There's never a dull moment in privacy compliance. New York's SHIELD Act officially went into effect on March 21, but while many companies may have greeted the deadline from a position of strength, some could be finding themselves in a much more uncertain enforcement landscape than the one they imagined when the law was passed in July 2019.

The SHIELD Act amends New York's existing data breach notification law, expanding the definition of a breach to include not only unauthorized acquisition of protected digital information, but unauthorized access as well. It also broadens the type of information that companies have to protect to include "private information"—like Social Security or driver's license numbers—as well as "personal information" or "any information concerning a natural person" that can be used to identify said natural person.

Mark Krotoski, a partner at Morgan Lewis, indicated that the firm was already seeing "substantial compliance" with the tenets of the SHIELD Act among organizations. The General Data Protection Regulation and the California Consumer Privacy Act may deserve most of the credit, having long since forced many businesses to take a thorough data and cybersecurity inventory.

"I think the combination of new standards that have been imposed around the world have caught the attention of many companies to focus on these areas," Krotoski said.

However, Robert Silvers, a partner at Paul Hastings, views the situation as more of a "mixed bag" when it comes to businesses and their compliance efforts. He argued that some organizations both in the U.S. and abroad might be unaware that the law applies to them. For example, a company that doesn't maintain a presence in New York still falls subject to the SHIELD Act if it holds personal data belonging to a New York resident.

"I think there are companies all over the world quite frankly who are in that bucket that just aren't aware that they are subject to this New York law," Silvers said.

Even if a company is fully aware that it falls within the reach of the SHIELD Act, there's still no guarantee that compliance will be a cakewalk. The act lays out several highly specific requirements, including the need for businesses to step beyond their own security posture to ensure that any vendors they use have appropriate controls in place as well. Silvers framed such an effort as something that would challenge small and large companies alike.

"A lot of companies are not used to that. You do have to design and execute a program in order to be able to do that. You have to have the right contractual language in place with your vendors to require them to protect the data that you share with them," Silvers said.

Fortunately, small businesses may not face the same level of scrutiny. Under the SHIELD Act, companies with fewer than 50 employees, less than $3 million in gross annual revenue or less than $5 million in year-end total assets will be held to a different standard. Specifically, their security program must contain "reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers."

But ramping up a business's compliance efforts after the law has already gone into effect still isn't easy, especially these days. Mark Berman, a partner at Ganfer Shore Leeds & Zauderer, indicated that COVID-19's drag on the economy could also be an issue for businesses attempting to get their compliance in order on a dwindling revenue stream.

"If [compliance] was expensive before or economically problematic for a company before, it's worse now," Berman said.

It may be more complicated, too. Dan Greene, a certified information privacy professional with the law firm Beckage, pointed to the impact COVID-19 has had on the way companies conduct business, forcing them into a more dispersed or remote model of working that may raise new questions about what constitutes "reasonable" security measures. Do they need more VPN capacity? More licenses for anti-virus software?

"Now employers have to address physical safeguards, technical safeguards and administrative safeguards in a whole new light," Greene said.

Beckage has formally asked the New York Attorney General's Office for an enforcement extension on the SHIELD Act, but exactly how regulators will choose to proceed is uncertain.

Berman at Ganfer Shore Leeds & Zauderer believes that organizations will be given space to adjust barring any direct complaints issued by consumers. However, Krotoski at Morgan Lewis and Silvers at Paul Hastings both stressed that the New York Attorney General's Office has typically been aggressive in its enforcement efforts.

"I think they are excited to enforce this law," Silvers said.