22 DECEMBER 2020
The spotlight has brightened on data privacy in the last few years, especially amid the current pandemic and the use of remote working tools. But that spotlight certainly isn’t going to be turned down any time soon. While there is no U.S. federal data privacy law, states have taken it into their own hands, including California with its Consumer Privacy Act and now, New York State.
New York passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act in July of 2019. The state already had a General Business Law 899-AA with a section headlined “Notification of Unauthorized Acquisition of Private Information,” and the SHIELD Act is technically a revision and continuation of that New York data privacy law. But looking at the updated sections, we see meaningful additions to several topics.
The SHIELD Act adds the words “Data Security Protections” to the heading of a major section of the law, introducing and emphasizing a whole new area of concern. There is expansive language on this topic, requiring companies to “implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of…private information.” In other words, it’s not just about breach notifications anymore.
There’s a completely new, albeit very short, provision about “disposal…of private information within a reasonable amount of time after it is no longer needed for business purposes,” and that requirement is at the top of the new list of security requirements. This presents a significant challenge for every organization, yet has flown under the radar of most analyses of the SHIELD Act. This requirement presents an information governance challenge, not a typical data security requirement. We all focus on what’s familiar to us, and data privacy professionals are not in the business of operationalizing the governance of data and information.
The SHIELD Act also introduced a broadened definition of “private information” and of “breach.” Private information now includes biometric information (among many other things), and a breach now includes any unauthorized access that compromises the integrity of private information. These new definitions are the most challenging aspect of this new law. For example, there’s a new concept about combining data elements (to create private information) that is both expansive and very vague: how do you know which data elements could give access to a customer’s financial accounts, and what does it mean to “combine” these elements?
Another significant change is the act’s expansion of the territorial scope of New York State law: data breach notifications are required of any person or organization that owns the private information of a New York resident, not just organizations that conduct business in New York State. This is significant. It’s no longer about state businesses, it’s about state residents. Given the population and importance of New York State, many companies without offices or operations in the state but selling or marketing to New Yorkers will be covered.
The above are examples of how the SHIELD Act verges on being a data privacy law, not just a data security law. As we noted, the act expands the emphasis of the law from business activities to data concerns. Thus, organizations should direct their attention to interactions with customers: what are the people, processes, and systems in your organization that may collect data about NYS residents? Who, internally, is responsible for making sure the data practices are compliant and the data is safe? Clearly IT is involved, as well as records management and privacy officers, but who else is or should be involved?
The SHIELD Act laid out two effective dates: October 2019, when changes to the existing breach notification rules took effect, and March 2020, when data security requirements began. Since those dates have passed, what should the priorities be for organizations that still need to start compliance with the latest New York data privacy law?
Start with reviewing and updating data breach identification, management, and notification processes. Why? You don’t want to appear in a headline that reads, “XYZ Company Discovered a Breach of Personal Data Months After It Happened and Then Failed to Properly Notify Consumers and Regulators.” While the state Attorney General (AG) could investigate and enforce shortcomings in your data security measures, from a risk criticality point of view, breaches should be the focus.
Most mid-sized and large businesses have identified management team responsibility for data security, and those “CISO”-type folks are usually well aware of industry best practices. (And the SHIELD Act requirements on data security follow pretty standard industry guidelines, listing “reasonable administrative…technical…and physical safeguards.”) But senior management attention to data breach identification, management, and notification needs to be elevated.
Breach management, in particular, requires coordinating across operational and corporate teams, including legal. Experience with procedures for unusual events tells us this is a common operational risk: because it’s not a business-as-usual function, you don’t have regular meetings of a “breach management committee” where everyone reaffirms that all is working properly. Yet, the time to figure out how to scramble the fighter jets is not when you see the bombers on the radar screen. To prepare for the requirements of this legislation, someone in senior management must be accountable, or you will wind up with an emergency approach.
This is why we work on incorporating data privacy and protection into clients’ existing risk management frameworks and embedding the concept of personal information into information governance policies and procedures. There is no question that characteristics of data like “sensitive,” “records,” and “personal” are all just indicators that the information requires governance. And that means integrating the efforts of information security, records management, and data privacy teams and tools is necessary going forward. This is the approach that sophisticated organizations are now taking.