Important Privacy Developments in New York State

Important Privacy Developments in New York State

**Alert Update: The SHIELD Act has been signed into law, and is effective in New York State on March 22, 2020.

As always, Beckage lawyers are available to assist in addressing any questions you may have regarding data security developments. Please feel free to contact us.

There are two important privacy developments in New York State that companies should take note of: the Stop Hacks and Improve Electronic Data Security (SHIELD) Act and the New York Privacy Act (NYS5642).  If passed, these pieces of legislation will impose more stringent data security requirements on companies that collect information from New York residents.

1.       THE SHIELD ACT

Passed by the State’s legislature, the SHIELD Act updates New York’s general business law (GBL 899-aa) governing notification requirements, consumer data protection obligations, and broadens the Attorney General’s oversight regarding data breaches impacting New Yorkers.

Specifically, the Act purports to:

  • Expand the scope of information subject to the current data breach notification law to include biometric information, email addresses, and corresponding passwords or security questions and answers;  
  • Broaden the definition of a data breach to include unauthorized “access” to private information from the current “acquired” standard;
  • Apply the notification requirement to any person or entity with private information of a New York resident, not just to those that conduct business in New York State;  
  • Update the notification procedures companies and state entities must follow when there has been a breach of private information; and
  • Create reasonable data security requirements tailored to the size of a business.

STATUS

Passed by the legislature, awaiting signature by the Governor. Additionally, amendments to the Act are currently pending. 

**Alert Update: The SHIELD Act has been signed into law, and is effective in New York State on March 22, 2020.

2.       THE NEW YORK PRIVACY ACT (NYS5642)

This bill, which has passed the Senate, was proposed by State Senator Thomas and is currently pending before the Senate Consumer Protection Committee. It has been compared to the General Data Protection Regulation and California Consumer Protection Act but differs in certain respects. Among other things, it purports to apply to most entities doing business in New York State, and includes those businesses outside the state that produce products or services targeted to NYS residents. Unlike the CCPA, there is no monetary or revenue threshold that must first be met to be included in the Act’s jurisdictional scope. 

This Act governs (and in some instances, limits) the collection and use of personal data by those entities. It requires consent, provides for certain data subject rights (correction, deletion), and includes a private right of action against companies processing jurisdictional PD. The bill does purport to exempt from its reach data sets governed by HIPPA/HITECH.

STATUS

Pending in Senate Consumer Protection Committee.  

PREDICTION

This bill is likely to pass the Senate.  However, as there is no same-as bill in the Assembly, the bill likely will not be passed this session. That said, it is a priority bill for Sen. Thomas and we expect more pressure next year to pass it.

Beckage PLLC continues to monitor privacy bills and regulations pending in New York State, including:

  • Proposed NYS Biometric Privacy Act;
  • Department of Financial Services regulations impacting credit reporting agencies;
  • New York Department of State Emergency Regulations on Identify Theft prevention and mitigation;
  • Proposed legislation relating to the New York State Cyber Security Advisory Board, a Cyber Security Action Plan for the State, and Periodic Cyber Security Reports.

Have questions? Our team at Beckage is uniquely positioned to advise on emerging privacy laws at both the state and national level. Contact us today for a consultation.

*Attorney Advertising: Prior results do not guarantee a similar outcome.

Wooden mazeEvolving Privacy Paradigms

Evolving Privacy Paradigms

Privacy paradigms all over the world are quickly evolving, starting with the European Union’s adoption of the General Data Protection Regulation (GDPR), Brazil’s General Data Protection Law, India’s pending Personal Data Protection Bill, and California’s just-passed Consumer Privacy Act. While the specifics vary, the international trend in adopting a comprehensive privacy law to govern all sectors, industries and emerging technologies remains. What’s more, the international paradigm is shifting away from a US-backed view of personal data as a commodity, and towards the EU’s view of personal data as an extension of self, with a range of human rights implications for data subjects. From the right to notice, access and correction to the right to portability and even erasure, companies subject to international privacy laws must have processes in place to identify personally identifiable information and respond expeditiously to the requests of individuals.

Depending on past data practices, businesses may also be faced with legacy archives of personal data now subject to international regulation. Inventorying your company’s data archives, classifying that data based on its content and sensitivity, and processing or destroying it appropriately are all necessary steps that businesses will need to take in the near term. Businesses should also consider whether de-identification and anonymization of personally identifiable information provides an avenue to avoid the strictures of some of these international privacy regimes.

To successfully operate in a multi-jurisdictional world businesses must appreciate the evolving privacy paradigms currently in play and adapt to them within the requisite time frames. With penalties nearing 4% of annual worldwide revenues for the GDPR, compliance is key. Beckage attorneys know the difference between being in compliance with privacy laws, and being able to demonstrate that compliance to the satisfaction of a national or international regulator. Call experienced counsel on whether and how your company can comply with the GDPR or national and international privacy laws.

DISCLAIMER: This client advisory is for general information purposes only. It does not constitute legal advice, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.