New York has enacted two laws since the end of last year that has expanded its breach of notice and security requirements and may prepare to pass a third bill aimed at increasing the privacy of New York residents. On July 25, 2019, Governor Andrew M. Cuomo of New York signed the Stop Hacks and Improve Electronic Data Security Act, referred to as the “SHIELD Act” and the Identity Theft Protection and Mitigation Services Act. In summary, these bills expand the types of personal information covered by the New York Data Breach Reporting Act, require companies to implement specific data security measures, and require any company regulated by a Credit Reporting Agency (“CRA”) to provide affected consumers with Five years of prevention of identity theft and remediation services-a new high-water mark for such requirements. These bills may just be the beginning of New York State’s increased protection of personal data of state residents. New York is also considering a new privacy law that, if passed, would be stricter than California’s Consumer Protection Act (CCPA) and introduce the concept of “data trustee” into the US privacy dictionary.
New York State’s original Data Breach Notification Act required that any person or business operating in New York State obtain “private information” without valid authorization to notify New York State residents. The Shield Act, which will enter into force on March 21, 2020, extends the scope of the New York Data Breach Notification Act in several ways. The law applies to any individual and business that processes information about New York residents, regardless of whether the individual or business is doing business in New York. Perhaps most importantly, the Shield Act requires any person or business that handles personal information of New York residents to implement and maintain “reasonable” administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of private information. Several states have similar laws that require reasonable control, but the Shield Act requires companies to ensure the following, and failure to establish reasonable safeguards will mean that New York regulators may take action against the company:
- Designate one or more employees to coordinate security procedures;
- Identify foreseeable internal and external risks;
- Assess whether existing safeguards are sufficient to control the identified risks;
- Train employees in security procedures and practices;
- Select service providers capable of maintaining appropriate safeguards and implement these safeguards through contracts;
- Adjust security procedures based on business changes or new circumstances;
- Assess risks in network and software design;
- Assess risks in the processing, transmission, and storage of information;
- Detect, prevent and respond to attacks or system failures;
- Regularly test and monitor the effectiveness of key controls, systems, and procedures;
- Assess the risks of information storage and disposal;
- Detect, prevent and respond to intrusions;
- Prevent unauthorized access or use of personal information during or after the collection, transportation, and destruction or disposal of the information;
- Eliminate electronic media within a reasonable time after personal data is no longer needed for commercial use, making the data unreadable or reconstructable.
Concerned how your organization may not be prepared for The New York Sheild Act?
Contact LIFARS For Assistance Immediately!