In the past two years, a flurry of states have enacted laws and amendments to laws governing businesses’ collection, use, sharing, and protection of consumers’ personal information, including the SHIELD Act (SHIELD Act or Act) in New York, amendments to Nevada’s Security and Privacy of Personal Information Law, and the California Consumer Protection Act (CCPA).  All of these laws will take full or partial effect within the next six months.  In this post, we summarize the new requirements imposed on organizations by these laws.  Businesses subject to these laws should be taking actions now to help ensure that they will be in compliance with all applicable requirements by the laws’ operative dates.

New York: The SHIELD Act (October 23, 2019 and March 21, 2020 Compliance Deadlines)

Last week, on July 25, 2019, the Governor of New York signed the Stop Hacks and Improve Electronic Data Security Act, or the “SHIELD” Act.  The SHIELD Act, which is applicable to all persons and businesses that own or license computerized data that includes private information of New York residents, creates two changes to New York law.

First, the Act amends New York’s existing breach notification law by expanding the definition of “private information” to include (1) an individual’s account, credit card, or debit card number, if the number could be used to access a financial account without a security code, access code, or password; (2) biometric information, such as a fingerprint, voice print, retina, or iris image; and (3) a user name or email address in combination with a password or security question and answer.  The SHIELD Act also expands the existing breach notification law’s definition of a “breach” to include unauthorized access to private information in addition to unauthorized acquisition of private information.  This expanded definition will result in expanded breach notification obligations for businesses in contexts in which private information is viewed, but not taken, by an unauthorized person, including in ransomware scenarios.  The SHIELD Act also increases (1) the maximum civil penalty for a knowing or reckless violation of New York’s breach notification law from $150,000 to $250,000; and (2) the statute of limitations for which the New York Attorney General may bring an action against a business from two years to three years.

Second, the SHIELD Act creates new cybersecurity requirements for businesses that own or license computerized data that includes private information of New York residents.  Such businesses must develop, implement, and maintain a data security program that includes:

  • Reasonable administrative safeguards such as:
    • Designating one or more employees to coordinate the security program;
    • Identifying reasonably foreseeable internal and external risks;
    • Assessing the sufficiency of safeguards in place to control the identified risks;
    • Training and managing employees in security program practices and procedures;
    • Selecting service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract; and
    • Adjusting the security program in light of business changes or new circumstances;
  • Reasonable technical safeguards such as:
    • Assessing risks in network and software design;
    • Assessing risks in information processing, transmission, and storage;
    • Detecting, preventing, and responding to attacks or system failures; and
    • Regularly testing and monitoring the effectiveness of key controls, systems, and procedures; and
  • Reasonable physical safeguards such as:
    • Assessing risks of information storage and disposal;
    • Detecting, preventing, and responding to intrusions;
    • Protecting against unauthorized access to or us of private information during or after the collection, transportation, and destruction or disposal of the information; and
    • Disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

Businesses are deemed to be in compliance with the Act if they are subject to and in compliance with Title V of the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), or the New York State Department of Financial Services Cybersecurity Requirements.  Small businesses (defined as businesses with fewer than 50 employees, less than three million dollars in gross annual revenue, or less than five million dollars in year-end total assets) have some flexibility under the Act, and are only required to have reasonable administrative, technical, and physical safeguards that are appropriate for the size and complexity of their activities, and the sensitivity of the personal information they collect.

The SHIELD Act’s breach notification changes will go into effect on October 23, 2019, and the new cybersecurity requirements will go into effect on March 21, 2020.

Nevada: Amendments to the Security and Privacy of Personal Information Law (October 1, 2019 Compliance Deadline)

On May 29, 2019, the Governor of Nevada signed Senate Bill 220 (SB220), which amends Nevada’s Security and Privacy of Personal Information Law (Security and Privacy Law), into law.  Although Nevada’s Security and Privacy Law governs both the security practices of data collectors and the online privacy notice obligations of website operators, SB220 amends only the online privacy notice portion of the law.  The amendments to the law will affect only operators of Internet websites and online services that (1) collect and maintain certain types of personal information (PI) from Nevada residents in connection with their websites or online services; and (2) direct sales or other activities toward Nevada, consummate transactions with Nevada or Nevada residents, or otherwise avail themselves of the privilege of conducting activities in Nevada (collectively, Operators).  The privacy notice obligations imposed on Operators do not apply to third parties that operate, host, or manage websites or services on behalf of website or service owners or that process information on behalf of such owners.

Prior to its amendment, the Security and Privacy Law required Operators to provide a notice to Nevada consumers that (1) identifies the categories of PI collected through their websites and the categories of third parties with whom the Operator may share such PI; (2) provides a description of the process, if any, for a consumer to review and request changes to any of his or her PI; (3) describes the process by which the Operator notifies consumers who use or visit the website of material changes to the notice; (4) describes whether a third party may collect PI about a consumer’s online activities over time and across different websites when consumers use the Operator’s website; and (5) states the effective date of the notice.

The amendments add a requirement for Operators to provide Nevada consumers with the opportunity to “opt-out” of the sale of their PI.  Operators must provide consumers with either an email address, toll-free phone number, or website through which consumers can submit an opt-out request to an Operator, directing the Operator to not make any sale of any of the consumer’s PI that the Operator has collected or will collect.  Notably, this requirement applies whether or not an Operator actually sells PI.  Operators subject to the amended law should record opt-out requests from consumers and honor such requests with respect to any future sale of PI.  Unlike the CCPA, the amended law does not require Operators to provide a conspicuous notice of the opt-out right on their websites, though as a best practice, Operators should describe this right and the opt-out process in their website privacy policies.

In the amendments, the term “sale” is narrowly defined to only include situations in which an Operator receives money in exchange for consumers’ PI, and only where the recipient of the PI licenses or sells the PI to additional persons.  The term excludes the disclosure of PI by an Operator to a person (1) who processes the PI on behalf of the Operator; (2) with whom the Operator has a direct relationship for the purposes of providing a product or service requested by the consumer; (3) for purposes that are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the PI to the Operator; (4) who is an affiliate of the Operator; or (5) as an asset that is part of a merger, acquisition, or bankruptcy.

The law’s definition of “Operator” was amended to exclude financial institutions subject to the GLBA, entities subject to HIPAA, and certain motor vehicle manufacturers or persons who repair or service motor vehicles.  As a result, once the amended law is effective, these types of entities will be excluded not only from the new opt-out requirement created by the amended law, but also from the law’s requirement to provide a privacy notice to consumers.

The amended law’s opt-out requirement will go into effect in just two months on October 1, 2019.

California: California Consumer Privacy Act (January 1, 2020 Compliance Deadline)

On June 28, 2018, the Governor of California signed into law the California Consumer Privacy Act.  The CCPA requires businesses to provide California consumers with an online privacy notice disclosing various information about their practices relating to the collection and sharing of California consumer PI.  Additionally, businesses that are deemed to sell PI under the CCPA’s broad definition of “sale” must provide a “Do Not Sell My Personal Information” link on their website homepage that leads to a designated webpage that allows consumers to opt-out of the sale of their PI.  For a more in-depth discussion on the CCPA’s requirements and how to comply, see our prior post on the CCPA here.

The CCPA will go into effect on January 1, 2020.  However, regulatory enforcement of the CCPA will not take place until July 1, 2020, or six months after implementing regulations have been published by the California Attorney General, whichever is sooner.

Fey, LLC will continue to monitor developments in state data privacy law.  To ensure you do not miss any articles or alerts we prepare on data protection laws and developments, you can follow our LinkedIn page here.

Laura Fey

Laura Clark Fey, Privacy Law Specialist (IAPP), is the principal at Fey LLC.

Hannah Zimmerman

Hannah Zimmerman is an associate attorney with Fey LLC.