New Consumer Data Security Protections Legally Required


By Gille Ann Rabbin, Esq., CIPP/US, CIPP/E


The security of NY consumers’ private information is about to get a boost. The recently passed SHIELD Act (Stop Hacks and Improve Electronic Data Security) has expanded the scope of protection required of persons or businesses handling NY consumers’ data. Starting in late March of 2020, NYS will require companies in all sectors to implement data security measures that protect the private information of NY consumers.

Effective March 21, NY will require persons or businesses that own or license private information about individuals to develop, implement, and maintain a data security program with “reasonable safeguards” designed to protect the information. An example of the type of information required to be protected is an individual’s name along with a driver’s license number.

The reasonable safeguards requirement will typically be deemed satisfied if the business already complies with the federal Health Insurance Portability and Accountability Act (healthcare industry), the federal Gramm-Leach-Bliley Act and the NY Department of Financial Services’ Cybersecurity Regulations (financial services companies), and other applicable federal or NYS data security rules and regulations.

If a business or person is not covered by these laws or regulations, it can be in compliance with the new requirements if it has a data security program that has reasonable administrative, technical, and physical safeguards, such as:

  • Securely deleting information no longer required for a business purpose;
  • Using only service providers that maintain safeguards;
  • Identifying reasonably foreseeable internal and external security risks;
  • Protecting against unauthorized access to private information;
  • Training employees on data security program practices/procedures; and
  • Detecting, preventing and responding to attacks and failures of the system.

The new law’s requirements apply to any person or entity regardless of size, including small businesses (as defined in the law). Compliance requirements are more limited for small businesses; while a small business must still set up a data security program, it is compliant if the program “contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business' activities, and the sensitivity of the personal information the small business collects from or about consumers.”

The NYS Attorney General can sue for civil penalties for a failure to comply with the law’s data security requirements, which is deemed a violation of NY’s prohibition on deceptive acts and practices. The new law does not create a private right of action, meaning that consumers are not legally entitled to enforce rights provided by the law.

Businesses that are not yet in compliance should take steps to put into place an appropriate data security program. And while the SHIELD Act aims to protect consumers' private information and impose accountability on companies that do business within NYS, consumers should still exercise sound judgment and discretion when it comes to their personal information.

Before sharing their information, consumers should find out why their data is being collected, whether and why it will be retained, who will have access to it, whether it will be shared or sold, and how securely it will be kept. Consumers should ask questions and read consumer privacy disclosures to get as much information as possible about how their privacy will be handled, and not proceed until they’re fully informed.  

