What Associations Need to Know About the New York Data Privacy Law
Even associations with no employees in New York can be subject to the statute
This article was provided by ASAE and one of its counsel, Julia E. Judish, special counsel at Pillsbury Winthrop Shaw Pittman LLP, in Washington, D.C.
New York’s SHIELD Act imposes new requirements for protection of state residents’ personal data and for notification of data breaches—and it reaches beyond state borders. If your association has employees, job applicants, or members in New York, the organization likely has new compliance obligations.
Associations across the nation face heightened data privacy and data breach notification requirements due to a far-reaching new law enacted in 2019 in New York state. The Stop Hacks and Improve Electronic Data Security Act, known as the SHIELD Act, applies to any person or organization that owns, receives, collects, or otherwise possesses computerized private information about New York state residents.
Unlike the more highly publicized California Consumer Protection Act, the New York SHIELD Act contains no exceptions for nonprofit organizations. The SHIELD Act also applies regardless of the size, revenues, or location of an association that holds covered information.
Any association that maintains computerized employment records and has one or more employees who reside in New York will be subject to the SHIELD Act, because employers collect covered “private information” in complying with their tax obligations. The statute defines covered private information as
- a username or email address in combination with a password or security question and answer that would enable access to an online financial account, or
- “personal information” (information about a person that, “because of a name, number, personal mark, or other identifier, can be used to identify such natural person”) plus an unencrypted “data element.”
The data elements that, in combination with “personal information,” trigger coverage include any of the following:
- the person’s Social Security number,
- the person’s driver’s license number/nondriver identification card number,
- biometric information, including fingerprints, voice prints, or iris images, or
- bank account or credit or debit card numbers, regardless of the inclusion of the password or security code, if the numbers could be used to access the person’s financial accounts.
Even associations with no employees in New York can be subject to the statute, based on the information they collect from job applicants or hold about members. With most hiring done through online career websites or job boards, even associations located far from New York may gather “private information” from an applicant with a New York residence. Associations with individual members may also collect private information from New York residents, unless the association is located outside of New York and has a very localized membership.
Data Privacy Requirements
Associations covered by the SHIELD Act must “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information, including, but not limited to, disposal of data.” The safeguards must, at a minimum, include
- designation and training of employees to coordinate cybersecurity compliance,
- ensuring that any third-party service providers are capable of maintaining appropriate cybersecurity practices, with safeguards required by contract,
- risk assessment of the association’s cybersecurity program, including both network and software design and information processing, transmission, and storage,
- processes and physical safeguards to detect, prevent, and respond to attacks or system failures,
- monitoring and testing of the effectiveness of the cybersecurity program,
- processes to safely, securely, and permanently dispose of data within a reasonable amount of time after it is no longer needed for business purposes, and
- periodic updates to the program to address changes in the business or circumstances that would require the program to be changed.
While small associations are not exempt from these requirements, the statute is less prescriptive about how small businesses must comply. Under the law, a small business satisfies the data privacy requirements if it has adopted “reasonable administrative, technical, and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers.” The statute defines a “small business” as one with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets.
Associations subject to the statute must establish a compliant data privacy program by March 21, 2020.
Data Breach Notification Requirements
The SHIELD Act also mandates prompt notice in the event of a data breach to affected individuals, government authorities (the New York state attorney general, the Department of State, and the Office of Information Technology Services), and consumer reporting agencies.
No notification to affected individuals is required if the private information was inadvertently exposed by people authorized to access it, and if the association “reasonably determines such exposure will not likely result in misuse of such information or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.” The association must keep a written record of that determination and must still notify the New York state authorities and consumer reporting agencies.
The data breach notification requirements went into effect on October 23, 2019.
The New York attorney general may bring an action for civil penalties or to enjoin unlawful practices under the SHIELD Act within three years of any violation. Penalties for failing to provide notice of a data breach can amount to the greater of $5,000 or $20 per instance of failed notification, capped at $250,000 per breach. Penalties for failing to adopt reasonable safeguards can be imposed at up to $5,000 per violation.
The SHIELD Act does not create a private cause of action. However, a plaintiff who is harmed by lax cybersecurity or a data breach could presumably support a negligence claim by showing that a covered association was not compliant with the statute’s requirements.
Even for associations that fall outside of SHIELD Act coverage, its data privacy measures are a guide to the best practices that associations should follow to protect their own valuable information and the private information of their employees and members. In addition, associations would be prudent to review what other statutory obligations may apply to them under the data privacy laws of other jurisdictions in which the association operates or has members, including state and federal laws and the laws of other countries.