Julia K. Kadish of Sheppard Mullin writes:
Businesses collecting personal information from New York residents will soon be expected to apply enhanced data security requirements. The New York SHIELD Act, signed into law in July 2019, expanded breach notice requirements in October 2019. Now, On March 21, 2020, the remaining provisions related to data security will also come into effect. As we wrote previously, businesses subject to the law must implement data security programs that include at least the following:
- Reasonable administrative safeguards, including: designate one or more employees to coordinate the security program; identification of internal and external risks and safeguards to control the risks; train employees on security practices; select service providers capable of maintaining appropriate safeguards (and contractually require said safeguards);
- Reasonable technical safeguards, including: assess risks in network and software design; regularly test and monitor effectiveness of controls, systems, and procedures; and
- Reasonable physical safeguards, including: assess risks of information storage and disposal; dispose of private information within a reasonable amount of time after it’s no longer needed for a business purpose; erase information so that it cannot be read or reconstructed.
There are some limited exceptions.
Read more on Eye on Privacy.