New data retention limitations and disposal requirements on some types of businesses in New York will go into effect on March 21, 2020, under the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which was signed into law last year. Businesses that store or process private information of New York state residents should ensure that they are prepared to comply with this portion of the SHIELD Act before that date.
New York Governor Andrew Cuomo signed the SHIELD Act into law in July 2019. The act immediately expanded New York’s breach notification and remedy requirements and increased possible penalties for noncompliance. (This prior LawFlash provides an overview of the data breach requirements in the SHIELD Act: First of New York SHIELD Act’s Data Breach Notification Requirements Take Effect Soon.)
SHIELD Act Data Security Safeguard Requirements
The SHIELD Act requires that any company that “owns or licenses computerized data which includes private information of a resident of New York” must develop, implement, and maintain “reasonable safeguards” to protect the security of that information, including the “disposal of data.”
A mid-size or large business will be considered compliant with the above if the company:
- is regulated by, and compliant with, data protection requirements imposed by other federal and state laws (including the federal Gramm-Leach-Bliley Act, HIPAA, and New York Department of Financial Services data protection regulations for financial services companies); OR
- implements a data security program that includes “reasonable” administrative, technical and physical safeguards.
‘Reasonable’ Physical Security Safeguards Under SHIELD Act Include New Document Retention and Disposal Requirements
The physical safeguards required by the SHIELD Act include document management requirements similar to those found in Europe’s General Data Protection Regulation (GDPR). Those safeguards include:
- assessing risk of information storage and disposal;
- detecting, preventing, and responding to intrusions;
- protecting against unauthorized access to or use of private information after the collection, transportation, or disposal of information; and
- disposing of private information within a “reasonable amount of time” after it is no longer needed for business purposes by “erasing electronic media so that the information cannot be read or reconstructed.”
There is no definition under the SHIELD Act regarding what will be considered a “reasonable amount of time” to hold data after it is no longer needed. However, one can assume that, at a minimum, businesses that are subject to this section of the SHIELD Act should have updated document retention schedules and policies in place, and should be able to demonstrate that they are actively followed.
What the SHIELD Act Means for Businesses that Process Personal Data of New York Residents
Any business that processes or retains privacy data of New York residents should ensure that it has a current and effective document retention policy and schedule. This will be especially important for any company that holds human resources (HR) or customer records, as that business will almost certainly store private data that falls under the SHIELD Act.
The company should make certain that the document retention policy includes parameters to protect private data during the entire time it is within the control of the company, including during all phases of collection, storage, and disposal. The company should also confirm that record retention schedules are up-to-date, and that privacy data is only stored for as long as needed (and then effectively destroyed so that it can no longer be read or reconstructed). The act provides the attorney general of New York with the power to enforce the regulations therein. In order to avoid such scrutiny, affected companies are encouraged to look at their current record retention practices, upgrade them where needed, and ensure that their requirements are being observed.
 “Private Information” under the SHIELD Act includes the following types of information (in combination with a personal identifier):
- Social Security number;
- Driver’s license number;
- Account number, credit, or debit card number (in combination with information that would permit access to an individual’s financial account);
- Biometric information; and
- User names or email addresses (in combination with a password or security question and answer that would permit access).
 The SHIELD Act defines a “small business” as a person or business with fewer than 50 employees, less than $3 million in gross annual revenue or less than $5 million in year-end total assets. Companies that fit within the definition of “small business” will be considered compliant if their security program contains “reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” SHIELD Act § 899-BB (2) (C)
 See SHIELD Act § 899-BB (1) (A) for full list of qualified data protection regulations.
 Reasonable administrative safeguards under this section of the SHIELD Act include: designating employees to coordinate security program, identifying foreseeable risks, training employees in security program practices, selecting appropriate service providers, and adjusting the security program as businesses change. New York State Senate Bill S557B, § 899-BB (2) (B) (II) (A)
 Reasonable technical safeguards under this section of the SHIELD Act include: assessing risk in network and software design and information processing and storage, detecting and preventing attacks and system failures, and regularly testing and monitoring systems and procedures. New York State Senate Bill S557B, § 899-BB (2) (B) (II) (A)