New York: Implements More Stringent Data Security Requirements for Employers

In order to combat breaches of security placing personal information at risk, the state of New York implemented the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which requires businesses to implement safeguards for the private information of New York residents, and expands notification requirements when a breach occurs. The SHIELD Act is quite broad and can apply to any employer who maintains private information of New York residents, even those outside the state.

The law requires employers to protect private information by developing, implementing, and maintaining reasonable safeguards to protect private information. A business will be in compliance with the standard if a data security system is in place that provides for protections outlined in the Act, including but not limited to, a designated data security program coordinator, a system for securely destroying private information when it is no longer needed, and assessing risks and implementing ways to address those risks. Small businesses (fewer than 50 employees) have less stringent requirements. In addition, those businesses already in compliance with other regulations that require private information be similarly secured (HIPAA Security Rule, Gramm-Leach-Bliley Act, etc.) are deemed to be in compliance with the SHIELD Act.

The SHIELD Act also expands notice requirements when a breach does occur, and applies to more categories under the expanded definition of “private information.” For example, biometric information is now covered by the Act, which should alert employers using biometric time clocks to record employee time to ensure compliance with the new rules. Employers should prepare to comply with the new requirements, and review all private information in their possession requiring protection.

Action Items