California and New York make big waves when they pass laws regulating privacy and data. We have previously described the changes coming in 2020 with the California Consumer Protection Act (“CCPA”).
New York State may soon adopt two aggressive data privacy laws. The proposed SHIELD Act would impose data security requirements as restrictive as those in the EU’s General Data Protection Regulation, effective last year. The current draft of the New York Privacy Act (“NYPA”) employs a novel “data fiduciary” approach that would require companies to put the interests of data subjects ahead of their own.
What is the SHIELD Act?
The “Stop Hacks and Improve Electronic Data Security Handling” (SHIELD) Act would cover any company that holds sensitive data of New York residents, even if it is not registered to do business in the state. In this way, its jurisdictional scope is like that of the CCPA and GDPR.
The SHIELD Act also imports stringent data security requirements from the NYS Department of Financial Services cybersecurity regulation, which requires risk assessments, an employee designated to oversee a company’s data protection program, employee training, and other measures. It would require companies to disclose ransomware infections, which often threaten a company’s core operations and reputation.
The SHIELD Act is expected to pass the NY State Senate this session, but is still under consideration. Stay tuned.
What is a “Data Fiduciary” and What is the New York Privacy Act?
A fiduciary duty is the highest standard of duty implied by law. Introduced as a concept by Yale Law School professor Jack Balkin in 2014, a “data fiduciary” is required to act in the best interests of the consumer, rather than its own, in protecting personal information it collects.
Under the NYPA, companies will have to secure personal information as a fiduciary, and inform consumers if the information is accessed, lost, or distributed without authorization. They are prohibited from using, processing, or transferring it without prior express, documented consent. They may not use it for any purpose that benefits the company to the detriment of the consumer or that results in reasonably foreseeable and material harm to the consumer. The NYPA expressly states that a company’s data fiduciary duty to a consumer supersedes any duty owed to the owners or shareholders of the company.
Consumers will also have the usual assortment of rights found in the consumer privacy acts of other states. They have the right to be informed of the information that is being collected from them or about them. They have the right to receive a copy of information that is being held by the company and to correct or delete that information.
The bill was introduced last month, and the New York State Senate Standing Committee on Consumer Protection held a public hearing on June 4, 2019. Zachary Hecht, Policy Director for Tech NYC, testified against the bill, noting the expected high cost of compliance, particularly for small businesses. Christine Fisher, Executive Director, Northeast, of TechNET, pointed out that the EU gave businesses two years to prepare for the GDPR. A co-author of the CCPA and former CIA counterintelligence agent, Mary Ross, believed that the NYPA would properly burden companies with responsibility to protect consumer data.
These bills reflect the trend among states to increase data privacy protections for consumers. They also add to the growing patchwork of state regulations around the U.S. with which businesses must comply, and provide another reason for federal preemptive data privacy regulation.