The signing of the California Consumer Privacy Act (CCPA) into law in June 2018 imposed substantial new privacy obligations on businesses that hold personal information about California residents and set off a burst of privacy legislation across the U.S.
Various privacy bills have been introduced in dozens of other states and also in Congress, and others are still in the works – a key issue being whether and to what extent a federal bill would preempt state privacy laws.
New York has seen two noteworthy legislative developments on privacy protections in the past few months: the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) and the New York Privacy Act (NYPA).
In June 2018, the California Consumer Privacy Act (CCPA) was signed into law, imposing substantial new privacy obligations on businesses that hold personal information about California residents. (California Civil Code §1798.100, et seq.) The CCPA, which goes into effect Jan. 1, 2020, among other things requires businesses to respond to consumers’ requests for disclosure or deletion of their personal information, as well as to honor requests not to sell a consumer’s information to a third party.
The enactment of the CCPA set off a burst of privacy legislation across the U.S. Legislators in dozens of other states have introduced similar privacy bills. Various privacy bills have also been introduced in Congress, and others are still in the works – a key issue being whether and to what extent a federal bill would preempt state privacy laws.
But despite all of this activity over the last year, no such privacy law has yet been enacted in any state or in Congress. The many proposed bills either remain under review in legislative committees or have failed to proceed quickly enough to be passed into law during the 2019 legislative sessions. The only exception appears to be a rather narrow Nevada law passed on May 30, 2019, that prohibits a business from selling personal information for monetary consideration following a verified consumer request not to do so. (Nevada SB220, NRS Ch. 603A, effective Oct. 1, 2019.)
With this background, New York has seen two noteworthy legislative developments on privacy protections in the past few months.
The SHIELD Act
In June 2019, the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) was passed by both the New York Senate and Assembly, and it is now due to be delivered to Gov. Andrew Cuomo for his signature. (See S5575B; A5635. The SHIELD Act was previously pursued in the 2017-2018 legislative session as S6933.) In addition to expanding breach notification obligations, the law introduces broad new cybersecurity requirements.
A. Expanding Breach Notification Obligations
This bill amends General Business Law Section 899-aa with respect to breach notification in a number of key respects, including:
expanding the definition of personal information to include 1) financial account numbers that can be used to identify an individual’s financial account without additional identifying information, security code, access code or password; 2) biometric information; and 3) a user name or email address in combination with a password or security question and answer that would permit access to an online account
revising the meaning of what constitutes “unauthorized access” to private information
exempting notice for an “inadvertent disclosure” where it is reasonably determined that the exposure “will not likely result in misuse of such information, or financial harm”
increasing the fines the State Attorney General can seek for violations of the statute, as well as extending the statute of limitations
B. New Cybersecurity Obligations
The SHIELD Act goes further than just breach notification, introducing a series of new security requirements in Section 899-bb that are similar in some respects to those previously enacted in Massachusetts (M.G.L. Ch. 93H and 201 CMR 17.00).
Specifically, businesses that maintain private information of New York residents must “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.” This requirement may be fulfilled either by:
complying with regulations such as Title V of the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) or the New York State Department of Financial Services Cybersecurity Requirements (23 NYCRR 500), or
implementing a data security program that includes:
a. Reasonable administrative safeguards such as:
i. Designating one or more employees to coordinate the security program
ii. Identifying reasonably foreseeable internal and external risks
iii. Assessing the sufficiency of safeguards in place to control the identified risks
iv. Training and managing employees in the security program practices and procedures
v. Selecting service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract, and
vi. Adjusting the security program in light of business changes or new circumstances
b. Reasonable technical safeguards such as:
i. Assessing risks in network and software design
ii. Assessing risks in information processing, transmission and storage
iii. Detecting, preventing and responding to attacks or system failures, and
iv. Regularly testing and monitoring the effectiveness of key controls, systems and procedures
c. Reasonable physical safeguards such as:
i. Assessing the risks of information storage and disposal
ii. Detecting, preventing and responding to intrusions
iii. Protecting against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information, and
iv. Disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed
These new data security requirements appear to go beyond the Massachusetts regulations in some respects (such as disposal of private information) and seem to expand New York consumer-related obligations for security much as the CCPA has done for privacy.