What does expanded New York data privacy law mean for you?
Whether you call it personal information, personal data, or personally identifiable information (PII), the data that your organization collects on clients, customers, and users is vital to your operations as well as to regulatory, litigation, and consumer responsiveness.
Yet, as data privacy laws and data retention requirements evolve, organizations must not only keep up with the latest changes, but also cope with a fundamental conflict: privacy laws and retention requirements often contradict each other.
So, how can your organization comply with data privacy laws and the need to retain data? Effective information governance (IG) allows you to operationalize the processes of data disposal and retention — helping your organization balance the requirements of both data privacy laws and data retention regulations.
SHIELD Act: What has changed
Among the changes, New York’s SHIELD Act has expanded definitions and requirements for private information and data breach notice provisions. And there are two major new concepts and increased business responsibilities that deserve more attention.
1. Focus on data security protections
The SHIELD Act adds the words “Data Security Protections” to the heading of a major section of the law, introducing and emphasizing a whole new area of concern. There is expansive language on this topic, requiring companies to “implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of…private information.” In other words, it’s not just about breach notifications anymore.
2. Information governance challenge
There’s a completely new, albeit very short, provision about “disposal…of private information within a reasonable amount of time after it is no longer needed for business purposes,” and that requirement is at the top of the new list of security requirements. This presents a significant challenge for every organization, yet has flown under the radar of most analyses of the SHIELD Act. This requirement presents an information governance challenge, not a typical data security requirement. We all focus on what’s familiar to us, and data privacy professionals are not in the business of operationalizing the governance of data and information.
3. Broader definitions of private information and breach
The SHIELD Act also introduced a broadened definition of “private information” and of “breach.” Private information now includes biometric information (among many other things), and a breach now includes any unauthorized access that compromises the integrity of private information. These new definitions are the most challenging aspect of this new law. For example, there’s a new concept about combining data elements (to create private information) that is both expansive and very vague: how do you know which data elements could give access to a customer’s financial accounts; and what does it mean to “combine” these elements?
4. Expansion of scope
Another significant change is the act’s expansion of the territorial scope of New York State law: data breach notifications are required of any person or organization that owns the private information of a New York resident, not just organizations that conduct business in New York State. This is significant. It’s no longer about state businesses, it’s about state residents. Given the population and importance of New York State, many companies without offices or operations in the state but selling or marketing to New Yorkers will be covered.
SHIELD Act becomes a New York data privacy law
The above are examples of how the SHIELD Act verges on being a data privacy law, not just a data security law. As we noted, the act expands the emphasis of the law from business activities to data concerns. Thus, organizations should direct their attention to interactions with customers: what are the people, processes, and systems in your organization that may collect data about NYS residents? Who, internally, is responsible for making sure the data practices are compliant and the data is safe? Clearly IT is involved, as well as records management and privacy officers, but who else is or should be involved?
How to respond to the SHIELD Act changes
The SHIELD Act laid out two effective dates: October 2019, when changes to the existing breach notification rules took effect, and March 2020, when data security requirements began. Since those dates have passed, what should the priorities be for organizations that still need to start compliance with the latest New York data privacy law?
Review breach-related processes
Start with reviewing and updating data breach identification, management, and notification processes. Why? You don’t want to appear in a headline that reads, “XYZ Company Discovered a Breach of Personal Data Months After It Happened and Then Failed to Properly Notify Consumers and Regulators.” While the AG could investigate and enforce shortcomings in your data security measures, from a risk criticality point of view, breaches should be the focus.
Involve senior management
Most mid-sized and large businesses have identified management team responsibility for data security, and those “CISO”-type folks are usually well aware of industry best practices. (And the SHIELD Act requirements on data security follow pretty standard industry guidelines, listing “reasonable administrative…technical…and physical safeguards”.) But senior management attention to data breach identification, management, and notification needs to be elevated.
Breach management, in particular, requires coordinating across operational and corporate teams, including legal. Experience with procedures for unusual events tells us this is a common operational risk: because it’s not a business-as-usual function, you don’t have regular meetings of a “breach management committee” where everyone reaffirms that all is working properly. Yet, the time to figure out how to scramble the fighter jets is not when you see the bombers on the radar screen. To prepare for the requirements of this legislation, someone in senior management must be accountable, or you will wind up with an emergency approach.
Consider an information governance approach
This is why we work on incorporating data privacy and protection into clients’ existing risk management frameworks and embedding the concept of personal information into information governance policies and procedures. There is no question that characteristics of data like “sensitive,” “records,” and “personal” are all just indicators that the information requires governance. And that means integrating the efforts of information security, records management, and data privacy teams and tools is necessary going forward. This is the approach that sophisticated organizations are now taking.
To learn more about data privacy or about information governance in general matthew@bernsteindata.com or check out our on-demand webinar.