New data retention limitations and disposal requirements on some types of businesses in New York will go into effect on March 21, 2020, under the Stop Hacks and Improve Electronic Data Security (SHIELD Act) that was signed into law last year. Businesses that store or process private information of New York state residents should ensure that they are prepared to comply with this portion of the SHIELD Act before that date.
New York Governor Andrew Cuomo signed the SHIELD Act into law in July 2019. The act immediately expanded New York’s breach notification and remedy requirements and increased possible penalties for noncompliance. (This prior LawFlash provides an overview of the data breach requirements in the SHIELD Act: First of New York SHIELD Act’s Data Breach Notification Requirements Take Effect Soon.)
The SHIELD Act requires that any company that “owns or licenses computerized data which includes private information of a resident of New York” must develop, implement, and maintain “reasonable safeguards” to protect the security of that information, including the “disposal of data.”
A mid-size or large business will be considered compliant with the above if the company:
The physical safeguards required by the SHIELD Act include document management requirements similar to those found in Europe’s General Data Protection Regulation (GDPR). Those safeguards include:
There is no definition under the SHIELD Act regarding what will be considered a “reasonable amount of time” to hold data after it is no longer needed. However, one can assume that, at a minimum, businesses that are subject to this section of the SHIELD Act should have updated document retention schedules and policies in place, and should be able to demonstrate that they are actively followed.
Any business that processes or retains privacy data of New York residents should ensure that it has a current and effective document retention policy and schedule. This will be especially important for any company that holds human resources (HR) or customer records, as that business will almost certainly store private data that falls under the SHIELD Act.
The company should make certain that the document retention policy includes parameters to protect private data during the entire time it is within the control of the company, including during all phases of collection, storage, and disposal. The company should also confirm that record retention schedules are up-to-date, and that privacy data is only stored for as long as needed (and then effectively destroyed so that it can no longer be read or reconstructed). The act provides the attorney general of New York with the power to enforce the regulations therein. In order to avoid such scrutiny, affected companies are encouraged to look at their current record retention practices, upgrade them where needed, and ensure that their requirements are being observed.
 “Private Information” under the SHIELD Act includes the following types of information (in combination with a personal identifier):
 The SHIELD Act defines a “small business” as a person or businesses with fewer than 50 employees, less than $3 million in gross annual revenue or less than $5 million in year-end total assets. Companies that fit within the definition of “small business” will be considered compliant if their security program contains “reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” SHIELD Act § 899-BB (2) (C)
 Reasonable administrative safeguards under this section of the SHIELD Act include: designating employees to coordinate security program, identifying foreseeable risks, training employees in security program practices, selecting appropriate service providers, and adjusting the security program as businesses change. New York State Senate Bill S557B, § 899-BB (2) (B) (II) (A)
 Reasonable technical safeguards under the is section of the SHIELD Act include: assessing risk in network and software design and information processing and storage, detecting and preventing attacks and system failures, and regularly testing and monitoring systems and procedures. New York State Senate Bill S557B, § 899-BB (2) (B) (II) (A)