To protect both businesses and consumers, a growing number of states are enacting cybersecurity legislation to require entities to implement security measures to safeguard against a data breach. Designed to help prevent unauthorized access to or theft of sensitive consumer information, many of these measures have complex compliance requirements.

    To add to the challenge, the current cybersecurity regulatory backdrop consists of a patchwork of different regulations across all 50 states; making compliance inconsistent and tricky for companies operating in multiple states. And, considering privacy scandals such as the Cambridge Analytica affair, states are enacting sweeping privacy requirements, sometimes with a global effect. A recent article in Forbes, “Data Privacy Will Be The Most Important Issue In The Next Decade,” highlights the significance of this trend. California has led the way, with the California Consumer Privacy Act (CCPA). Other states and perhaps the federal government are sure to follow.

    The resources on this page can help educate you on potential applicability and the impact to your business. If you need additional guidance, our Privacy and Data Security team can assist with:

    • Performing risk assessments to review privacy policies/practices, assess data, pinpoint weaknesses and compliance gaps, and more.
    • Developing a comprehensive privacy management program that addresses changes in the privacy regulatory space including the CCPA, NY SHIELD Act, GDPR, and more, to make you “future ready.”
    • Providing access to technical experts that have the right experience you need and best-in-class knowledge.
    • Allowing for full and frank assessment of your privacy and data security maturity under the attorney-client privilege.

    California Consumer Privacy Act (CCPA)
    This complicated piece of legislation, effective January 2020, changes the privacy landscape in California and beyond.  This legislation, the first of its kind in the United States, is similar in purpose to the European Union’s General Data Protection Regulation (GDPR) but differs in many respects.

    Key elements:

    • Applies to for-profit entities, and any entities they control or are controlled by them, that “do business” in California, with certain thresholds.
    • Creates extensive new rights and obligations in relation to personal information, including a consumer’s right to know specific pieces of personal information held by a business, and a limited right to deletion.
    • Covers any information that can be linked, directly or indirectly, to a consumer or household like IP addresses, online identifiers, products or services purchased by a household, geolocation data from a cell phone, or even inferences drawn from such information. 

    Stop Hacks and Improve Electronic Data Security Act (NY SHIELD Act)
    The NY SHIELD Act amends New York’s data breach notification statute (General Business Law § 899-aa) and adds new substantive data security requirements for any person or business that owns or licenses computerized data including the defined “private information” of a New York resident.

    Key elements -

    • Regulations cover any person or business, anywhere in the world, that owns or licenses “private information” about a resident of New York.
    • Expands existing definition of protected “private information,” adding an individual’s username and password for an online account, and various types of biometric information, including fingerprints and voiceprints.
    • Clarifies that compromise of an account number, or credit or debit card number, even without a compromise of an associated access code or password, is reportable, “if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password.”
    • Includes a notification exception for situations involving “inadvertent disclosure by persons authorized to access private information” if “such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.”




    This website presents only general information not intended as legal advice. Although we encourage calls, letters and emails from prospective clients, please keep in mind that merely contacting Harter Secrest & Emery LLP (HSE) does not establish an attorney-client relationship between us. Confidential information should not be sent to HSE until you have been notified in writing by HSE that a formal attorney-client relationship has been established. Information sent to us before then may not be treated as confidential by HSE or the court.

    I have read this and agree     Cancel

    Our website uses cookies. By continuing to use our site, you agree to our use of cookies in accordance with our Privacy Policy.