The absence of any form of federal law governing data privacy and protecting the use of US citizens' private information has led to a handful of individual states establishing their own privacy laws in order to safeguard consumer data.
Somewhat surprisingly, on a national level only the dated Privacy Act of 1974 established some privacy rights for consumers, and its scope is limited to data collected by the US government from its citizens. The 1974 Act has no impact on private industry or, in particular, on consumer data collected on the internet by companies.
To make up for this shortcoming, the New York State Information Security Breach and Notification Act was implemented in 2005 and, more recently, updated by the Stop Hacks and Improve Electronic Data Security Act (NY SHIELD Act). However, as we shall see, the proposed New York Privacy Act (NYPA) seeks to take the data breach notification law a step further to protect consumers' private information.
If you need help complying with New York's data privacy law, try EasyLlama's easy data privacy training for employers. We can educate and certify your team quickly to avoid any potential penalties.
What is the data breach notification law (NY SHIELD Act)?
In order to understand the NY SHIELD Act, we will need to consider what type of data it covers, the type of data protection it requires, how data breaches are dealt with by private organizations, and what happens if they do not comply with the privacy law.
What is considered private information?
The legislation gives an exhaustive and precise list of what it deems to be private data, but in essence it treats as private information a social security number, driver's license number, financial details such as account numbers, and biometric information. It also includes website login information, such as a username or email address together with the associated password.
The 2019 SHIELD Act expanded the 2005 legislation significantly by covering not only organizations that conduct business in New York but any "person or business which owns or licenses computerized data which includes private information" on New York residents, thereby extending the geographical scope of the law. It also applies to employee data privacy.
How is personal information protected?
The Stop Hacks and Improve Electronic Data Security Act (NY SHIELD Act) requires a business holding personal data on NY residents to take active steps to implement reasonable cybersecurity protections and safeguards in order to prevent hackers from accessing consumer data.
In practice this means that such organizations should require employees to undergo data privacy training and should put in place three kinds of safeguards: administrative safeguards, where designated employees are responsible for managing data protection; technical safeguards, in the form of a security program that assesses risks and monitors for and detects attacks; and physical safeguards that prevent unauthorized access.
All companies are covered regardless of size, but there are some exemptions for those considered "small businesses", for which the security program compliance requirements are less onerous than they are for larger organizations.
How is a breach dealt with?
NY consumers whose personal data has been obtained illegitimately by a third party must be notified and informed of the hack by one of four methods: in writing, by telephone, by email, or by substitute notice. If the breach affects more than 5000 New York individuals, the data breach notification must also be communicated to a specific list of consumer reporting agencies, which can be obtained from the Attorney General.
The notification must include information on the business making the notification, contact details for the state and federal agencies that can provide further information on the matter, and a description of the kind of information that has been accessed. Regardless of size, all businesses must inform New York residents of data breaches.
Enforcement of the SHIELD Act
Private individuals have no legal recourse under the Act if a company does not notify them of a breach. Only the New York Attorney General has the power to take action, by applying for an injunction, and courts may impose civil penalties of between $5000 and $250,000.
What is the proposed New York Privacy Act (NYPA)?
Although the SHIELD Act provides a legal framework restricting third parties' access to data collected by organizations, it falls short of the type of protection provided by the California CCPA, which goes a step further with respect to information security. New York's proposed legislation would establish a Consumer Data Privacy Bill of Rights, putting it on par with the legal protections the CCPA established for California consumers.
What would it mean for NY consumers?
The NYPA could take data privacy a step further by addressing the purpose for which data is collected and requiring entities to use that data solely for that purpose. A business would be obliged to give users more control by letting them access their data and review it or request deletion of their personal information. Moreover, the law would protect New Yorkers from being discriminated against simply for exercising their rights.
Finally, these New York state laws introduce a private right of action in the form of injunctive relief and actual damages, although recovery is limited since individuals must show they were harmed by the breach for a claim to succeed.
Also worth noting is that the NY Biometric Privacy Act expands the definition of private data to include biometric information and restricts companies from holding such data for more than three years after it was last used by New York residents.
What would it mean for NY businesses?
The NYPA could require a business to exercise a higher duty of care than the SHIELD Act does. While the latter requires the lower threshold of a reasonable or ordinary duty of care, the new legislation would introduce the notion of fiduciary duty. By creating a fiduciary obligation for a business that holds private information on users, the law heightens the standard of care: the business must put New York residents' interests first, ahead of the interests of the company and its shareholders.
In terms of cybersecurity, the requirements are more stringent, since the safeguards must be implemented even if the expenditure is to some extent detrimental to the business's profitability. In other words, the company must be proactive in establishing a security program to protect personal data.
Another significant addition by the NYPA is the introduction of the "opt-in" consent requirement whereby consumers have to take affirmative action to consent to their data being saved as opposed to the commonplace "opt-out" consent.
Finally, the consumer privacy act would apply to all entities that conduct business in New York state or produce products or services that are intentionally targeted at residents of New York state. Companies could also be obliged to list the third parties with whom they share such information.
You can check out privacy law's pros and cons here.
What are the chances of it being implemented?
In its current form, the bill has little chance of success: while it provides consumers with even greater control over their personal information, it will be much more onerous for businesses to comply with its data security requirements. As a bit of background, the NYPA was introduced during the same 2018-19 legislative session in which the New York SHIELD Act was passed, and was then reintroduced in the 2019-20 legislative session. The bill failed to progress in either session.
The main argument against the privacy bill is the onerous obligations it creates, both financially, through the heavy safeguards businesses must implement, and through the private right of action it introduces. The bill has been introduced three times and has failed to pass in its current form, so it seems likely that businesses will have to tackle the confusing state-by-state patchwork of laws that govern data privacy.
That being said, with more data privacy breaches having significant repercussions on users and taking center stage, can New York, and more broadly the US at a national level, really afford to carry on with the existing cybersecurity legislation in its current form?