Does Your Business Data Include Private Information of New York Residents?
data privacy | Data Protection | New York Residents | Personal Information | Privacy Laws and Regulations | security safeguards | SHIELD Act

Written by: Susie Kenerson, CIPP/US Compliance Privacy Officer at CSR Privacy Solutions, Inc.

If you answered “yes”, then you have a strict obligation to have data security protections in place.

In mid-2019, New York passed the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) (Senate Bill 5575), adding a specific requirement that businesses possessing private information of New York residents in computerized form have a data security program in place to protect that information. This applies whether the business is located in New York or outside the state.

The effective date for the data security requirement under the SHIELD Act is March 21, 2020.

Is your business prepared?  Here’s what you need to know.

Under NY Gen. Bus. Law § 899-bb, businesses that own or license computerized data which includes private information of New York residents are required to have an appropriate program for data protection and security of their information systems.

Businesses will be deemed compliant if they implement and maintain administrative, technical and physical safeguards appropriate to the business based on its size, the type of its business activities, and the sensitivity of the private information it holds. Some of the reasonable security safeguards are:

  • Designating one or more employees to coordinate the program
  • Conducting a risk assessment
  • Training and overseeing employees in the program’s practices and procedures
  • Managing vendors, by contractually requiring that service providers maintain appropriate safeguards
  • Preventing, detecting and responding to attacks on, intrusions into, or failures of information systems
  • Monitoring and testing systems and procedures on an ongoing basis, and making adjustments as needed
  • Protecting private information from unauthorized access from the point of collection to the point of disposal
  • Disposing of private information when it is no longer needed, so that it can no longer be read or reconstructed

Penalties

New York’s Attorney General may bring an action for violations.  Non-compliance with the new data protection and security requirements will be considered deceptive acts and practices, with civil penalties up to $5,000 per violation.

Call to Action

Businesses located in and outside of New York that maintain private information of New York residents must ensure they are compliant with the mandated data and security protections by March 21, 2020.

Your business may already apply best business practices for data protection and security, with appropriate safeguards in place to ensure the security of private information (also known as personal information) from the time the data is collected through the time it is disposed of. Or maybe you are a sector-specific business, already complying with the data protection and security requirements of laws such as the Gramm-Leach-Bliley Act, HIPAA, HITECH, 23 NYCRR 500, or other federal or state regulations. Such entities are deemed compliant with the SHIELD Act requirements.

However, many businesses find themselves lacking the necessary policies, procedures and system security to ensure that all private or personal information collected, used, disclosed to third parties, and disposed of is always protected.  Or maybe your business needs to assess its existing practices and systems to make certain safeguards are up to date.

CSR Privacy Solutions, Inc. offers small to medium-sized businesses (SMBs) the opportunity to be prepared and up to date with best practices for data protection. CSR Readiness® Pro is an award-winning bundle of privacy solutions that businesses use to mitigate the consequences of non-compliance in the handling of legally protected personal information and the risk of a data breach.

CSR Readiness delivers a PROACTIVE solution, enabling small to medium size businesses (SMB) to assess their current data protections, privacy policies, procedures, processes and information security programs.  Upon completing the assessment, they are presented with suggested improvements for areas the program identifies as deficient.

CSR’s Breach Reporting Service is the REACTIVE solution that provides breach notification assistance for the SMB community, because even with all protections in place, companies may still suffer a data breach.

In addition, CSR offers its newest product, CSR-V3 – an automated vendor privacy risk reduction tool which documents vendor management, verification and validation due diligence.  Oversight of business vendors to whom you disclose private or personal information is crucial and is among the program safeguards mandated by the SHIELD Act.
