NY SHIELD Act – Are Your Policies in Place?
January 27, 2020
Taking effect March 21, 2020, the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) imposes several potentially onerous compliance requirements on businesses operating in (and even some outside of) New York. These requirements fall into three categories: Technical, Administrative, and Physical Safeguards.
Within each category of “safeguard,” an organization that is not considered a “Small Business”1 is required to develop, implement, and maintain a data security program that includes policies for training employees, periodic technical monitoring of the company’s computer systems and networks (e.g., penetration testing, vulnerability scans, etc.), and data retention/destruction practices.
While many organizations falling outside of the Act’s definition of “Small Business” may already have a data security program in place that includes employee training and computer vulnerability analyses, it is entirely possible these organizations have not established a data retention policy. So, what is a reasonable data retention policy? The Act requires organizations to “dispose of private information within a reasonable amount of time after it is no longer needed for business purposes . . . .” Maintaining former employee records for five years after employment ceases is considered “best practice” in New York, but is not necessarily required by law. Is following what is considered a “best practice” reasonable under SHIELD? Probably, but a definitive answer is not available now, and will not be until this particular issue is contested. Another measure of what is reasonable may be tied to payroll audit requirements. For example, if a company is obligated to retain payroll information for potential auditing by the Department of Labor (for six years in New York), is it reasonable to build a document retention policy that provides for deletion of electronic payroll information every six years? We expect the answer is yes, but again, without clear guidance from the state attorney general’s office, there is no bright-line rule for what is acceptably reasonable under SHIELD. These questions invite another line of inquiry related to customer data. How long can a company retain customer information after a sale of items is complete? What if you expect return customers? Is it reasonable to retain such information for one year? Two years? Five years? What if customers are members of a loyalty program? Probably one year is okay, but beyond that it is safer to build a data retention policy around deleting customer electronic data within a year of its last use.
1 The SHIELD Act defines a “Small Business” as “any person or business with (i) fewer than fifty employees; (ii) less than three million dollars in gross annual revenue in each of the last three fiscal years; or (iii) less than five million dollars in year-end total assets, calculated in accordance with generally accepted accounting principles.” Compliance for Small Businesses is met by developing a data security program with safeguards that are “reasonable” and appropriate for the size and complexity of the Small Business, the nature and scope of the business’s activity, and the sensitivity of the data collected.