New York SHIELDs Private Information (Security Requirements effective March 21, 2020)

Laura Ferguson
Locke Lord LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Locke Lord LLP

As we first reported on July 24, 2019 (and updated on September 24, 2019), an amendment of New York’s data breach notification law—the Stop Hacks and Improve Electronic Data Security Act, commonly referred to as the SHIELD Act—was signed into law on July 25, 2019.  While the breach notification amendments of the SHIELD Act went into effect on the ninetieth day after being signed into law—October 23, 2019—the security requirements of the SHIELD Act officially go into effect on the two hundred fortieth day after the SHIELD Act was signed into law- March 21, 2020.  

Data Security Obligations
The SHIELD Act added a requirement that covered entities implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of private information, including the disposal of data.  In order to be in compliance, a business must implement a data security program that includes reasonable administrative, technical and physical safeguards, including:

  • Administrative safeguards: (1) designates one or more employees to coordinate the security program; (2) identifies reasonably foreseeable internal and external risks; (3) assesses the sufficiency of safeguards in place to control the identified risks; (4) trains and manages employees in the security program practices and procedures; (5) selects service providers capable of maintaining appropriate safe guards, and requires those safeguards by contract; and (6) adjusts the security program in light of business changes or new circumstances.
  • Technical safeguards: (1) assesses risks in network and software design; (2) assesses risks in information processing, transmission and storage; (3) detects, prevents and responds to attacks or system failures; and (4) regularly tests and monitors the effectiveness of key controls, systems and procedures.
  • Physical safeguards: (1) assesses risks of information storage and disposal; (2) detects, prevents and responds to intrusions; (3) protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and (4) disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

Small businesses are permitted to scale the above reasonable security requirements as appropriate for the size and complexity of the business, the nature and scope of the business’ activities, and the sensitivity of the personal information the business collects.  In addition, a business is deemed to be in compliance with the above reasonable security requirements if the business is subject to and in compliance with GLBA, HIPAA, part 500 of title 23 of the official compilation of codes, rules and regulations of the state of New York, or any other data security rules and regulations of any official department, division, commission or agency of the federal or New York state government. 

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Locke Lord LLP | Attorney Advertising

Written by:

Locke Lord LLP
Locke Lord LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Locke Lord LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide