What New York Data Privacy and Security Protection Means for Employers

Employers Must Comply with New SHIELD Law

In July of 2019, the New York legislature passed the “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act. The new law provides greater protection for private information and broadens requirements for security breach notification.

Which NY Employers Must Comply with the Law?

The SHIELD law applies to all NY employers because private information includes individual names and Social Security numbers.

Businesses that do not reside in New York but that do business with New York residents are also subject to the law’s security requirements.

What Does Private Information Include?

Private information includes:

  • Name
  • Social Security Number (SSN)
  • Driver’s license number
  • Credit or debit card number
  • Financial account number
  • Biometric information
  • Username or email address and password to an online account

What Is Necessary for Compliance?

To be in compliance with SHIELD, employers must implement a data security program that keeps private information secure and adheres to the act. How extensive the program must be depends on the size of the company and its business activities and the sensitivity of the personal information it gathers.

If the business is already in compliance with the following laws, it is also in compliance with SHIELD:

  • Gramm-Leach-Bliley Act
  • HIPAA Security Rule
  • New York State Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies

What Are the New Breach Notification Requirements?

The new law expands the definition of breach of the security system. Breach now includes unauthorized access of computerized data that compromises:

  • Security
  • Confidentiality
  • Integrity of private information

Breach also now extends to New York residents and not only New York businesses.

A company may be exempt from breach notification if the breach was unintended and will probably not result in misuse, financial harm or emotional harm to the affected persons.

Companies must be in compliance with the breach notification amendments by October 23, 2019. The new data security requirements must be in effect by March 21, 2020.

(References: The National Law Review)

Stephen Hans & Associates assists employers in complying with employment laws and represents them in employment litigation.