Julia E. Judish
Julia E. Judish is special counsel at Pillsbury Winthrop Shaw Pittman, LLP, in Washington, DC.
New York’s SHIELD Act imposes new requirements for protection of state residents’ personal data and for notification of data breaches—and it reaches beyond state borders. If your association has employees, job applicants, or members in New York, the organization likely has new compliance obligations.
Associations across the nation face heightened data privacy and data breach notification requirements due to a far-reaching new law enacted in 2019 in New York state. The Stop Hacks and Improve Electronic Data Security Act, known as the SHIELD Act, applies to any person or organization that owns, receives, collects, or otherwise possesses computerized private information about New York state residents.
Unlike the more highly publicized California Consumer Protection Act, the New York SHIELD Act contains no exceptions for nonprofit organizations. The SHIELD Act also applies regardless of the size, revenues, or location of an association that holds covered information.
Any association that maintains computerized employment records and has one or more employees who reside in New York will be subject to the SHIELD Act, because employers collect covered “private information” in complying with their tax obligations. The statute defines covered private information as
The data elements that, in combination with “personal information,” trigger coverage include any of the following:
Even associations with no employees in New York can be subject to the statute, based on the information they collect from job applicants or hold about members. With most hiring done through online career websites or job boards, even associations located far from New York may gather “private information” from an applicant with a New York residence. Associations with individual members may also collect private information from New York residents, unless the association is located outside of New York and has a very localized membership.
Even associations with no employees in New York can be subject to the statute, based on the information they collect from job applicants or hold about members.
Associations covered by the SHIELD Act must “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information, including, but not limited to, disposal of data.” The safeguards must, at a minimum, include
While small associations are not exempt from these requirements, the statute is less prescriptive about how small businesses must comply. Under the law, a small business satisfies the data privacy requirements if it has adopted “reasonable administrative, technical, and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers.” The statute defines a “small business” as one with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets.
Associations subject to the statute must establish a compliant data privacy program by March 21, 2020.
The SHIELD Act also mandates prompt notice in the event of a data breach to affected individuals, government authorities (the New York state attorney general, the Department of State, and the Office of Information Technology Services), and consumer reporting agencies.
No notification to affected individuals is required if the private information was inadvertently exposed by people authorized to access it, and if the association “reasonably determines such exposure will not likely result in misuse of such information or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.” The association must keep a written record of that determination and must still notify the New York state authorities and consumer reporting agencies.
The data breach notification requirements went into effect on October 23, 2019.
The New York attorney general may bring an action for civil penalties or to enjoin unlawful practices under the SHIELD Act within three years of any violation. Penalties for failing to provide notice of a data breach can amount to the greater of $5,000 or up to $20 per instance, to a cap of $250,000 per breach. Penalties for failing to adopt reasonable safeguards can be imposed up to $5,000 per violation.
The SHIELD Act does not create a private cause of action. However, a plaintiff who is harmed by lax cybersecurity or a data breach could presumably support a negligence claim by showing that a covered association was not compliant with the statute’s requirements.
Even for associations that fall outside of SHIELD Act coverage, its data privacy measures are a guide to the best practices that associations should follow to protect their own valuable information and the private information of their employees and members. In addition, associations would be prudent to review what other statutory obligations may apply to them under the data privacy laws of other jurisdictions in which the association operates or has members, including state and federal laws and the laws of other countries.