The Stop Hacks and Improve Electronic Data Security (SHIELD) Act is Now in Effect
As we previously informed you, the compliance deadline for having a data privacy plan in place as required by the SHIELD Act was fast approaching; that requirement took effect on March 21, 2020. The Act applies to businesses that collect the personal information of New York residents and requires them to have certain reasonable administrative, technical and physical safeguards in place, as set forth in the Act. Businesses that are not regulated by and compliant with another New York state or federal data security regime must adopt a program that includes such safeguards.
For administrative safeguards, companies must designate one or more employees to coordinate the security program, conduct risk assessments and training, require by contract that third-party providers and vendors have certain practices in place, and adjust their program as the business and its data situation change. Technical safeguards include policies to assess network and software design risks and data processing risks, to detect and respond to incidents, and to regularly test and monitor key controls and systems. As for physical safeguards, the business must document how it assesses storage and disposal, responds to intrusions, and prevents unauthorized access to private information. Record retention and disposal is a key component: the law specifies that private information should be kept only for a reasonable amount of time and deleted once there is no longer any business purpose for retaining it. Disposal includes taking steps to ensure the information cannot be read or reconstructed.
Businesses with fewer than 50 employees, less than $3 million in gross revenues in each of the last three fiscal years, or less than $5 million in year-end total assets are considered “small businesses” under the Act, and may implement a data security program appropriate to their size and complexity, taking into account the nature and scope of their business activities and the nature and sensitivity of the information collected. There remains no private right of action, and enforcement still rests with the Attorney General. Under the SHIELD Act, penalties have increased (now $20 per notification violation, with the maximum penalty set at $250,000).
With the Act, New York now stands beside California, Massachusetts and other states that reach beyond their borders and may pursue any business that owns or licenses New York residents’ private information, regardless of whether the business is located or doing business in New York.
All businesses, including those in New Jersey, should assess whether the Act applies to them and take steps to minimize the risk of a future enforcement action. At Riker Danzig, we are available to answer any questions you have about the SHIELD Act or any other privacy or data security law that may impact your business.
If you have any questions, please contact one of this Alert's authors: Michael P. O'Mullan at email@example.com, Labinot Alexander Berlajolli at firstname.lastname@example.org or Daniel J. Parziale at email@example.com, or any other attorney in Riker Danzig’s Cyber Security & Data Privacy practice.