Although no form of federal law governs the use of customer data across the U.S., many states have taken to establishing their own privacy acts and data security regulations to safeguard consumer information.
In this blog, we’ll go over what constitutes private information and highlight New York’s current privacy data security regulations. We’ll also cover two proposed acts and what they could mean for New Yorkers.
Private Information As These Acts Define It
New York’s data security and privacy regulations all aim to safeguard employees’ and customers’ personal and private information.
This confidential information can be defined as the following:
- Social Security numbers
- Driver’s license numbers
- Financial details, like account and credit card numbers
- Physical addresses
- Phone numbers
- Usernames/email addresses and associated passwords for website access
- Biometric information
[Related: The Biggest Cybersecurity Threats for NYC Businesses]
The New York Stop Hacks and Improve Electronic Data Security Act
In the spring of 2020, the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act went into full effect. This act has two main functions:
- It regulates New York businesses’ security measures.
- It sets guidelines for how they mitigate data breaches and protect their customers’ and employees’ personal information.
This act broadened existing data protection laws to more fully define personal identifiable information (PII). The NY SHIELD Act also increased penalties for cybersecurity breaches, creating more responsibility for New York businesses and third-party data handlers.
Under the NY SHIELD Act, all businesses in the state must have “reasonable measures” in place to minimize data breach risks.
These measures can include the following:
- Evaluating existing security measures to look for improvement
- Evaluating internal and external risks
- Setting up cybersecurity training for all employees
- Closely monitoring and managing employees with access to confidential data and PII
- Working with vendors who understand the cybersecurity standards
- Identifying any software- and network-associated data risks
- Implementing an ongoing response system in case of systems failures and cyberthreats
- Deciding how to properly collect, move and dispose of confidential data
With rapid technological advancements and evolving cybersecurity threats, this act ensures businesses manage any sensitive information they collect with the utmost care.
Proposed New York Privacy Act
While the NY SHIELD Act offers a legal framework and sets consequences for protecting the data companies collect, the New York Privacy Act (NYPA) would take security compliance one step further.
According to the New York State Senate, this proposed legislation would “require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared.”
Additionally, the NYPA would mandate that businesses be transparent about the purpose for which they collect this confidential information and use that data solely for that purpose. People would be able to fully access this data and to review or request its deletion. Moreover, instead of the common consent requirement that asks users whether they would like to “opt out” of sharing their information, the NYPA would require New Yorkers to “opt in.”
Progress of the NYPA
As of June 2023, the New York Senate has passed the bill, and it awaits approval from the New York State Assembly.
[Related: New York To Require Continuing Education in Cybersecurity for Lawyers]
Proposed New York Biometric Privacy Act
Per the New York State Assembly, the proposed New York Biometric Privacy Act (NYBPA) requires companies that collect and manage “biometric identifiers or biometric information to develop a written policy establishing a retention schedule, and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied, or within three years of the individual’s last interaction with the private entity, whichever occurs first.”
Biometric identifier information (BII) can include the following:
- A retinal or iris scan
- A fingerprint
- A voiceprint
- A hand or face geometry scan
The NYBPA also outlines that no company can collect or manage a person’s BII without taking these steps:
- Informing the person in writing that the company is collecting their information
- Informing the person in writing of the purpose and length of time for which the company is collecting, storing and using their BII
- Obtaining a written release from the person or their authorized representative
Progress of the NYBPA
The New York Senate Consumer Affairs and Protection Committee received the NYBPA in February 2023, and it is currently pending approval.
Who Needs To Know?
If your business handles New York residents’ data in digital form, you must comply with New York’s data security and privacy regulations.
Specifically, under the NY SHIELD Act, any business that digitally stores any private or personal identifiable information (PII) about a New York State resident — including employees, clients, prospects and more — must comply.
As for the proposed NYPA, any entities conducting business in New York or handling New Yorkers’ personal data will need to follow its guidelines.
The anticipated criteria for adhering to the NYPA are as follows:
- If your yearly gross revenue is over $25 million
- If you control the data of a minimum of 100,000 New Yorkers
- If you control the data of a minimum of 500,000 people in general, with 10,000 who are New York residents
- If you derive 50% or more of your gross revenue from the sale of personal data
Keep Your Data Secure and Your Business Compliant With CMIT Solutions
At CMIT Solutions, we’re dedicated to providing the highest-quality IT security services and support. We specialize in helping small to midsize businesses succeed and keeping their data safe.
If you’d like a consultation or help with understanding these New York privacy and data security regulations, call us at (585) 672-4114 or fill out our online form today!
Featured image via Unsplash