New data privacy law in Empire State gives biometric players options and risks
Given the unusually high tide of political, economic and health-care developments this year, executives could be forgiven for missing a state data privacy law that went into effect March 21 with national implications.
Please consider this a public service announcement for all those waylaid by other pressing concerns: New York state’s Stop Hacks and Improve Electronic Data Security (also known as the SHIELD Act) is live with far-reaching effects for handlers, maintainers and owners of biometric data.
The SHIELD Act, which dictates when any business must notify New York residents that their data was mishandled, builds on previous New York legislation as well as other state efforts to hold organizations accountable for the security, integrity and confidentiality of consumer data.
“We can expect vigorous enforcement,” wrote Brian Cesaratto in the legal news and analysis publication The National Law Review.
Here are some points to remember.
First, the new law broadens who can be held responsible. A prior New York law cited only firms that do business within the state. Now anyone or any company owning or licensing the private data of a New York resident must comply.
And, despite its name, this law is not aimed solely at preventing the hacking and acquisition of digital data. It now also defines unauthorized access to data as a breach.
In fact, New York’s attorney general can open investigations based on whistleblower complaints and the suspicions of customers, according to retail-payments trade publication PYMTS.com.
Also broadened is the definition of private information. For the first time, it includes security questions and answers, biometric information and much more.
An article in The National Law Review said that, according to the law, private information includes any individually identifiable information, including names combined with Social Security numbers, driver’s or non-driver identification card numbers, account numbers, credit or debit card numbers, security codes, access codes, passwords, or other information that could give someone access to another person’s financial account.
Fines for “knowingly and recklessly” violating the law are $5,000, or up to $20 per instance, whichever is greater, up to $250,000. Judges can impose fines of up to $5,000 per violation of the “reasonable safeguard requirement.”
While widely considered a strict measure, the new law nonetheless gives businesses some significant leeway.
Businesses and individuals can decide not to notify those affected by a data mishap, according to an article appearing on the site of law firm Jackson Lewis P.C. That includes cases where the exposure was an “inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines that exposure likely will not result in misuse of that information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.”
Also, companies — large and small — must take “reasonable” administrative, technical and physical steps to safeguard data. For example, executives have to put in place a data-security plan setting out specific tasks, but it is up to them to define those tasks.
At the same time, the act does not give those harmed by mishandled data the right to file suit.
The law provides suggested tasks, and most are common sense, including: destroy data in a timely fashion, assess internal and external data risks, and train employees.
That freedom also leaves businesses with some exposure. Their idea of what counts as harm and as reasonable steps might be judged insufficient after a major problem with data.