Welcome to another episode of A Little Privacy, Please!® We’re delighted to welcome our guest today, Chris Mason, a complex commercial disputes partner resident in Nixon Peabody’s New York City office. Chris is head of the firm’s Class Actions team, an active member of our Cybersecurity & Data Privacy team, and a go-to colleague on the latest trends and technologies. He represents consumer products, technology, financial services, private equity, and industrial companies in litigation and complex disputes.
Chris is currently tracking enforcement actions taking place under the SHIELD Act. He’ll share more about what your business should know about this important regulation.
Chris, tell us about the New York SHIELD Act.
The New York SHIELD Act is the Stop Hacks and Improve Electronic Data Privacy Act. It’s been in effect for a number of years in New York, and it’s our basic breach statute. It involves a situation where there’s a breach of personal information by a company. The Act requires that people be given notice of it in most instances, and there are penalties for companies that don’t give notice and there are penalties for companies that don’t have adequate protections to prevent breaches of personal and private information. The Act is different from that in some other states because it is uniquely for our attorney general. It does not have a private right of action, so it’s not, for example, like California’s CCPA (California Consumer Privacy Act), and you’ll think that’s a good thing, and it is on average. I just have to warn you that that doesn’t mean there are no private lawsuits in New York that are sometimes based on that Act.
Who should be aware of this regulation, and what happens if someone doesn’t comply with it?
Every business in New York, and nonprofit entities as well, needs to be aware of the regulation. If you have a breach and you don’t respond to it appropriately, the good thing is there’s a mechanism on the attorney general’s website for reporting. However, if you don’t do that correctly, you’re going to be subject to sanctions that can range from a few dollars up to $250,000. And in addition, if you don’t have adequate security for personal and private information, then you’re going to get a fine that could be up to $500,000 per instance of violation.
Is there maybe one thing that you can recommend that a New York business should do in order to try to comply with it?
What you really have to do is examine your cybersecurity at the physical, online, and data security levels. Do each of those things and make sure you’re taking reasonable steps to protect the private information of the people with whom you deal.