New Cybersecurity and Privacy Law in New York Affects Employers in New York and Beyond
The SHIELD Act will impose substantial new obligations on any employer with an employee residing in New York State, as well as on many employers across the country that conduct online hiring.
- Regardless of their location or size, employers that receive, collect or otherwise possess private information about New York residents must comply with the New York SHIELD Act.
- Even employers with no New York employees may trigger coverage based on information collected through their online hiring processes.
- Employers with such data must adopt cybersecurity data safeguards that comply with the provisions of the SHIELD Act and are subject to notification requirements in the event of a data breach.
New York recently passed a new cybersecurity and data breach law that is scheduled to go into effect on October 23, 2019. The Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) applies to “any person or business that owns… computerized data which includes private information,” as defined in the Act, regardless of corporate structure, revenues, or location. The Act subjects many businesses outside of New York to new cybersecurity and data privacy compliance obligations, beyond those of the jurisdictions in which the business may be based. The Act also broadens the scope of New York’s current data breach notification and private data protection laws in two ways: (1) covered entities are required to adopt comprehensive data protection programs to safeguard “private information,” and (2) covered entities must comply with heightened data breach notification requirements.
The SHIELD Act will apply not only to employers in New York State, but also to many employers with no physical presence in New York. Additionally, although the Act takes size into account when determining whether a data protection system is reasonable, no exemption exists for small employers.
Cybersecurity Program and Data Breach Notification Requirements
The SHIELD Act requires “any person or business that owns or licenses computerized data which includes private information of a resident of New York” to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.” The Act imposes detailed requirements about the administrative, technical and physical safeguards covered entities must adopt, although it provides flexibility in meeting data security requirements for “small businesses.” A “small business” is defined as one with (i) fewer than 50 employees; (ii) less than $3 million in gross annual revenue in each of the last three fiscal years; or (iii) less than $5 million in year-end total assets. For larger businesses, such programs must at a minimum include:
- designation and training of employees to coordinate cybersecurity compliance,
- the use of third-party service providers capable of maintaining appropriate cybersecurity practices, with safeguards required by contract,
- risk assessment of the company’s cybersecurity program, including both the network and software design and the information processing, transmission and storage,
- processes and physical safeguards to detect, prevent and respond to attacks or system failures,
- monitoring and testing of the effectiveness of the cybersecurity program,
- processes to safely, securely and permanently dispose of data within a reasonable amount of time after it is no longer needed for business purposes, and
- updates to the program periodically to address changes in the business or circumstances that would require the program to be changed.
Employers in New York, or employers that possess “private information” (discussed below) of New York residents, will be expected to take action to ensure that their cybersecurity program complies with these new requirements.
The Act also imposes data breach notification obligations on covered entities, as well as on any person or business “which maintains computerized data which includes private information,” even if the person or business does not own or license the private information.
The Act provides until March 21, 2020, for establishment of the required data protection program, but the data breach notification requirements are operative as of the October 23, 2019 effective date. The Act does not create a private right of action, but the New York State Attorney General is authorized to bring enforcement actions, and violations may result in civil penalties.
Expanded Definition of Protected “Private Information”
The SHIELD Act expands New York’s current definition of “private information,” which was previously defined as:
- “personal information” (i.e., information about a person that, “because of a name, number, personal mark, or other identifier, can be used to identify such natural person”) plus
- specific data elements “when either the data element or the combination of personal information plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired.”
Before the SHIELD Act takes effect, the only two recognized “data elements” are an individual’s Social Security Number and Driver’s License Number/Non-Driver Identification Card Number. The SHIELD Act expands the definition to include the following additional data elements:
- biometric information, including fingerprints, voice prints, or retina or iris images;
- bank account or credit or debit card numbers, regardless of the inclusion of the password or security code, if the numbers could be used to access accounts.
Additionally, “private information” now also includes a “username or email address in combination with a password or security question and answer that would enable access to an online account.”
Practical Considerations for Out-of-State Employers
Any employer of a New York State resident will necessarily fall within the scope of the Act, as, at a minimum, such “private information” is necessary for completion of an IRS form W-2.
Employers who are outside of New York may still fall within the scope of the SHIELD Act if they solicit or accept applications from New York State residents, if “private information” is gathered during the application process. Many employers post job openings on their “Careers” websites or gather information about applicants through third-party job boards. Job openings based in locations across the country may still attract applicants who currently reside in New York State but who are interested in relocating.
To avoid triggering SHIELD Act requirements as a result of the recruitment of NY residents, employers may consider:
- Examining their current records for “private information” regarding any New York resident and assessing the need to maintain such information consistent with the company’s document retention practices.
- If an employer does not maintain “private information,” it should adopt and document policies and procedures designed to prevent the receipt of such information. Such procedures could include some of the following precautions:
  - Assigning their own unique identifiers to employee applications, in order to avoid collection of “data elements.”
  - Avoiding having applicants create password-protected individual accounts on an online careers portal.
- To the extent that private information is necessary for background checks, employers may wish to outsource collection of such personal information to a third-party vendor so as to not obtain access to such information prior to the candidate’s start date.
Employers located in New York State or that otherwise possess “private information” of New York residents should act to bring their cybersecurity practices into compliance with these new requirements. Employers with no current New York presence should evaluate whether their cybersecurity practices comply with the SHIELD Act requirements prior to hiring a New York resident or otherwise acquiring private information about any New York resident.
Regardless of SHIELD Act coverage, however, all employers are encouraged to bring their cybersecurity practices up to a level that would be compliant in order to protect the organization’s own valuable information and the personal information of their employees, wherever located. While employers outside of New York may prefer to avoid coverage and thus potential liability under the Act, the SHIELD Act nonetheless serves as a guide to best practices.
U.S. employers that are not subject to the New York SHIELD Act will have other statutory obligations under state and federal laws.