Effective July 9, 2021, certain retail and hospitality businesses that collect and use “biometric identifier information” from customers will need to post conspicuous notices near all customer entrances to their facilities. These businesses will also be barred from selling, leasing, trading, sharing or otherwise profiting from the biometric identifier information they collect from customers. Customers
5 Key Data Privacy and Security Risks That Arise When Organizations Record Job Interviews & Strategies for Mitigating Them
COVID-19 drove many formerly in-person interactions onto a variety of video conferencing platforms. But as millions of vaccinations are administered each day, and case numbers decline, it’s now possible to imagine and plan for the time when conducting business over video will no longer be mandatory.
For many organizations, though, COVID-19 has led to an
CPRA Series: Impacts On Notice At Collection And Privacy Policy
Already at the cutting edge of U.S. privacy law, California jumped even further ahead of the pack with the recent approval by State voters of the California Privacy Rights Act (“CPRA”). The CPRA, which builds upon the already extensive framework of privacy rights and obligations established in the California Consumer Privacy Act (“CCPA”), is likely
NYDFS Files First Enforcement Action Under Reg 500
On July 21, 2020, the New York Department of Financial Services (“DFS”) filed its first enforcement action under New York’s Cybersecurity Requirements for Financial Services Companies, 23 N.Y.C.R.R. Part 500 (“Reg 500”). Reg 500, which took effect in March 2017, imposes wide-ranging and rigorous requirements on subject organizations and their service providers, which are summarized
New York SHIELD Act FAQs
Over the past few months, businesses across the country have been focused on the California Consumer Privacy Act (CCPA) which dramatically expands privacy rights for California residents and provides a strong incentive for businesses to implement reasonable safeguards to protect personal information. That focus is turning back east as the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), becomes effective in less than two weeks. With the goal of strengthening protection for New York residents against data breaches affecting their private information, the SHIELD Act imposes more expansive data security and updates its existing data breach notification requirements.
This post highlights some features of the SHIELD Act. Given the complexities involved, organizations would be well-served to address their particular situations with experienced counsel.
When does the SHIELD Act become effective?
The SHIELD Act has two effective dates:
- October 23, 2019 – Changes to the existing breach notification rules
- March 21, 2020 – Data security requirements
Which businesses are covered by the SHIELD Act?
The SHIELD Act’s obligations apply to “[a]ny person or business which owns or licenses computerized data which includes private information” of a resident of New York. Previously, the obligation to provide notification of a data breach under New York’s breach notification law applied only to persons or businesses that conducted business in New York.
Are there any exceptions for small businesses?
As before the SHIELD Act, there are no exceptions for small businesses in the breach notification rule. A small business that experiences a data breach affecting the private information of New York residents must notify the affected persons. The same is true for persons or businesses that maintain (but do not own) computerized data that includes private information of New York residents. Persons or businesses that experience a breach affecting that information must notify the information’s owner or licensee.
However, the SHIELD Act’s data security obligations include some relief for small businesses, defined as any person or business with:
Continue Reading New York SHIELD Act FAQs
CCPA: Expansive Array of Consumer Rights Imposes Rigorous Compliance Burden
For years now, state laws have required subject organizations to provide notification to affected data subjects and, in some instances, to state agencies, consumer reporting agencies, and the media, when they experience a “breach” of certain categories of information. And a growing number of states – including California, Colorado, Connecticut, Maryland, Massachusetts, Texas, and, most
New York Enacts the SHIELD Act
On Thursday, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), sponsored by Senator Kevin Thomas and Assemblymember Michael DenDekker. The SHIELD Act, which amends the State’s current data breach notification law, imposes more expansive data security and data breach notification requirements on companies, in
“Help Me, Help You”: Defense Department Advises Contractors That Cybersecurity Is An Allowable Cost
During a presentation at the Professional Services Council Federal Acquisition Conference on June 13, 2019, a high-ranking Department of Defense (“DoD”) official announced, with dramatic flair, that cybersecurity is an allowable cost:
“I need you all now to get out your pens and you better write this down and tell your teams: Hear it from
Secret Video Surveillance Found in Hospital Labor and Delivery Rooms
The New York Times newly established Privacy Project, recently highlighted the extent to which our society has created a “facial recognition machine” – cameras are everywhere, even in doorbells. Segments of society have accepted widespread surveillance on public streets, shopping malls, and in common areas of office buildings, apartment complexes, schools and similar
4 Resources That Make GDPR Compliance Less Painful
The deadline to comply with the GDPR’s complex and far ranging requirements is rapidly approaching. As your organization races to implement its compliance program before the May 25, 2018 effective date, questions and concerns are likely to arise. While there is no shortage of online guidance on the GDPR, finding answers to your specific questions