Uncertainty Surrounds Privacy Compliance, Enforcement With NY SHIELD Act
New York's SHIELD Act went into effect on March 21, but some businesses may still be trying to get their house in order while questions linger around just how strong enforcement will be.
March 31, 2020 at 11:30 AM
There's never a dull moment in privacy compliance. New York's SHIELD Act officially went into effect on March 21, but while many companies may have greeted the deadline from a position of strength, some could be finding themselves in a much more uncertain enforcement landscape than the one they imagined when the law was passed in July 2019.
The SHIELD Act amends New York's existing data breach notification law, expanding the definition of a breach to include not only unauthorized acquisition of protected digital information, but unauthorized access as well. It also broadens the type of information that companies have to protect to include "private information"—like Social Security or driver's license numbers—as well as "personal information" or "any information concerning a natural person" that can be used to identify said natural person.
Mark Krotoski, a partner at Morgan Lewis, indicated that the firm was already seeing "substantial compliance" with the tenets of the SHIELD Act among organizations. The General Data Protection Regulation or the California Consumer Privacy Act may deserve most of the credit, having long since forced many businesses to take a thorough data and cybersecurity inventory.
"I think the combination of new standards that have been imposed around the world have caught the attention of many companies to focus on these areas," Krotoski said.
However, Robert Silvers, a partner at Paul Hastings, views the situation as more of a "mixed bag" when it comes to businesses and their compliance efforts. He argued that some organizations both in the U.S. and abroad might be unaware that the law applies to them. For example, a company that doesn't maintain a presence in New York still falls subject to the SHIELD Act if they hold personal data belonging to one of the state's citizens.
"I think there are companies all over the world quite frankly who are in that bucket that just aren't aware that they are subject to this New York law," Silvers said.
Even if a company is fully aware that they fall within the authority of the SHIELD Act, there's still no guarantee that compliance will be a cakewalk. The act lays out several highly specific requirements, including the need for businesses to step beyond their own security posture to ensure that any vendors they might use have the appropriate controls in place as well. Silvers framed such an effort as something that would challenge both small and large companies alike.
"A lot of companies are not used to that. You do have to design and execute a program in order to be able to do that. You have to have the right contractual language in place with your vendors to require them to protect the data that you share with them," Silvers said.
Fortunately, small businesses may not face the same level of scrutiny with regard to their vendor relationships. Under the SHIELD Act, companies with fewer than 50 employees, less than $3 million in gross annual revenue or less than $5 million in year-end total assets will be held to a different standard. Specifically, their security program must contain "reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers."
But ramping up a business' compliance efforts after the law has already gone into effect still isn't easy—especially these days. Mark Berman, a partner at Ganfer Shore Leeds & Zauderer, indicated that COVID-19's drag on the economy could also be an issue for businesses attempting to get their compliance in order on a dwindling revenue stream.
"If [compliance] was expensive before or economically problematic for a company before, it's worse now," Berman said.
It may be more complicated, too. Dan Greene, a certified information privacy professional with law firm Beckage, pointed to the impact COVID-19 has had on the way companies conduct business, forcing them into a more dispersed or remote model of working that may present new questions around what constitutes "reasonable" security measures. Do they need more VPNs set up? More licenses for anti-virus software?
"Now employers have to address physical safeguards, technical safeguards and administrative safeguards in a whole new light," Greene said.
Beckage has formally asked the New York Attorney General's Office for an enforcement extension on the SHIELD Act, but exactly how regulators will choose to proceed is uncertain.
Berman at Ganfer Shore Leeds & Zauderer believes that organizations will be given space to adjust barring any direct complaints issued by consumers. However, Krotoski at Morgan Lewis and Silvers at Paul Hastings both stressed that the New York Attorney General's Office has typically been aggressive in its enforcement efforts.
"I think they are excited to enforce this law," Silvers said.