Careers

Diversity, Equity & Inclusion

Experience

Innovation

Interactive Maps

Locations

About

Pages

Meet our team of innovators
Ask us how we do it

Professionals

Insights

Services

Thompson Hine LLP, a full-service business law firm with approximately 400 lawyers in 8 offices, was ranked number 1 in the category “Most innovative North American law firms: New working models” by The Financial Times and was 1 of 7 firms shortlisted for The American Lawyer’s inaugural Legal Services Innovation Award. The firm has been recognized by the National Law Journal as a Legal Technology Trailblazer and featured by Bloomberg for its innovative service delivery models, which drive accuracy and predictability. The firm’s commitment to innovation is embodied in Thompson Hine SmartPaTHTM – a smarter way to work – predictable, efficient and aligned with client goals. For more information, please visit ThompsonHine.com and ThompsonHine.com/SmartPaTH.

Home | Thompson Hine LLP

Atlanta

Chicago

Cincinnati

Cleveland

Columbus

Dayton

Los Angeles

Minneapolis

New York

Washington, D.C.

The confluence of the COVID-19 crisis and the growing facility with remote work has moved more and more work to online and other digital platforms. As with any technological advance, cybercriminals see this as creating new targets of opportunity, increasing the risk of cybersecurity events and reemphasizing for many regulators the importance of data security. As these risks multiply, businesses would do well to assess their current legal obligations and ensure that their data security programs comply with regulations in all applicable jurisdictions.

contentpilot/introduction

Take New York, for example. As we reported in our <a href="https://www.thompsonhine.com/publications/new-york-shield-act-expands-privacy-and-cybersecurity-obligations" target="_blank" rel="noopener">previous alert</a>, in July 2019 New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). The SHIELD Act, which became effective on March 21, 2020, imposes more expansive data security requirements on companies and amends the state’s data breach notification law.

core/paragraph

core/heading

The SHIELD Act imposes on businesses that maintain New York residents’ private information new obligations to “develop, implement and maintain reasonable safeguards” to secure the information in both its use and disposal. Companies that are already subject to, and compliant with, certain federal and state data security regulations, such as financial institutions regulated by the Gramm-Leach-Bliley Act or health care organizations covered by the Health Insurance Portability and Accountability Act, are deemed to be in compliance with the SHIELD Act as well.

Under the SHIELD Act, an organization that is not already subject to these or similar regulations must implement and maintain specified administrative, technical and physical safeguards to protect private information, which include designating personnel to oversee the organization’s data security program; implementing due diligence and contractual requirements on third-party service providers; regularly testing key cybersecurity controls, systems and procedures; and implementing physical access controls. However, the SHIELD Act affords “small businesses” (as defined in the law) greater flexibility in implementing and maintaining their information security programs.

The SHIELD Act expands the scope of New York’s breach notification law by broadening the types of personal information that trigger notification obligations. Previously, state law required notification if an individual’s Social Security number, driver’s license or identification number, or financial account number (coupled with a security code or password), together with any personally identifiable information, was compromised. The SHIELD Act adds to this list biometric information as well as user names and email addresses, if they are coupled with passwords or other credentials allowing access to online accounts. The new law also removes the requirement that a financial account number be coupled with a security code or password, if the account could be accessed without such credentials.

Previously, New York’s data breach law only required notification when there was an unauthorized acquisition of computerized data, the determination of which was based on several factors identified in the law. The SHIELD Act broadens this requirement by also mandating notification when there is unauthorized access to protected information, meaning that reporting is now required in situations where personal information is exposed but not necessarily used or exfiltrated. To assist firms in determining their reporting obligations, the SHIELD Act also provides specific factors they may use to establish whether there was unauthorized access, including whether the information was viewed, used or altered by a person or communicated to another without authorization. Importantly, the new law does not change the time requirement for consumer notification – a breach must still be reported “in the most expedient time possible and without unreasonable delay.”

Companies should expect that New York, like many regulators, will fiercely enforce its data security and breach notification laws, especially given the increasing risk of cybersecurity events. Those obligated to comply with the SHIELD Act should ensure that their data security programs meet the law’s requirements and seek guidance as needed.

Mona Adabi 202.263.4147 <a href="mailto:Mona.Adabi@ThompsonHine.com">Mona.Adabi@ThompsonHine.com</a>

Darcy M. Brosky 216.566.5774 <a href="mailto:Darcy.Brosky@ThompsonHine.com">Darcy.Brosky@ThompsonHine.com</a>

Brian Doyle-Wenger 614.469.3294 <a href="mailto:Brian.Doyle-Wenger@ThompsonHine.com">Brian.Doyle-Wenger@ThompsonHine.com</a>

Craig A. Foster 614.469.3280 <a href="mailto:Craig.Foster@ThompsonHine.com">Craig.Foster@ThompsonHine.com</a>

Steven G. Stransky 216.566.5646 202.263.4126 <a href="mailto:Steve.Stransky@ThompsonHine.com">Steve.Stransky@ThompsonHine.com</a>

Thomas F. Zych 216.566.5605 <a href="mailto:Tom.Zych@ThompsonHine.com">Tom.Zych@ThompsonHine.com</a>

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.

https://admin.thompsonhine.com/wp-content/uploads/2022/04/Privacy__Cybersecurity_Update_-_New_Yorks_SHIELD_Act_Now_Effective_-_Take_Steps_to_Ensure_Compliance.pdf

New York’s SHIELD Act Now Effective – Take Steps to Ensure Compliance

Services