June 29, 2022
Every day, we share personal information online. Whether we’re paying bills, connecting with friends on social media, or simply browsing websites, we’re giving pieces of our personal information away.
And the sheer volume of shared information — coupled with rampant identity theft, data hacking, and other fraudulent activity — has prompted officials worldwide to adopt data privacy laws. At their core, these laws regulate how personal information is collected, shared, and stored.
Still, at a federal level, the U.S. lacks its own overarching data security law. Thus, individual states are taking matters into their own hands.
Over the last few years, several states have enacted a patchwork of privacy laws to protect consumers. And in 2019, lawmakers took a closer look at a long-standing New York privacy law, discovered several evolutionary gaps and inefficiencies, then worked to amend and update it. Today, the latest iteration is known as the SHIELD Act.
The SHIELD Act, or the Stop Hacks and Improve Electronic Data Security Act, amends the state’s existing data breach notification law. It imposes additional data security requirements on companies that collect information on New York residents.
The SHIELD law became fully enforceable in March 2020.
But why were amendments introduced in the first place? The updated New York privacy law came after the state’s attorney general reported a 60% increase in state data breaches in 2016. Just weeks before the SHIELD bill was introduced, one of the largest credit reporting agencies in the country, Equifax, identified a breach that affected more than 8 million New Yorkers.
Through the SHIELD Act, companies incurred additional data privacy requirements that, collectively, provide better overall breach protection for New York residents.
The SHIELD Act introduces significant changes to existing law:
The good news? Many companies already protect consumers' data (and have been, long before the SHIELD Act was ever a twinkle). And likely, they already meet SHIELD’s mandates.
For instance, an entity is already aligned with the SHIELD Act if it complies with the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act, or New York’s cybersecurity requirements for financial services.
Companies are considered compliant if they implement reasonable administrative, physical, and technical safeguards. The bill offers several ways to ensure compliance:
Assess the risks of information storage and disposal.
Create systems to prevent, detect, and respond to physical intrusions.
Dispose of private information within a reasonable amount of time.
Protect against the unauthorized access of private information at any point during collection, transportation, and disposal.
If you own a small business and those bullets feel daunting, don’t worry: The SHIELD Act makes exceptions for businesses with fewer than 50 people and/or less than $3 million in annual revenue. Still, you must implement a reasonable security program that's appropriate for the size and complexity of your business.
If companies fail to comply with these security requirements, they could face civil penalties of up to $5,000 per violation. There are no caps on penalties, so fines can rack up quickly. Additionally, a $250,000 fine exists for failing to notify authorities when a data breach occurs.
As state legislation, the SHIELD Act encourages data protection and general breach notification. Following in its footsteps, individual states will continue to write and expand their own data privacy laws. But because the New York privacy law applies to any business that collects or maintains private information on New York residents, its effects are far-reaching.
Obviously, New York is economically significant. Most major companies hold some kind of private information on New York residents, and those companies will be forced to abide by the new security requirements for that information.
But maintaining multiple security standards is complex, time-consuming, and inefficient. For the sake of expediency and cost, it’s easier for most companies to apply the SHIELD Act’s standards to all private information they collect and maintain, not just on New York residents.
Why is this so? Because we’ve seen it before with the European Union’s General Data Protection Regulation (GDPR). Rather than create and maintain multiple privacy standards, most companies that deal with EU customers simply declare GDPR as standard practice.
And we see similar action with the California Consumer Privacy Act (CCPA): Because entities that do business with California companies are obligated to abide by CCPA, it's easier for companies to meet those standards for all customers.
Will New York’s privacy law change how all companies behave? Probably not — at least not yet. Over time, as consumers learn to enjoy the protection provided by data security standards, pressure to do the same among other state and local governments will ramp up.
If you're a company that collects and maintains private information, it's not a matter of if, but when you’ll endure a cyber incident. It's important to think proactively about how your organization handles data to protect customers, users, followers, and the livelihood of your business. And the sooner you take steps to protect consumer privacy, the sooner you’ll comply with inevitable requirements.
Keeping your business up-to-date with the latest data privacy practices isn’t optional. Still, you don’t have to do it on your own. You can use tools like Osano to monitor changes in privacy laws, understand what vendors do with your data, and ask privacy professionals on-demand questions.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.