Not long ago, the New York state legislature was considering a bold proposal that arguably would have changed the landscape of data privacy. Instead, the legislature is proceeding with a less transformative but nonetheless significant proposal.
In the 2018 elections, Democrats seized control of the New York State Senate for just the third time in 50 years. In May, members of the new majority introduced a bill (NYPA) that would impose strict rules for the collection, use, control, processing, and transfer of data by entities that conduct business in New York or produce products or services intentionally targeted at New York residents. This bill attracted a lot of attention and was regarded by some as bolder than the California Consumer Privacy Act (CCPA).
NYPA set out to be transformative in its treatment of data. It redefined “personal data” to include things like mother’s maiden name, records of personal property, biometric information, internet search history, and certain education records. NYPA proposed the creation of a fiduciary-like duty on those who collect, store, and process data, under which those entities would need to “exercise the duty of care, loyalty, and confidentiality expected of a fiduciary with respect to securing the personal data of a consumer against privacy risk; and shall act in the best interests of the consumer, without regard to the interests of the entity, controller, or data broker, in a manner expected by a reasonable consumer under the circumstances.”
The bill included the consumer rights made famous in the GDPR and CCPA, such as the right to know, the right to access, and the right to opt out. However, it tried to do what the CCPA could not: establish a private right of action for consumers to sue companies and seek injunctive relief and compensatory damages, in addition to reasonable attorney’s fees.
But this transformative bill did not and probably will not see the light of day. As it faltered, the New York State Senate and State Assembly began pushing an alternative bill that is destined to meet the governor’s pen sooner rather than later. The “Stop Hacks and Improve Electronic Data Security Act” (the “Shield” Act) creates affirmative data obligations, provides factors to determine whether information has been breached, increases civil penalties for failure to notify, and extends the statute of limitations on enforcement actions.
The Shield Act undoubtedly raises information security standards. It provides clarity on what reasonable security practices and policies should include, such as designating employees to coordinate the information security program and requiring vendors to comply with security procedures. While it may never live up to the hype of NYPA, it certainly cannot be ignored.