Following the passage of the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in California, a wave of similar state-level laws has been proposed across the United States. These legislative proposals aim to change the way customer data is treated, introducing new protections for consumers and new requirements for businesses’ data collection and storage practices.
In May of 2019, Senator and Consumer Protection Committee Chair Kevin Thomas introduced the New York Privacy Act (NYPA), which failed to pass the state legislature in July. The bill contained a data fiduciary clause that would have required businesses to act in the best interest of consumers when protecting private information, and allowed for consumers to independently sue violators.
The Stop Hacks and Improve Electronic Data Security (SHIELD) Act, however, passed the state legislature and was signed into law on July 25. While it is less restrictive than the NYPA, it still poses potential risks that businesses need to be aware of.
What is the New York SHIELD Act?
The SHIELD Act expands existing laws by adding restrictions for businesses concerning how data is captured, shared, and protected. It affects breach notification requirements, changes the definition of “private information,” and requires businesses to implement “reasonable safeguards” to prevent data breaches.
Reasonable safeguards include, but are not limited to:
- Assessing risks in network and software
- Assessing risks in information processing, transmission, and storage
- Detecting, preventing, and responding to system failures
- Regularly testing and monitoring the effectiveness of key controls, systems, and procedures
- Detecting, preventing, and responding to intrusions
- Disposing of private information as required
Any business that owns or licenses computerized data containing private information of New York State residents must comply with the SHIELD Act, regardless of whether that business operates within New York.
Why should auto and truck dealerships care about the SHIELD Act?
Auto and truck dealerships collect customer data on a daily basis. From lease agreements to credit checks, dealerships have to collect, transmit, and store private information, and much of it is processed through digital forms. This makes dealerships a prime target for SHIELD Act enforcement.
While the SHIELD Act does not allow for a private right of action, violators still face injunctive relief and civil penalties of up to $250,000. In other words, a large data breach could have a significant impact on a dealership’s bottom line.
How should dealerships respond?
Amendments to breach notification policy take effect on October 23, 2019, and the “reasonable safeguards” requirements for data security go into effect on March 21, 2020. In order to prepare for SHIELD Act compliance, dealerships need to assess their current security posture for possible gaps and make adjustments as necessary.
These adjustments may include: developing new data collection and management policies, updating privacy policy text and opt-out instructions, evaluating third-party relationships and vendor management policies, and implementing additional staff training.
All dealerships that retain private information of New York residents are required to comply with the SHIELD Act, regardless of where the business operates. Therefore, dealerships in every state should be cognizant of this law.
Dealerships should stay alert for potential SHIELD Act amendments or clarifications. It’s likely that this consumer privacy law will continue to evolve, and it’s important for dealerships to stay on top of any changes in order to plan effectively.
Furthermore, while the NYPA failed in a recent legislative session, the bill (or similar bills containing data fiduciary clauses) will likely be reintroduced for further discussion in the coming months.
Need to evaluate your dealership for SHIELD Act readiness? Contact us to get started.