New York’s Law Should Not Be Overly Broad Or Burdensome To Businesses
By Judith Bachman
In response to the rash of recent cybersecurity breaches, states, including New York, are set to make sweeping updates to their cyber privacy laws, which could impact local business owners. These laws impose cybersecurity obligations on most businesses and impose fines and liability for non-compliance.
The New York SHIELD Act, effective on March 21, 2020, already requires businesses of any size to take internal security measures to safeguard New Yorkers’ digital “private information.” The law was designed to ensure that businesses built robust internal cyber infrastructure, including designating a security program coordinator, implementing a security program, and training employees. The penalty for non-compliance could range up to a fine of $250,000.
In contrast, by law effective January 1, 2020, California focused its cybersecurity efforts on consumers’ cyber rights rather than business infrastructure. Under California’s law, known as the CCPA, customers were entitled to know from businesses what personal data is collected about them and to control its use. The CCPA applied to any business, regardless of size or location, so long as that business processed data from any California resident.
When this statute went into effect at the beginning of last year, many businesses hastened to ensure that they complied with the CCPA. Businesses of all sizes were required to spend thousands of dollars to comply with the law. These measures may have brought businesses in line with the CCPA, but for many smaller businesses the requirements were costly and burdensome.
Now, Governor Cuomo has announced a proposal that, like the CCPA, will be consumer-facing and require businesses to provide customers with control over their personal data. Per the Governor’s proposal, the law “will mandate that companies that collect information on large numbers of New Yorkers disclose the purposes of any data collection and collect only data needed for those purposes. The legislation will establish a Consumer Data Privacy Bill of Rights guaranteeing every New Yorker the right to access, control, and erase the data collected from them.”
The proposal creates strong enforcement mechanisms to hold covered entities accountable for the illegal use of consumer data.
Just as New York embraces consumer-facing cybersecurity laws, California is recognizing that such laws must be balanced to avoid imposing unworkable hardships on smaller businesses. In 2020, California voters approved a new privacy bill that has a narrower scope, targeting big businesses (with 100K+ users), than the CCPA, which applied to smaller businesses (with 50K+ users). The new law applies to businesses earning over $25 million in annual revenue. When the new law takes effect in 2023, it will replace the CCPA.
Given California small businesses’ experiences, it might be best for Governor Cuomo to carefully craft the coming New York consumer cyber privacy law. If New York’s law is overly broad and applies to businesses of all sizes alike, it could be a death knell to smaller businesses already struggling in the current economic climate.
Judith Bachman is the founder and principal of The Bachman Law Firm PLLC in New City. firstname.lastname@example.org 845-639-3210, thebachmanlawfirm.com