February 21, 2020

February 20, 2020

February 19, 2020

February 18, 2020

Preparing for New York’s New Data Security Requirements

New York recently passed the SHIELD Act, which, among other things, newly establishes data security requirements for companies that collect private information about New York residents. The data security protections required by the Act go into effect in March 2020. Companies that are already subject to and compliant with data security requirements under HIPAA, GLBA, or the NYDFS will be deemed compliant with this new law. Between now and March, companies will want to think about these new data security provisions.

Under the new requirements, companies will need to develop and implement “reasonable safeguards” to protect the security, confidentiality and integrity of computerized data that includes private information. The private information that companies must protect includes social security numbers, driver’s license numbers, financial account numbers, biometric information, and other personal information that, if breached, would give rise to a duty to notify. Companies will be deemed in compliance with the Act’s requirement for reasonable safeguards if the company has implemented a data security program that establishes certain administrative, technical, and physical safeguards. This includes designating one person in charge of coordinating the program, conducting employee training on security practices, requiring (by contract) that service providers similarly maintain appropriate safeguards, regularly testing and monitoring the effectiveness of systems and controls, conducting risk assessments relating to network and software design, disposing of private information after it is no longer needed, and modifying the program in light of business changes or new circumstances. The law does not provide for a private right of action.

Putting it Into Practice: Prior to March 2020, companies should re-evaluate their existing data security program against the data security program outlined in the Act to take advantage of the compliance presumption, and should consider, if not done already, memorializing such data security program in writing.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335
Kari Rollins Intellectual Property Lawyer Sheppard
Partner

Kari M. Rollins is a partner in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Ms. Rollins focuses her practice on privacy and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, food services, retail, and fashion industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums.

Ms. Rollins serves as a trusted advisor to her clients, bringing a focused, strategic approach to complex litigation and investigation matters alike. Her clients praise her ability to efficiently and effectively manage complex matters with multiple moving pieces, and to concisely and persuasively communicate the core issues of her clients’ cases to judges, regulators, and opposing counsel. These traits have enabled Ms. Rollins to successfully argue critical motions, procure dismissals, and achieve successful resolutions for her clients.

212.634.3077
Elfin Noce Business Trial Attorney
Associate

Elfin L. Noce is an Associate in the Business Trial Practice Group in the firm's Washington, D.C. office.

Practices

  • Litigation

Industries

  • Communications

Education

  • J.D., University of Missouri, Columbia, 2005

  • B.A., Truman State University, 2000

Admissions

  • *Not admitted in District of Columbia; supervised by partners of the firm

  • Missouri

202.747.2196