
10/8/2019

The New York State SHIELD Act- it's Big, it's Bold, it's...

in my personal opinion, potentially unconstitutional. 


Not one to be left behind, New York recently followed the EU’s lead in enacting its SHIELD Act, described here. To be clear, I strongly believe in protecting personal privacy, and at Digital Edge data confidentiality and integrity take precedence over all other concerns. However, I strongly disagree with the piecemeal, uncoordinated approach that the US government has thus far allowed to take place, and I believe its inaction may be pushing the States into territory the Commerce Clause (U.S. Const. art. I, § 8, cl. 3) reserves to Congress.

What is the “Commerce Clause?”

The Commerce Clause is one of the most important clauses in the United States Constitution. It states that “[t]he Congress shall have power… [t]o regulate Commerce with foreign Nations, and among the several States, and with the Indian Tribes.” While that may sound somewhat broad but straightforward, I can assure you that it is far broader than you think, and not straightforward at all.

I will spare you the nearly countless pages that can be (and have been) written on this topic, and just say that for our purposes here the question is whether “the burden imposed on [interstate commerce] is clearly excessive in relation to the putative local benefits.” Pike v. Bruce Church, Inc., 397 U.S. 137 (1970).

What does the SHIELD Act state?

It states:

(A) ANY PERSON OR BUSINESS THAT OWNS OR LICENSES COMPUTERIZED DATA WHICH INCLUDES PRIVATE INFORMATION OF A RESIDENT OF NEW YORK SHALL DEVELOP, IMPLEMENT AND MAINTAIN REASONABLE SAFEGUARDS TO PROTECT THE SECURITY, CONFIDENTIALITY AND INTEGRITY OF THE PRIVATE INFORMATION INCLUDING, BUT NOT LIMITED TO, DISPOSAL OF DATA.

It then goes on to list the administrative, technical and physical safeguards a business can implement to be deemed “in compliance”:

  (1) [THE BUSINESS] DESIGNATES ONE OR MORE EMPLOYEES TO COORDINATE WITH THE SECURITY PROGRAM;

  (2) IDENTIFIES REASONABLY FORESEEABLE INTERNAL AND EXTERNAL RISKS;

  (3) ASSESSES THE SUFFICIENCY OF SAFEGUARDS IN PLACE TO CONTROL THE IDENTIFIED RISKS;

  (4) TRAINS AND MANAGES EMPLOYEES IN THE SECURITY PROGRAM PRACTICES AND PROCEDURES;

  (5) SELECTS SERVICE PROVIDERS CAPABLE OF MAINTAINING APPROPRIATE SAFEGUARDS, AND REQUIRES THOSE SAFEGUARDS BY CONTRACT; AND

  (6) ADJUSTS THE SECURITY PROGRAM IN LIGHT OF BUSINESS CHANGES OR NEW CIRCUMSTANCES; AND

  (B)  REASONABLE TECHNICAL SAFEGUARDS SUCH AS THE FOLLOWING, IN WHICH THE PERSON OR BUSINESS:

  1. ASSESSES RISKS IN NETWORK AND SOFTWARE DESIGN;
  2. ASSESSES RISKS IN INFORMATION PROCESSING, TRANSMISSION AND STORAGE;
  3. DETECTS, PREVENTS AND RESPONDS TO ATTACKS OR SYSTEM FAILURES; AND
  4. REGULARLY TESTS AND MONITORS THE EFFECTIVENESS OF KEY CONTROLS, SYSTEMS AND PROCEDURES; AND

  (C) REASONABLE PHYSICAL SAFEGUARDS SUCH AS THE FOLLOWING, IN WHICH THE PERSON OR BUSINESS:

  1. ASSESSES RISKS OF INFORMATION STORAGE AND DISPOSAL;
  2. DETECTS, PREVENTS AND RESPONDS TO INTRUSIONS;
  3. PROTECTS AGAINST UNAUTHORIZED ACCESS TO OR USE OF PRIVATE INFORMATION DURING OR AFTER THE COLLECTION, TRANSPORTATION AND DESTRUCTION OR DISPOSAL OF THE INFORMATION; AND
  4. DISPOSES OF PRIVATE INFORMATION WITHIN A REASONABLE AMOUNT OF TIME AFTER IT IS NO LONGER NEEDED FOR BUSINESS PURPOSES BY ERASING ELECTRONIC MEDIA SO THAT THE INFORMATION CANNOT BE READ OR RECONSTRUCTED.


What do I think?

I think the Southern District of New York was exceedingly apt in American Library Association v. Pataki, 969 F. Supp. 160 (S.D.N.Y. 1997), when it held that “Haphazard and uncoordinated state regulation can only frustrate the growth of cyberspace. The need for uniformity in this unique sphere of commerce requires that New York’s law be stricken as a violation of the Commerce Clause.” The breadth of protected items within this new legislation is obviously extremely burdensome to NY businesses, because it adds to the aggregated list of disparate and possibly conflicting regulations these businesses must satisfy. Furthermore, while some stated local benefits or goals, such as protection of Social Security numbers, are very important, protecting a state-issued driver’s license number cannot possibly justify adding to this mountain of new state regulations. At the very least, I think a court could find this statute too broad, and it could be struck down either wholly or in part. The bottom line is that the United States federal government needs to implement a comprehensive, common-sense privacy law and end this madness once and for all.

Keith J. Barry, Esq.
VP of Compliance

Keith J. Barry joined Digital Edge in 2013. Keith possesses a BA in Computer Science, a Juris Doctor degree from Brooklyn Law School, as well as several industry certifications including AWS Cloud Architect, CompTIA Network+, and CompTIA Server+. His career has mirrored his diverse interests, and Keith has experience on the technical side as a senior systems administrator, and on the legal/business side as an attorney and cybersecurity compliance officer.
