Everyone who operates in New York State or handles New Yorkers’ information should be aware of their obligations to comply with the Disposal of Personal Records Law. This law is codified in New York General Business Law §399-h and requires that when disposing of data, whether on paper records or in electronic format, certain precautions are taken to ensure the data doesn’t fall into the wrong hands. This is a basic security obligation imposed on covered entities to guard against identity left or other malicious use of private information.
Unlike much of current cybersecurity regulations, this law has been on the books for some time so there is little excuse for failing to meet its fairly straightforward obligations.
What is a Covered Entity?
Section 399-h applies to any person or private entity disposing of a record containing “personal identifying information.” This information is defined as any information about a natural person that can be used to identify the person, stored in combination with the person’s social security number, drivers license (or non-driver ID) number, mother’s maiden name, or generally, a financial account number. This law applies when the person or entity doing the disposal does so in the course of business conducted for profit.
What does §399-h Require?
The law requires covered entities to take certain reasonable precautions depending on the type and format of information being disposed of, to ensure that unauthorized persons cannot access the information.
For paper records, this is as simple as putting documents through a shredder. Many organizations have long since transitioned to storing the bulk of their information in digital format. This information is still subject to §399-h and parties should take care not to inadvertently discard protected information on an old device. There are now many companies specializing in information technology asset disposition that can assist with scrubbing a device of sensitive material prior to disposal.
Not properly disposing of records in accordance with §399-h can land a Covered Entity with a civil penalty of up to $5,000.
Covered entities should keep in mind that §399-h doesn’t alter employers’ obligations to retain records according to generally appliable state and federal laws and regulations. It also doesn’t necessarily mandate that covered entities dispose of any particular data at any particular time. It merely requires them to take adequate safeguards when they dispose of data.
Conclusion
Your organization’s obligations regarding §399-h and data disposal generally are based on its circumstances. Implementation of appropriate and reasonable data disposal practices should be incorporated into the organization’s broader data security policy, the crafting of which can be facilitated by the advice of experienced legal counsel. Please feel free to reach out to attorneys Chris Baiamonte (cbaiamonte@wladislawfirm.com) or Justin Furry (jfurry@wladislawfirm.com) at the Wladis Law Firm at (315) 445-1700 with any questions.
Christopher J. Baiamonte
Mr. Baiamonte concentrates his practice primarily on civil litigation. He counsels individual, corporate, and municipal clients on resolving disputes ranging from environmental liability to shareholders rights to creditor–debtor suits. He also works with clients to navigate various state and federal regulations relating to areas such as environmental protection, employment, and civil rights.