January 19, 2021

Volume XI, Number 19

Advertisement

January 18, 2021

Subscribe to Latest Legal News and Analysis

NY SHIELD Act Data Security Requirements Effective This Month

Businesses collecting personal information from New York residents will soon be expected to apply enhanced data security requirements. The New York SHIELD Act, signed into law in July 2019, expanded breach notice requirements in October 2019. Now, On March 21, 2020, the remaining provisions related to data security will also come into effect. As we wrote previously, businesses subject to the law must implement data security programs that include at least the following:

  • Reasonable administrative safeguards, including: designate one or more employees to coordinate the security program; identification of internal and external risks and safeguards to control the risks; train employees on security practices; select service providers capable of maintaining appropriate safeguards (and contractually require said safeguards);

  • Reasonable technical safeguards, including: assess risks in network and software design; regularly test and monitor effectiveness of controls, systems, and procedures; and

  • Reasonable physical safeguards, including: assess risks of information storage and disposal; dispose of private information within a reasonable amount of time after it’s no longer needed for a business purpose; erase information so that it cannot be read or reconstructed.

There are some limited exceptions. Organizations otherwise regulated by federal law such as GLBA and HIPAA are exempt. There is also an exception for small businesses of fewer than 50 employees, less than $3 million in gross revenues in each of last three (3) fiscal years, or less than $5 million in year-end total assets. These “small businesses” may scale their data security program according to their size and complexity, the nature and scope of its business activities, and the nature and sensitivity of the information collected.

Putting it into practice. New York joins other states (including Massachusetts, Nevada and Oregon) to require specific data security protections. Companies who have nationwide security programs in place will want to conduct a gap assessment to verify whether their existing program meets New York’s requirements.

 

Advertisement
Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume X, Number 69
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also workes on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

312.499.6334
Advertisement
Advertisement