Keep up with laws developing to protect our consumer data

Jeremy Wolk, BridgeTower Media Newswires

There is no doubt that the current state of privacy laws in the United States is in flux. Following the European Union’s rollout of the General Data Protection Regulation, or GDPR, in May 2018, it became clear it was only a matter of time until the United States adopted similar laws of such breadth and force. Throughout the past year and a half, many states have reviewed proposed laws aimed at providing individuals the same level of protection and control over their personal data as the GDPR. The first of its kind in the United States, the California Consumer Privacy Act, or CCPA, was passed in June 2018 with an effective date of Jan. 1, 2020. The CCPA, like the GDPR, enhances consumer privacy rights and protections.

As companies across the country began reviewing existing policies and developing new internal and external policies to address their obligations under the CCPA, the threat of similar laws in other states became increasingly real, leading to the passage of New York's Stop Hacks and Improve Electronic Data Security Act. The SHIELD Act amends New York's existing data breach notification law and imposes substantive data security requirements on any business that owns or licenses computerized data that includes the private information of New York residents. Like both the CCPA and the GDPR, the SHIELD Act applies to any business that collects the private information of in-state residents, without regard to whether the company otherwise conducts business in the state. Notably, the SHIELD Act has no dollar or size threshold for applicability, so it reaches almost every business, large or small, that collects the private information of New York residents. Small businesses are not exempt; the act only allows their safeguards to be scaled to the size and complexity of the business, the nature of its activities, and the sensitivity of the information it holds.

Because the SHIELD Act sets out prescriptive data security requirements, compliance will require a deeper review of a company's current data security and privacy practices. As the March 2020 deadline for the data security provisions approaches, here are some steps companies of all sizes should be taking to prepare.

—————

Data map

The most important first step is for a company to map out the data it collects. What data is being collected, and from whom? Once the data is collected, where is it stored? Is the data transferred to a third party, such as a vendor? Knowing what data the company collects, stores, and transfers, and understanding why that collection, storage, and transfer is happening, is essential to compliance with the SHIELD Act. Additionally, companies should know which individuals have access to the data and consider whether that access is actually needed for the performance of their jobs.

In reviewing a data map, companies should consider how long data is being kept and for what purposes. Implementing a data retention and disposal policy is not only good practice but also reduces the risk of liability under the SHIELD Act: data that has been routinely disposed of no longer needs to be protected and cannot be exposed in a breach.

—————

Review policies, practices

The SHIELD Act requires any business or person that owns or licenses computerized data that includes private information of New York residents “to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information,” expressly including the disposal of data. Further, the SHIELD Act specifically provides that a person or business shall be deemed to be in compliance with this standard if it implements a data security program that includes the enumerated reasonable administrative, technical, and physical safeguards.

Therefore, as the deadline for compliance grows closer, companies should conduct reviews of the policies and programs that govern the collection, storage, transfer, and disposal of data. According to the SHIELD Act, a company should have policies in place that:

• Designate one or more employees to coordinate the security program;

• Identify reasonably foreseeable internal and external risks;

• Routinely assess the sufficiency of safeguards in place to control identified risks;

• Train employees in the security program and practices;

• Develop a process for selecting service providers that are capable of maintaining appropriate safeguards, and require those safeguards by contract; and

• Adjust the security program in light of business changes or new circumstances.

Yet having these policies in place is not enough on its own. Companies should consider where the policies are stored and how they are disseminated to employees, and should regularly review them to ensure that they still meet the needs of the business.

Companies should also review their data privacy and security practices and ensure that reasonable technical and physical safeguards are in place. Such safeguards should include:

• Risk assessments of network and software design and of information processing, transmission, and storage;

• Regular testing and monitoring of the effectiveness of key controls, systems, and procedures;

• Ability to detect, prevent, and respond to attacks or system failures;

• Protection against unauthorized access to or use of private information; and

• Disposal of private information within a reasonable amount of time after it is no longer needed for business purposes, by erasing electronic media so that the information cannot be read or reconstructed.

—————

Review vendor contracts

As the March deadline looms, companies should also review any written agreement with a third party that processes, stores, or otherwise maintains the company’s private information. While contractually obligating a third-party service provider to maintain certain safeguards to protect personal data has long been a best practice, it is now required to be in all written agreements. Companies should take the time to review these agreements for the sufficiency of any data privacy or security provisions.

All too often, we find that contracts are executed in the boilerplate form presented by the vendor. These agreements are almost uniformly drafted to minimize the obligations of the vendor and limit its liability for data privacy violations. The tendency to enter into these agreements without scrutiny is often due to two common misconceptions. The first is the belief that outsourcing data and security obligations also transfers the liability for privacy obligations and data breaches. To the contrary, some privacy statutes place liability on the original data collector even where the actions of a vendor resulted in the unauthorized access. In fact, some courts have gone so far as to find original data collectors liable for failing to proactively monitor the data practices of vendors, even where the vendor was contractually obligated to maintain appropriate data safeguards. The second misconception arises from a belief that the small dollar amount of a vendor contract does not warrant the cost of negotiating it, or that the vendor's liability should be proportionate to the revenue it earns from the contract. This perspective fails to appreciate the risk of multimillion-dollar liabilities resulting from a data breach and the growing litigation landscape of a plaintiffs' bar incentivized to bring claims on behalf of individuals affected by a breach.

Prudent companies should review their historical vendor agreements for, and seek to negotiate future agreements with, terms that:

• Establish a standard of care through a minimum level of data security safeguards that is preferably tied to benchmarks such as specific certifications, industry standards or laws;

• Obligate the parties to a general compliance with current and future laws, preferably with specificity (e.g., referencing the SHIELD Act);

• Require the delivery of post-breach notices, a specified timetable for such delivery, and an assignment of post-breach responsibilities; and

• Allocate liability between the parties.

While a full discussion of the liability provisions relating to data security is beyond the scope of this article, a few key provisions merit attention. In particular, companies should review the interplay between the provisions setting forth a vendor's indemnification obligations and the limitation of liability. We often see boilerplate agreements that appear to require a vendor to indemnify a company for data breaches, only to have that indemnification obligation capped at a paltry amount, such as the fees paid, by the limitation of liability provision. Most agreements also include a waiver of indirect damages that, absent an express obligation of the vendor to pay data breach mitigation expenses (e.g., notices, governmental penalties, credit monitoring), could absolve the vendor of liability for these expenses even when it is responsible for the breach. Finally, vendor liability is often limited to breaches resulting from "gross negligence" or other intentional actions. Many data breaches, however, result from external attacks in which both the vendor and the company were meeting their respective data security obligations, so it is important to consider whether liability for such "unintentional" access will be shared by the parties or assumed solely by your company.

It is clear that the SHIELD Act will significantly impact businesses that hold the private information of New York residents. However, the measures that the SHIELD Act requires companies to take to protect both the privacy and security of private information are in line with the continued trend to encourage robust data privacy laws. Now is the time for companies to get ahead of the new laws and to prepare for an increased emphasis on data privacy and security by updating internal compliance policies and reviewing vendor agreements to ensure they contain appropriate data security obligations and liabilities.

—————

Jeremy Wolk is a partner in Nixon Peabody LLP’s Business & Finance department. He developed this article with Jenny Holmes, an attorney in our Labor & Employment group. Both are members of the firm’s Privacy and Data Protection team.