The privacy and data security law being implemented in New York may be overshadowed by regulations in California and the European Union, but should be recognized as one of the most significant cybersecurity statutes to date, said Pillsbury special counsel Cassie Lentchner, a former chief compliance officer for the New York State Department of Financial Services.

“The [General Data Protection Regulation] and [California Consumer Privacy Act] are important laws and they give important privacy rights to consumers, but they don't specifically require companies to create a cybersecurity program,” as the New York law does, Lentchner said.

The reach of the SHIELD Act is extensive: it applies to any company holding data on a New York resident, rather than only to companies that do business in the state, which was the standard under the earlier law. The measure was signed on July 25 and will be implemented in two parts.

In October, new data breach-notice requirements, including an expanded definition of protected personal information, go into effect; the expanded definition will cover biometric data and account identifiers such as email addresses and passwords. New York requires affected firms to notify consumers of a data breach within 72 hours of discovering that a qualifying event has occurred.

By March, the law requires every covered company to adopt “reasonable” security controls for data, with specific requirements for: risk assessments; developing safeguards using the National Institute of Standards and Technology's framework of cybersecurity standards; monitoring progress; performing regular updates; and setting internal training requirements.

Lentchner said the two most difficult pieces coming in March are likely to be the requirement for use “of cyber-responsible vendors and confirming they are cyber-compliant,” and the requirement to “safely dispose of data within a reasonable amount of time.”

Requiring companies to adopt a “governance framework” can be particularly effective, she said, by mandating risk assessments, board notification of cyber problems, adequate staff training and even certification. “The message is 'pay attention and fund these efforts,'” she said.
