Over the past few years, many states have been updating their cyber privacy laws.
Typically, these laws impose requirements on most businesses, which can be fined or held liable if they don’t comply.
The data security provisions of the New York SHIELD Act, which went into effect on March 21, 2020, apply to businesses that operate outside of New York, if those businesses hold New York residents’ private data.
That means that the New York Act applies widely. It states that the data security requirements apply to any “person or business which owns or licenses computerized data which includes private information” of a resident of New York. In addition, the law specifically indicates that any third-party service providers that have access to private data of customers, employees or both will be held to the same safeguards.
Interestingly, the law only mentions third parties in the administrative safeguards section, but it is wise for businesses to assume that any third party would also have to meet the full range of safeguards listed in all categories to comply with the New York law.
The law generally requires businesses to set up a cybersecurity program, appoint a coordinator for the program and train their employees in it. It also requires businesses to disclose data breaches. Non-compliance carries significant penalties of up to $250,000. Consult with an attorney to understand how the provisions of the law specifically apply to your business.
Lists of safeguards
The New York law doesn’t include detailed requirements that a business’s security program must meet.
Instead, it notes lists of administrative safeguards, technical safeguards and physical safeguards. Administrative safeguards include such actions as identifying foreseeable internal and external risks, training and managing employees in executing the program, and selecting the appropriate providers to ensure security measures are in place.
For technical safeguards, the New York law notes assessing any risks in network and software design, as well as information transmission and storage, detecting and responding to any failures in cybersecurity systems, and regularly monitoring any systems or procedures in place.
Physical safeguards under the law include actions like evaluating any risks associated with information storage and disposal, protecting against the unauthorized use of private information, and disposing of it within a reasonable time when your business no longer needs it.
According to the New York law, a business that implements the listed safeguards is “deemed” to be in compliance with the law.
Requirements depend on size of business
The law’s requirement to disclose data breaches applies to all businesses, no matter how big or small. But the extent of the cybersecurity measures a business must take varies depending on its size.
A business’s program can be scaled depending on its size and complexity, the nature and scope of its activities, and the level of sensitivity of the consumer data it collects.
A business must meet requirements appropriate to its size, based on the safeguards noted in the Act.
Under the Act, a business is defined as a “small business” if it meets one of the following criteria:
- Has fewer than 50 employees;
- Has less than $3 million in annual gross revenue in each of the last three fiscal years; or
- Has less than $5 million in year-end total assets.