New York Poised to Make Big Splash in State Data Protection Law

Lathrop GPM

California and New York make big waves when they pass laws regulating privacy and data. We have previously described the changes coming in 2020 with the California Consumer Protection Act (“CCPA”).

New York State may soon adopt two aggressive data privacy laws. The proposed SHIELD Act would impose data security requirements as restrictive as those in the EU’s General Data Protection Regulation, effective last year. The current draft of the New York Privacy Act (“NYPA”) employs a novel “data fiduciary” approach that would require companies to put the interests of data subjects ahead of their own.

What is the SHIELD Act?

The “Stop Hacks and Improve Electronic Data Security Handling” (SHIELD) Act would cover any company that holds sensitive data of New York residents, even if it is not registered to do business in the state. In this way, its jurisdictional scope is like that of the CCPA and GDPR. 

The SHIELD Act also imports stringent data security requirements from the NYS Department of Financial Services cybersecurity regulation, which requires risk assessments, an employee designated to oversee a company’s data protection program, employee training, and other measures. It would require companies to disclose ransomware infections, which often threaten a company’s core operations and reputation.

The SHIELD Act is expected to pass the NY State Senate this session, but is still under consideration. Stay tuned.      

What is a “Data Fiduciary” and What is the New York Privacy Act?

A fiduciary duty is the highest standard of duty implied by law. Introduced as a concept by Yale Law School professor Jack Balkin in 2014, a “data fiduciary” is required to act in the best interests of the consumer, rather than its own, in protecting personal information it collects.

Under the NYPA, companies will have to secure personal information as a fiduciary, and inform consumers if the information is accessed, lost, or distributed without authorization. They are prohibited from using, processing, or transferring it without prior express, documented consent. They may not use it for any purpose that benefits the company to the detriment of the consumer or that results in reasonably foreseeable and material harm to the consumer. The NYPA expressly states that a company’s data fiduciary duty to a consumer supersedes any duty owed to the owners or shareholders of the company.

Consumers will also have the usual assortment of rights found in the consumer privacy acts of other states. They have the right to be informed of the information that is being collected from them or about them. They have the right to receive a copy of information that is being held by the company and to correct or delete that information.

The bill was introduced last month, and the New York State Senate Standing Committee on Consumer Protection held a public hearing on June 4, 2019. Zachary Hecht, Policy Director for Tech NYC, testified against the bill, noting the expected high cost of compliance, particularly for small businesses. Christine Fisher, Executive Director, Northeast, of TechNET, pointed out that the EU gave businesses two years to prepare for the GDPR. A co-author of the CCPA and former CIA counterintelligence agent, Mary Ross, believed that the NYPA would properly burden companies with responsibility to protect consumer data.

These bills reflect the trend among states to increase the data privacy protections for consumers. They also represent another addition to the growing patchwork of state regulations around the U.S. with which businesses must comply, and another reason for federal preemptive data privacy regulation.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Lathrop GPM | Attorney Advertising
