New York: Implements More Stringent Data Security Requirements for Employers


All Employers of NY Employees Maintaining Private Data of New York Residents


March 21, 2020



To combat security breaches that place personal information at risk, the state of New York implemented the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which requires businesses to implement safeguards for the private information of New York residents and expands notification requirements when a breach occurs. The SHIELD Act is quite broad and can apply to any employer that maintains private information of New York residents, even those outside the state.

The law requires employers to develop, implement, and maintain reasonable safeguards to protect private information. A business will be in compliance with the standard if it has a data security system in place that provides the protections outlined in the Act, including but not limited to a designated data security program coordinator, a system for securely destroying private information when it is no longer needed, and a process for assessing risks and implementing ways to address those risks. Small businesses (fewer than 50 employees) have less stringent requirements. In addition, businesses already in compliance with other regulations that require private information to be similarly secured (HIPAA Security Rule, Gramm-Leach-Bliley Act, etc.) are deemed to be in compliance with the SHIELD Act.

The SHIELD Act also expands notice requirements when a breach does occur, and applies to more categories under the expanded definition of “private information.” For example, biometric information is now covered by the Act, so employers that use biometric time clocks to record employee time should ensure compliance with the new rules. Employers should prepare to comply with the new requirements and review all private information in their possession that requires protection.

Action Items

  1. Have data security systems, including but not limited to biometric time clocks, reviewed for compliance.
  2. Have data breach response plans updated or prepared.
  3. Subscribers can call our HR On-Call Hotline at (888) 378-2456 for further assistance.

Disclaimer: This document is designed to provide general information and guidance concerning employment-related issues. It is presented with the understanding that ManagEase is not engaged in rendering any legal opinions. If a legal opinion is needed, please contact the services of your own legal adviser.

© 2019 ManagEase
