1. Home
  2. |Insights
  3. |March 21, 2020 Deadline Approaches for Businesses to Comply with New York Data Privacy Act Safeguards

March 21, 2020 Deadline Approaches for Businesses to Comply with New York Data Privacy Act Safeguards

Client Alert | 2 min read | 03.11.20

Effective March 21, 2020, New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act – which was enacted in July, 2019 (the “Act”)– will require businesses to implement safeguards to protect "private information" of individuals who are New York residents – including any New York employees. The Act previously implemented increased breach notification requirements, which took effect on October 23, 2019.

The Act defines "private information" to include personal information such as a name or other identifier in combination with:

  • An individual’s social security number;
  • Driver's license number;
  • Certain financial account information together with information permitting access (e.g. password), unless no additional information is required for access;
  • Biometric information used to authenticate or ascertain an individual’s identity;
  • Username or e-mail address together with information permitting access (e.g. password); or
  • Any unsecured protected health information as defined by the Health Insurance Portability and Accountability Act (“HIPAA”) (collectively the “Data Elements”).

To the extent that personal information or the Data Elements are encrypted and, further, provided that the encryption key has not been accessed or acquired, they do not constitute “private information” for purposes of the Act. 

The Act requires businesses to implement and maintain reasonable safeguards to protect private information, including developing and implementing a “data security program.” The data security program includes, among other elements, designating one or more employees to coordinate the program, assessing risks in network design, software design, and information processing and storage, and disposing of private information within a reasonable time after it is no longer needed for business purposes. The data security program must cover internal information, such as employee personnel data and human resources records, as well as any other “private information” a business may need to protect.

While the Act applies to all employers regardless of size, small businesses — defined as those having fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets — need only ensure that their data security safeguards are appropriate for the size and complexity of the business, the nature and scope of the small businesses' activities, and the sensitivity of the personal information the small business handles. The Act does not provide substantive guidance on what will be considered “appropriate” for these purposes. Additionally, companies subject to, and in compliance with, other legal and regulatory regimes, such as the Gramm-Leach-Bliley Act, HIPAA, and the NY Department of Financial Services Cybersecurity Regulation, are considered in compliance with the Act’s data security program requirements.

The Act does not contain a private right of action; instead, covered businesses are subject to enforcement by the New York Attorney General, with civil penalties for knowing and reckless violations of the previously-enacted breach notification obligations of up to $20 per instance with a cap of $250,000. Violations of the reasonable safeguard requirements may carry penalties of up to $5,000 per violation. The Act also lengthens the statute of limitations from two (2) years to three (3) years.

All businesses possessing “private information” of New York residents and/or having employees in New York should ensure that their data security programs and reporting mechanisms are prepared for the impact of the Act.

Insights

Client Alert | 6 min read | 03.26.24

California Office of Health Care Affordability Notice Requirement for Material Change Transactions Closing on or After April 1, 2024

Starting next week, on April 1st, health care entities in California closing “material change transactions” will be required to notify California’s new Office of Health Care Affordability (“OHCA”) and potentially undergo an extensive review process prior to closing. The new review process will impact a broad range of providers, payers, delivery systems, and pharmacy benefit managers with either a current California footprint or a plan to expand into the California market. While health care service plans in California are already subject to an extensive transaction approval process by the Department of Managed Health Care, other health care entities in California have not been required to file notices of transactions historically, and so the notice requirement will have a significant impact on how health care entities need to structure and close deals in California, and the timing on which closing is permitted to occur....