New York recently passed a comprehensive overhaul of its data security and breach notification requirements called the Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act). Importantly, the law will affect businesses that do not have a physical presence within New York as the SHIELD Act regulates companies that possess the private information of even a single New York resident.
The breach notification amendments take effect on October 23, 2019. The data security requirements take effect on March 21, 2020.
If a covered business owns or licenses the private information of a New York resident and experiences a security breach, notice requirements attach. Notice must be provided in the “most expedient time possible and without unreasonable delay.”
In addition to data breach notifications, the SHIELD Act also imposes several data protection requirements that covered businesses must implement. Just as with the data breach requirements, the data security requirements apply to covered businesses that possess private information of a New York resident.
Small businesses are required to comply with only some of the data protection requirements. A small business is defined as a business with:
- Fewer than fifty (50) employees;
- Less than $3 million in gross annual revenue in each of the last three (3) years; or,
- Less than $5 million in year-end total assets.
Small businesses must implement data security measures that are “appropriate for the size and complexity of the small business, the nature and scope of the small businesses’ activities, and the sensitivity of the personal information the small business collects from or about consumers.”
Businesses that do not qualify for the limited exemption for small businesses may comply by demonstrating that they are a “compliant regulated entity,” which will be rare for self storage owners and operators, or by enacting several data security measures explained in the memo provided below.
The New York law continues the trend of states such as California and Nevada enacting strict data security and privacy laws. SSA members should carefully review the SHIELD Act. New York-based businesses that have the private information of New York residents must take the necessary steps to ensure they have the required data security safeguards in place, as well as appropriate mechanisms to notify New York residents in the event of a breach.
SSA members outside of New York should also carefully examine the law. If an SSA member anywhere in the country has the private information of a customer or tenant who is a New York resident, that business is now covered by the SHIELD Act and must take the necessary steps to comply as well.
It is best to consult with a data security attorney and/or specialist to fully understand the technical nuances of the law and what businesses must do to make sure their data security system provides the minimum protection required by the SHIELD Act.
For a list of privacy and data security law firms, click here. For a list of privacy and data security implementation specialists, click here.
Overall, as more states enact laws pertaining to data privacy and security, it is a good practice to audit company-wide procedures regarding data protection to ensure current practices are sufficient for current standards.
To learn more about the SHIELD Act, click here.