{"id":751,"date":"2023-08-30T13:58:10","date_gmt":"2023-08-30T18:58:10","guid":{"rendered":"https:\/\/cmitsolutions.com\/rochester-ny-1109\/?p=751"},"modified":"2025-07-30T17:12:44","modified_gmt":"2025-07-30T22:12:44","slug":"a-look-at-new-yorks-data-security-and-privacy-regulations-for-small-businesses","status":"publish","type":"post","link":"https:\/\/cmitsolutions.com\/rochester-ny-1109\/blog\/a-look-at-new-yorks-data-security-and-privacy-regulations-for-small-businesses\/","title":{"rendered":"A Look at New York\u2019s Data Security and Privacy Regulations for Small Businesses"},"content":{"rendered":"<p><span style=\"font-weight: 400\">Although no form of federal law governs the use of customer data across the U.S., many states have taken to establishing their own privacy acts and data security regulations to safeguard consumer information.<\/span><\/p>\n<p><span style=\"font-weight: 400\">In this blog, we\u2019ll go over what constitutes private information and highlight New York\u2019s current privacy and data security regulations. 
We\u2019ll also cover two proposed acts and what they could mean for New Yorkers.<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-770 size-large\" src=\"https:\/\/cmitsolutions.com\/rochester-ny-1109\/wp-content\/uploads\/sites\/9\/2023\/08\/pexels-david-iglesias-13356893-1024x683.jpg\" alt=\"new york city view, data security regulations\" width=\"1024\" height=\"683\" srcset=\"https:\/\/cmitsolutions.com\/rochester-ny-1109\/wp-content\/uploads\/sites\/9\/2023\/08\/pexels-david-iglesias-13356893-1024x683.jpg 1024w, https:\/\/cmitsolutions.com\/rochester-ny-1109\/wp-content\/uploads\/sites\/9\/2023\/08\/pexels-david-iglesias-13356893-300x200.jpg 300w, https:\/\/cmitsolutions.com\/rochester-ny-1109\/wp-content\/uploads\/sites\/9\/2023\/08\/pexels-david-iglesias-13356893-768x513.jpg 768w, https:\/\/cmitsolutions.com\/rochester-ny-1109\/wp-content\/uploads\/sites\/9\/2023\/08\/pexels-david-iglesias-13356893-1536x1025.jpg 1536w, https:\/\/cmitsolutions.com\/rochester-ny-1109\/wp-content\/uploads\/sites\/9\/2023\/08\/pexels-david-iglesias-13356893-2048x1367.jpg 2048w, https:\/\/cmitsolutions.com\/rochester-ny-1109\/wp-content\/uploads\/sites\/9\/2023\/08\/pexels-david-iglesias-13356893-1920x1281.jpg 1920w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<h2><span style=\"font-weight: 400\">Private Information As These Acts Define It<\/span><\/h2>\n<p><span style=\"font-weight: 400\">New York\u2019s data security and privacy regulations all aim to safeguard employees\u2019 and customers\u2019 personal and private information.\u00a0<\/span><\/p>\n<p><b>This confidential information can be defined as the following:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Social Security numbers<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Driver\u2019s license numbers<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Financial details, like account and credit 
card numbers<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Physical addresses<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Phone numbers<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Usernames\/email addresses and associated passwords for website access<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Biometric information<\/span><\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400\">The New York Stop Hacks and Improve Electronic Data Security Act<\/span><\/h2>\n<p><span style=\"font-weight: 400\">In the spring of 2020, <\/span><a href=\"https:\/\/cmitsolutions.com\/newyork-ny-1095\/blog\/ny-shield-act-what-it-is-and-how-to-make-sure-your-business-complies\/\"><span style=\"font-weight: 400\">the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act<\/span><\/a><span style=\"font-weight: 400\"> went into full effect. This act has two main functions:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">It regulates New York businesses\u2019 security measures.<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">It sets guidelines for how they mitigate data breaches and protect their customers\u2019 and employees\u2019 personal information.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400\">This act broadened existing data protection laws to more fully define personally identifiable information (PII). 
The NY SHIELD Act also increased penalties for cybersecurity breaches, creating more responsibility for New York businesses and third-party data handlers.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">Under the NY SHIELD Act, all businesses in the state must have \u201creasonable measures\u201d in place to minimize data breach risks.<\/span><\/p>\n<p><b>These measures can include the following:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Evaluating existing security measures to look for improvement<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Evaluating internal and external risks\u00a0<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Setting up cybersecurity training for all employees\u00a0<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Closely monitoring and managing employees with access to confidential data and PII<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Working with vendors who understand the cybersecurity standards<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Identifying any software- and network-associated data risks<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Implementing an ongoing response system in case of systems failures and cyberthreats<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Deciding how to properly collect, move and dispose of confidential data<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400\">With rapid technological advancements and evolving cybersecurity threats, this act ensures businesses manage any sensitive information they collect with the utmost care.<\/span><\/p>\n<h2><span style=\"font-weight: 400\">Proposed New York Privacy Act<\/span><\/h2>\n<p><span style=\"font-weight: 400\">While the NY SHIELD Act offers a legal framework and sets 
consequences for protecting the data companies collect, the New York Privacy Act (NYPA) would take security compliance one step further.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">According to the <\/span><a href=\"https:\/\/www.nysenate.gov\/legislation\/bills\/2023\/A3593#:~:text=2023%2DA3593%20(ACTIVE)%20%2D%20Summary,whom%20their%20information%20is%20shared.\"><span style=\"font-weight: 400\">New York State Senate<\/span><\/a><span style=\"font-weight: 400\">, this proposed legislation would \u201crequire companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared.\u201d\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">Additionally, the NYPA would mandate that businesses be transparent about the purpose for which they collect this confidential information and use that data solely for that purpose. People would be able to fully access this data and to review or request its deletion. 
Moreover, instead of the common consent requirement that asks users whether they would like to \u201copt out\u201d of sharing their information, the NYPA would require New Yorkers to \u201copt in.\u201d<\/span><\/p>\n<h3><span style=\"font-weight: 400\">Progress of the NYPA\u00a0<\/span><\/h3>\n<p><span style=\"font-weight: 400\">As of June 2023, the New York Senate has passed the bill, and it awaits approval from the New York State Assembly.<\/span><\/p>\n<h2><span style=\"font-weight: 400\">Proposed New York Biometric Privacy Act<\/span><\/h2>\n<p><span style=\"font-weight: 400\">Per the <\/span><a href=\"https:\/\/nyassembly.gov\/leg\/?default_fld=&amp;leg_video=&amp;bn=A00027&amp;term=2021&amp;Summary=Y&amp;Text=Y\"><span style=\"font-weight: 400\">New York State Assembly<\/span><\/a><span style=\"font-weight: 400\">, the proposed New York Biometric Privacy Act (NYBPA) requires companies that collect and manage \u201cbiometric identifiers or biometric information to develop a written policy establishing a retention schedule, and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied, or within three years of the individual\u2019s last interaction with the private entity, whichever occurs first.\u201d<\/span><\/p>\n<p><b>Biometric identifier information (BII) can include the following:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">A retinal or iris scan<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">A fingerprint<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">A voiceprint<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">A hand or face geometry scan<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400\">The NYBPA also outlines that no company can collect or manage a person\u2019s BII without taking 
these steps:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Informing the person in writing that the company is collecting their information<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Informing the person in writing of the purpose and length of time for which the company is collecting, storing and using their BII<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Obtaining a written release from the person or their authorized representative<\/span><\/li>\n<\/ul>\n<h3><span style=\"font-weight: 400\">Progress of the NYBPA<\/span><\/h3>\n<p><span style=\"font-weight: 400\">The <\/span><a href=\"https:\/\/legiscan.com\/NY\/pending\/senate-consumer-affairs-protection-committee\/id\/419\"><span style=\"font-weight: 400\">New York Senate Consumer Affairs and Protection Committee<\/span><\/a><span style=\"font-weight: 400\"> received the NYBPA in February 2023, and it is currently pending approval.<\/span><\/p>\n<h2><span style=\"font-weight: 400\">Who Needs To Know?<\/span><\/h2>\n<p><span style=\"font-weight: 400\">If your business handles New York residents\u2019 data in digital form, you must comply with New York\u2019s data security and privacy regulations.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Specifically, under the NY SHIELD Act, any business that digitally stores any private or personally identifiable information (PII) about a New York State resident \u2014 including employees, clients, prospects and more \u2014 must comply.<\/span><\/p>\n<p><span style=\"font-weight: 400\">As for the proposed NYPA, any entities conducting business in New York or handling New Yorkers\u2019 personal data will need to follow its guidelines.\u00a0<\/span><\/p>\n<p><b>The <\/b><a href=\"https:\/\/www.centraleyes.com\/everything-you-need-to-know-about-the-new-york-privacy-act-2021\/\"><b>anticipated criteria<\/b><\/a><b> for adhering to the NYPA are as 
follows:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">If your yearly gross revenue is over $25 million<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">If you control the data of a minimum of 100,000 New Yorkers<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">If you control the data of a minimum of 500,000 people in general, with 10,000 who are New York residents<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">If you derive 50% or more of your gross revenue from the sale of personal data<\/span><\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400\">Keep Your Data Secure and Your Business Compliant With CMIT Solutions<\/span><\/h2>\n<p><span style=\"font-weight: 400\">At <\/span><a href=\"https:\/\/cmitsolutions.com\/rochester-ny-1109\/\"><span style=\"font-weight: 400\">CMIT Solutions<\/span><\/a><span style=\"font-weight: 400\">, we\u2019re dedicated to providing the highest-quality IT security services and support. 
We specialize in helping small to midsize businesses succeed and keeping their data safe.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">If you\u2019d like a consultation or help with understanding these New York privacy and data security regulations, call us at (585) 672-4114 or fill out our <\/span><a href=\"https:\/\/cmitsolutions.com\/rochester-ny-1109\/contact-us\/\"><span style=\"font-weight: 400\">online form<\/span><\/a><span style=\"font-weight: 400\"> today!<\/span><\/p>\n<p><i><span style=\"font-weight: 400\">Featured image via <\/span><\/i><a href=\"https:\/\/unsplash.com\/photos\/pvPyz0LcsBU\"><i><span style=\"font-weight: 400\">Unsplash<\/span><\/i><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Although no form of federal law governs the use of customer data&#8230;<\/p>\n","protected":false},"author":34,"featured_media":752,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-751","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-local-it"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/cmitsolutions.com\/rochester-ny-1109\/wp-json\/wp\/v2\/posts\/751","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cmitsolutions.com\/rochester-ny-1109\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cmitsolutions.com\/rochester-ny-1109\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cmitsolutions.com\/rochester-ny-1109\/wp-json\/wp\/v2\/users\/34"}],"replies":[{"embeddable":true,"href":"https:\/\/cmitsolutions.com\/rochester-ny-1109\/wp-json\/wp\/v2\/comments?post=751"}],"version-history":[{"count":0,"href":"https:\/\/cmitsolutions.com\/rochester-ny-1109\/wp-json\/wp\/v2\/posts\/751\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cmitsolutions.com\/rochester-ny-1109\/wp-json\/wp\/v2\/media\/752"}],"wp:atta
chment":[{"href":"https:\/\/cmitsolutions.com\/rochester-ny-1109\/wp-json\/wp\/v2\/media?parent=751"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cmitsolutions.com\/rochester-ny-1109\/wp-json\/wp\/v2\/categories?post=751"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cmitsolutions.com\/rochester-ny-1109\/wp-json\/wp\/v2\/tags?post=751"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}