The law now applies to any person or company that owns or licenses personal information of a New York resident, not just entities conducting business in the state.
The law allows companies to conduct a risk-of-harm analysis in the event of an inadvertent disclosure, which must be documented in writing. A company may determine that notice is not required if the risk assessment concludes that the access or disclosure will not likely result in the misuse of data or in financial or emotional harm to the individual. If such an incident involves more than 500 New York residents, the written determination must be provided to the New York Attorney General within 10 days of the determination. If the entity fails to notify the individual, the law increases civil penalties to the greater of $5,000 or $20 per record, with a cap of $250,000.
Finally, the law includes data security requirements that companies must put in place, consistent with other state laws. Companies must implement and maintain administrative, technical and physical safeguards to protect and dispose of personal information. This is similar to the requirements of Massachusetts, Rhode Island and Oregon, which require businesses to have a Written Information Security Program, also known as a WISP, in place.
The security requirements go into effect on March 21, 2020, with the rest of the provisions taking effect on October 23, 2019. It is a good time to determine whether your business has a WISP in place and to implement one if not.
Date: August 5, 2019