NY SHIELD Act Data Security Requirements Effective This Month

Sheppard Mullin Richter & Hampton LLP

Sheppard Mullin Richter & Hampton LLP

Businesses collecting personal information from New York residents will soon be expected to apply enhanced data security requirements. The New York SHIELD Act, signed into law in July 2019, expanded breach notice requirements in October 2019. Now, On March 21, 2020, the remaining provisions related to data security will also come into effect. As we wrote previously, businesses subject to the law must implement data security programs that include at least the following:

  • Reasonable administrative safeguards, including: designate one or more employees to coordinate the security program; identification of internal and external risks and safeguards to control the risks; train employees on security practices; select service providers capable of maintaining appropriate safeguards (and contractually require said safeguards);
  • Reasonable technical safeguards, including: assess risks in network and software design; regularly test and monitor effectiveness of controls, systems, and procedures; and
  • Reasonable physical safeguards, including: assess risks of information storage and disposal; dispose of private information within a reasonable amount of time after it’s no longer needed for a business purpose; erase information so that it cannot be read or reconstructed.

There are some limited exceptions. Organizations otherwise regulated by federal law such as GLBA and HIPAA are exempt. There is also an exception for small businesses of fewer than 50 employees, less than $3 million in gross revenues in each of last three (3) fiscal years, or less than $5 million in year-end total assets. These “small businesses” may scale their data security program according to their size and complexity, the nature and scope of its business activities, and the nature and sensitivity of the information collected.

Putting it into practice. New York joins other states (including Massachusetts, Nevada and Oregon) to require specific data security protections. Companies who have nationwide security programs in place will want to conduct a gap assessment to verify whether their existing program meets New York’s requirements.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising

Written by:

Sheppard Mullin Richter & Hampton LLP

Sheppard Mullin Richter & Hampton LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.