As we previously informed you, the compliance deadline for the data security program required by the SHIELD Act was fast approaching; that requirement took effect on March 21, 2020. The Act applies to businesses that collect the personal information of New York residents and requires them to have certain reasonable administrative, technical and physical safeguards in place, as set forth in the Act. The Act requires businesses that are not regulated by and compliant with another New York state or federal data security regime to adopt a program that includes such safeguards.
For administrative safeguards, companies must designate one or more employees to coordinate the security program, conduct risk assessments and training, require contracted third-party providers and vendors to have certain practices in place, and adjust their program as the business and data situation changes. Technical safeguards include policies to assess network and software design risks, data processing risks, incident detection and response, and regular testing and monitoring of key controls and systems. As for physical safeguards, the business must document how it assesses storage and disposal, intrusion response, and prevention of unauthorized access to private information. Specifically, record retention and disposal is a key component: the law provides that private information should be retained only for a reasonable amount of time and deleted once there is no longer any business purpose for keeping it. Disposal includes taking steps to ensure the information cannot be read or reconstructed.
Businesses with fewer than 50 employees, less than $3 million in gross revenues in each of the last three fiscal years, or less than $5 million in year-end total assets are considered “small businesses” pursuant to the Act, and may implement a data security program based on their size and complexity, taking into account the nature and scope of their business activities and the nature and sensitivity of the information collected. There remains no private right of action, and enforcement still rests with the Attorney General. Under the SHIELD Act, penalties have increased (now $20 per notification violation, with the maximum penalty set at $250,000).
With the Act, New York now stands beside California, Massachusetts and other states that reach beyond their borders and may pursue any business that owns or licenses New York residents’ private information, regardless of whether the business is located or doing business in New York.
All businesses, including those in New Jersey, should assess whether the Act applies to them and try to minimize the risk of a future enforcement action. At Riker Danzig, we are available to answer any questions you have about the SHIELD Act or any other privacy or data security law that may impact your business.
If you have any questions, please contact one of this Alert's authors: Michael P. O'Mullan at momullan@riker.com, Labinot Alexander Berlajolli at lberlajolli@riker.com or Daniel J. Parziale at dparziale@riker.com, or any other attorney in Riker Danzig’s Cybersecurity & Data Privacy practice.
Riker Danzig's Cyber Security & Data Privacy Partners:
Brian E. O’Donnell
Michael P. O’Mullan
Maura C. Smith
Samuel P. Moulthrop
Robert J. Schoenberg
Lance J. Kalik
Jason D. Navarino
Anthony J. Zarillo, Jr.