ARTICLE
16 March 2020

NY Shield Act Data Security Requirements Effective This Month

SM
Sheppard, Mullin, Richter & Hampton LLP

Contributor

Sheppard, Mullin, Richter & Hampton LLP logo
Businesses turn to Sheppard to deliver sophisticated counsel to help clients move ahead. With more than 1,200 lawyers located in 16 offices worldwide, our client-centered approach is grounded in nearly a century of building enduring relationships on trust and collaboration. Our broad and diversified practices serve global clients—from startups to Fortune 500 companies—at every stage of the business cycle, including high-stakes litigation, complex transactions, sophisticated financings and regulatory issues. With leading edge technologies and innovation behind our team, we pride ourselves on being a strategic partner to our clients.
Explore Firm Details
Businesses collecting personal information from New York residents will soon be expected to apply enhanced data security requirements. The New York SHIELD Act, signed into law in July 2019,..
United States Technology
Julia K. Kadish
Your Author LinkedIn Connections
Sheppard, Mullin, Richter & Hampton LLP are most popular:
  • within Cannabis & Hemp topic(s)

Businesses collecting personal information from New York residents will soon be expected to apply enhanced data security requirements. The New York SHIELD Act, signed into law in July 2019, expanded breach notice requirements in October 2019. Now, On March 21, 2020, the remaining provisions related to data security will also come into effect. As we wrote previously, businesses subject to the law must implement data security programs that include at least the following:

  • Reasonable administrative safeguards, including: designate one or more employees to coordinate the security program; identification of internal and external risks and safeguards to control the risks; train employees on security practices; select service providers capable of maintaining appropriate safeguards (and contractually require said safeguards);
  • Reasonable technical safeguards, including: assess risks in network and software design; regularly test and monitor effectiveness of controls, systems, and procedures; and
  • Reasonable physical safeguards, including: assess risks of information storage and disposal; dispose of private information within a reasonable amount of time after it's no longer needed for a business purpose; erase information so that it cannot be read or reconstructed.

There are some limited exceptions. Organizations otherwise regulated by federal law such as GLBA and HIPAA are exempt. There is also an exception for small businesses of fewer than 50 employees, less than $3 million in gross revenues in each of last three (3) fiscal years, or less than $5 million in year-end total assets. These "small businesses" may scale their data security program according to their size and complexity, the nature and scope of its business activities, and the nature and sensitivity of the information collected.

Putting it into practice. New York joins other states (including Massachusetts, Nevada and Oregon) to require specific data security protections. Companies who have nationwide security programs in place will want to conduct a gap assessment to verify whether their existing program meets New York's requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Julia K. Kadish
Julia K. Kadish
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More