DPA Short Form Transfer Addendum - New York (Operational Compliance)
DPA SHORT FORM TRANSFER ADDENDUM -- NEW YORK
Operational Compliance Format -- Article Numbering
Addendum Effective Date: [__/__/____]
Reference Agreement: [________________________________] dated [__/__/____] (the "Agreement")
Transferor: [________________________________] ("Transferor")
Transferee: [________________________________] ("Transferee")
This Addendum establishes the operational compliance framework for transfers of Personal Data involving New York residents under the SHIELD Act and, where applicable, 23 NYCRR Part 500.
ARTICLE I: DEFINITIONS
1.1 "Private Information" -- N.Y. Gen. Bus. Law 899-aa(1)(b); personal information in combination with one or more of: SSN, DL/ID, financial account with credentials, biometric information, username/email with password/security Q&A, medical information (eff. Mar. 21, 2025), health insurance information (eff. Mar. 21, 2025).
1.2 "Personal Data" -- Any information linked to an identified/identifiable NY resident, including Private Information and additional categories under Applicable Data Protection Laws.
1.3 "Security Breach" -- N.Y. Gen. Bus. Law 899-aa(1)(c); unauthorized access compromising security, confidentiality, or integrity of Private Information.
1.4 "Reasonable Safeguards" -- Administrative, technical, and physical safeguards per N.Y. Gen. Bus. Law 899-bb(2).
1.5 "DFS Covered Entity" -- Entity regulated under 23 NYCRR Part 500.
ARTICLE II: OPERATIONAL SCOPE
2.1 Regulatory Applicability Assessment:
| Framework | Applicable | Notes |
|---|---|---|
| SHIELD Act (899-aa, 899-bb) | ☐ Yes ☐ No | Applies to all businesses with NY resident Private Info |
| DFS Cybersecurity (23 NYCRR 500) | ☐ Yes ☐ No | Financial institutions regulated by DFS |
| HIPAA | ☐ Yes ☐ No | Health data involvement |
| Other | ☐ Yes ☐ No | [________________________________] |
2.2 Pre-Transfer Compliance Checklist:
☐ Written contract executed (this Addendum)
☐ Service provider safeguard requirement satisfied (899-bb(2)(b)(i)(E))
☐ Reasonable Safeguards implemented and verified
☐ Private Information elements identified
☐ Medical/health insurance information protocols updated (eff. Mar. 2025)
☐ Data inventory completed (Exhibit C)
☐ Technical measures verified (Exhibit B)
☐ Subprocessor list reviewed
☐ 30-day breach notification workflow established (eff. Dec. 2024)
☐ Multi-agency notification contacts documented (AG, DFS, Dept. of State, State Police)
☐ DFS compliance verified (if applicable)
2.3 Transfer Type: ☐ Controller-to-Processor ☐ Controller-to-Controller ☐ Processor-to-Sub-Processor
2.4 Purpose: [________________________________]
2.5 Data Categories:
☐ SSN ☐ DL/State ID ☐ Financial account + credentials ☐ Credit/debit card
☐ Biometric info ☐ Username/email + password ☐ Medical info (eff. Mar. 2025)
☐ Health insurance info (eff. Mar. 2025) ☐ Names/identifiers ☐ Employment data
☐ Online identifiers ☐ Commercial data ☐ Geolocation ☐ Other: [________________________________]
2.6 Data Subject Categories: ☐ Customers ☐ Employees ☐ End Users ☐ Business Contacts ☐ Patients ☐ Other: [________________________________]
2.7 Duration: Agreement term plus [____] day wind-down.
ARTICLE III: COMPLIANCE FRAMEWORK
3.1 SHIELD Act Contract Matrix (899-bb(2)(b)(i)(E)):
| Requirement | Reference | Status |
|---|---|---|
| Service provider capable of maintaining safeguards | Article VII | ☐ Verified |
| Contractual safeguard requirement | This Addendum | ☐ Complete |
| Breach notification cooperation | Article X | ☐ Complete |
| Data disposal provision | Article XI | ☐ Complete |
| Audit/oversight capability | Article XII | ☐ Complete |
3.2 DFS Vendor Management Matrix (23 NYCRR 500.11, if applicable):
| Requirement | Reference | Status |
|---|---|---|
| Written policy for third-party service providers | This Addendum | ☐ Complete |
| Minimum cybersecurity practices required | Article VII | ☐ Complete |
| Due diligence process | Article XII | ☐ Complete |
| Periodic assessment | Article XII, 12.3 | ☐ Complete |
3.3 Legal Basis: ☐ Contractual ☐ Legitimate interests ☐ Consent ☐ Legal obligation
3.4 International Transfer: ☐ DPF ☐ SCCs Module [____] ☐ UK Addendum ☐ N/A
ARTICLE IV: DATA CLASSIFICATION
4.1 SHIELD Act Private Information Inventory:
| Element | Included | Enhanced Safeguards | Verified |
|---|---|---|---|
| SSN | ☐ Yes ☐ No | ☐ Applied | [__/__/____] |
| DL/State ID | ☐ Yes ☐ No | ☐ Applied | [__/__/____] |
| Financial acct + credentials | ☐ Yes ☐ No | ☐ Applied | [__/__/____] |
| Credit/debit card (standalone) | ☐ Yes ☐ No | ☐ Applied | [__/__/____] |
| Biometric info | ☐ Yes ☐ No | ☐ Applied | [__/__/____] |
| Username/email + password | ☐ Yes ☐ No | ☐ Applied | [__/__/____] |
| Medical info (eff. Mar. 2025) | ☐ Yes ☐ No | ☐ Applied | [__/__/____] |
| Health insurance (eff. Mar. 2025) | ☐ Yes ☐ No | ☐ Applied | [__/__/____] |
4.2 Additional Data:
| Element | Included | Purpose | Retention |
|---|---|---|---|
| Name | ☐ Yes ☐ No | [________________________________] | [____] |
| [________________________________] | ☐ Yes ☐ No | [________________________________] | [____] |
| Phone | ☐ Yes ☐ No | [________________________________] | [____] |
| Address | ☐ Yes ☐ No | [________________________________] | [____] |
| IP/device IDs | ☐ Yes ☐ No | [________________________________] | [____] |
| Employment data | ☐ Yes ☐ No | [________________________________] | [____] |
| Purchase history | ☐ Yes ☐ No | [________________________________] | [____] |
4.3 DFS Nonpublic Information (23 NYCRR 500.01, if applicable):
☐ NPI as defined in DFS regulations
☐ N/A (not DFS-regulated)
ARTICLE V: TRANSFEROR OPERATIONS
5.1 SHIELD Act Data Security Program Checklist (899-bb):
Administrative Safeguards (899-bb(2)(b)(i)):
☐ Security coordinator designated: [________________________________]
☐ Internal/external risks identified
☐ Safeguard sufficiency assessed
☐ Employee training conducted: Last date [__/__/____]
☐ Service providers (including Transferee) contractually required to maintain safeguards
Technical Safeguards (899-bb(2)(b)(ii)):
☐ Network/software risk assessed
☐ Processing/transmission risk assessed
☐ Attack detection/prevention/response implemented
☐ Key controls regularly tested
Physical Safeguards (899-bb(2)(b)(iii)):
☐ Storage/disposal risk assessed
☐ Intrusion detection/prevention implemented
☐ Unauthorized access protection implemented
☐ Disposal procedures established
5.2 Small Business Status (899-bb(2)(c)):
☐ Fewer than 50 employees ☐ Less than $3M gross annual revenue (each of last 3 fiscal years) ☐ Less than $5M year-end total assets
☐ Qualifies as small business ☐ Does not qualify ☐ TBD
5.3 Monitoring Schedule:
| Activity | Frequency | Last Done | Next Due |
|---|---|---|---|
| Security program review | Annually | [__/__/____] | [__/__/____] |
| Risk assessment update | Annually | [__/__/____] | [__/__/____] |
| Service provider review | Annually | [__/__/____] | [__/__/____] |
| Employee training | Annually | [__/__/____] | [__/__/____] |
| Breach drill | Annually | [__/__/____] | [__/__/____] |
| DFS assessment (if applicable) | Annually | [__/__/____] | [__/__/____] |
ARTICLE VI: TRANSFEREE OPERATIONS
6.1 Required Actions:
☐ Process only per documented instructions
☐ Maintain Reasonable Safeguards (899-bb)
☐ Ensure personnel confidentiality
☐ Cooperate with breach notification (30-day deadline)
☐ Cooperate with audits and assessments
☐ Delete/return data on termination
☐ DFS cybersecurity program (if applicable)
☐ Notify Transferor if unable to meet obligations
6.2 Prohibited Actions:
☐ NOT sell Personal Data
☐ NOT share for advertising without authorization
☐ NOT process for unauthorized purposes
☐ NOT disclose to unauthorized parties
☐ NOT engage in deceptive data practices (GBL 349/350)
6.3 Confidentiality. All personnel bound by confidentiality obligations.
6.4 DFS Third-Party Requirements (500.11, if applicable):
☐ Cybersecurity program implemented
☐ MFA for system access
☐ Encryption for NPI in transit and at rest
☐ Cybersecurity event notification protocols
ARTICLE VII: TECHNICAL MEASURES
7.1 SHIELD Act Three-Pillar Verification:
Administrative Safeguards:
| Control | Status | Verified | Next Review |
|---|---|---|---|
| Security coordinator | ☐ Active | [__/__/____] | [__/__/____] |
| Risk identification | ☐ Complete | [__/__/____] | [__/__/____] |
| Safeguard assessment | ☐ Complete | [__/__/____] | [__/__/____] |
| Employee training | ☐ Current | [__/__/____] | [__/__/____] |
| Service provider oversight | ☐ Active | [__/__/____] | [__/__/____] |
Technical Safeguards:
| Control | Status | Verified | Next Review |
|---|---|---|---|
| TLS 1.2+ transit encryption | ☐ Active ☐ Pending | [__/__/____] | [__/__/____] |
| AES-256 at-rest encryption | ☐ Active ☐ Pending | [__/__/____] | [__/__/____] |
| MFA | ☐ Active ☐ Pending | [__/__/____] | [__/__/____] |
| RBAC | ☐ Active ☐ Pending | [__/__/____] | [__/__/____] |
| IDS/IPS | ☐ Active ☐ Pending | [__/__/____] | [__/__/____] |
| Vulnerability scanning | ☐ Active ☐ Pending | [__/__/____] | [__/__/____] |
| Penetration testing | ☐ Active ☐ Pending | [__/__/____] | [__/__/____] |
| SIEM/monitoring | ☐ Active ☐ Pending | [__/__/____] | [__/__/____] |
| Incident response plan | ☐ Active ☐ Pending | [__/__/____] | [__/__/____] |
Physical Safeguards:
| Control | Status | Verified | Next Review |
|---|---|---|---|
| Facility access controls | ☐ Active ☐ Pending | [__/__/____] | [__/__/____] |
| Intrusion detection | ☐ Active ☐ Pending | [__/__/____] | [__/__/____] |
| Secure disposal (NIST 800-88) | ☐ Active ☐ Pending | [__/__/____] | [__/__/____] |
7.2 Enhanced Private Information Measures. Field-level encryption; data masking in non-prod; real-time alerts; segregated storage.
7.3 Medical/Health Data Measures (eff. Mar. 2025). Encryption, access controls, and logging specifically applied to medical and health insurance information now included in Private Information definition.
ARTICLE VIII: DATA SUBJECT RIGHTS OPERATIONS
8.1 NY Landscape Note. New York lacks comprehensive consumer privacy rights (access, delete, correct, port, opt-out). The SHIELD Act focuses on security and breach notification. However, operational readiness for consumer rights is recommended.
8.2 Multi-State Rights Support. Where other state laws apply to NY residents:
| Right | Supported | Response Time |
|---|---|---|
| Access/Know | ☐ Yes ☐ Prep | [____] days |
| Delete | ☐ Yes ☐ Prep | [____] days |
| Correct | ☐ Yes ☐ Prep | [____] days |
| Portability | ☐ Yes ☐ Prep | [____] days |
| Opt-Out (sale/share) | ☐ Yes ☐ Prep | [____] days |
8.3 Future Readiness Checklist:
☐ Data mapping system capable of individual-level queries
☐ Deletion capability across all data stores
☐ Correction/update capability
☐ Export in machine-readable format
☐ Opt-out mechanism infrastructure
☐ Consumer request intake and tracking system
8.4 DFS Consumer Complaint Cooperation (if applicable). Transferee cooperates with DFS-directed consumer complaints.
ARTICLE IX: SUBPROCESSOR MANAGEMENT
9.1 SHIELD Act Requirement. Transferee must contractually require subprocessors to maintain safeguards (899-bb(2)(b)(i)(E)).
9.2 Authorization: ☐ Specific ☐ General (with [____] days' notice)
9.3 Subprocessor Tracker:
| Subprocessor | Location | Activity | Private Info | DFS Data | Approved | Date |
|---|---|---|---|---|---|---|
| [________________________________] | [____] | [________________________________] | ☐ | ☐ | ☐ | [__/__/____] |
| [________________________________] | [____] | [________________________________] | ☐ | ☐ | ☐ | [__/__/____] |
| [________________________________] | [____] | [________________________________] | ☐ | ☐ | ☐ | [__/__/____] |
9.4 Flow-Down Checklist:
☐ Reasonable Safeguards (admin, tech, physical)
☐ Confidentiality ☐ Purpose limitation ☐ Breach notification
☐ Audit cooperation ☐ Deletion/return ☐ DFS compliance (if applicable)
9.5 Liability. Transferee remains fully liable for the acts and omissions of its subprocessors.
ARTICLE X: DATA BREACH RESPONSE
10.1 Critical: 30-Day Notification Deadline (eff. Dec. 21, 2024).
| Step | Action | Deadline |
|---|---|---|
| 1 | Breach detected/suspected | Trigger |
| 2 | Transferee notifies Transferor | Within [____] hours |
| 3 | Details provided | With notification |
| 4 | Updates | Every [____] hours |
| 5 | Individual notice (NY residents) | Within 30 days of discovery |
| 6 | AG notification | With individual notice |
| 7 | DFS notification | Within 72 hours (if DFS-regulated) |
| 8 | Dept. of State notification | With individual notice |
| 9 | State Police notification | With individual notice |
10.2 Breach Response Checklist:
☐ Breach contained
☐ Transferor notified within required timeframe
☐ Scope identified (number, Private Info elements)
☐ Medical/health insurance data involvement assessed (eff. Mar. 2025)
☐ Harm assessment completed (reasonably likely to result in misuse/harm)
☐ Individual notice drafted (date, description, contact info, CRA info, remedial services)
☐ AG office notified
☐ DFS notified (if applicable, within 72 hours)
☐ Dept. of State notified
☐ State Police notified
☐ Substitute notice evaluated (if >$250K cost, >500K affected, or insufficient contacts)
☐ Credit monitoring arranged
☐ Root cause analysis
☐ Remediation plan
10.3 Expanded Private Information (eff. Mar. 21, 2025). Medical information and health insurance information now trigger breach notification. Update detection and classification protocols.
10.4 Indemnification. Transferee indemnifies for breach costs attributable to its security failures.
ARTICLE XI: DATA RETENTION AND DELETION
11.1 SHIELD Act Disposal (899-bb(2)(b)(iii)(C)). Dispose of Private Information within reasonable time after no longer needed.
11.2 Retention Schedule:
| Category | Period | Basis | Disposal Method |
|---|---|---|---|
| [________________________________] | [____] | [________________________________] | [________________________________] |
| [________________________________] | [____] | [________________________________] | [________________________________] |
11.3 Deletion Checklist:
☐ Election received ☐ Primary data purged ☐ Backups scheduled (within [____] months)
☐ Subprocessors notified ☐ SHIELD-compliant disposal methods used ☐ Certification delivered
11.4 Legal Hold. Permitted if required; Transferor notified; minimum data; protections continue.
ARTICLE XII: AUDIT AND MONITORING
12.1 SHIELD Act Oversight. Transferor verifies Transferee's capability to maintain safeguards.
12.2 Evidence. SOC 2 Type II; ISO 27001; pen test summary; security questionnaire; risk assessment; training records.
12.3 Monitoring Schedule:
| Activity | Frequency | Last Done | Next Due |
|---|---|---|---|
| Safeguards assessment | Annually | [__/__/____] | [__/__/____] |
| Security controls review | Annually | [__/__/____] | [__/__/____] |
| Subprocessor audit | Annually | [__/__/____] | [__/__/____] |
| Breach readiness drill | Annually | [__/__/____] | [__/__/____] |
| DFS compliance review | Annually (if applicable) | [__/__/____] | [__/__/____] |
12.4 On-Site. [____] per year; [____] days' notice; NDA; cost per Agreement.
12.5 Regulatory Cooperation. AG, DFS, Dept. of State, State Police as applicable.
12.6 Remediation. [____] days; evidence provided.
ARTICLE XIII: CROSS-BORDER
13.1 Interstate. SHIELD Act applies to any business with NY resident Private Information regardless of location.
13.2 Location: ☐ US only ☐ US + EEA/UK ☐ Specific: [________________________________] ☐ No restriction
13.3 Relocation Notice. [____] days prior.
ARTICLE XIV: LIABILITY
14.1 Mutual indemnification.
14.2 Transferee: AG enforcement costs; DFS penalties (if applicable); notification/monitoring costs; common law negligence claims; GBL 349/350 claims; investigation costs.
14.3 Enforcement. AG (SHIELD Act -- no private right of action); DFS (23 NYCRR 500); common law (negligence, breach of implied contract); GBL 349/350 (private right of action for deceptive practices).
14.4 Cap. Agreement cap except for willful misconduct, unauthorized disclosure, notification failures.
ARTICLE XV: TERM AND TERMINATION
15.1 Term. Coterminous with the Agreement.
15.2 Cure. [____] days.
15.3 Survival. Articles I, VI, VII, VIII, X, XI, XII, XIV.
ARTICLE XVI: EXECUTION
TRANSFEROR:
Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Organization: [________________________________]
Date: [__/__/____]
TRANSFEREE:
Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Organization: [________________________________]
Date: [__/__/____]
EXHIBIT A: RISK ASSESSMENT
| Factor | Rating | Notes |
|---|---|---|
| SHIELD Act safeguards | ☐ Low ☐ Med ☐ High | [________________________________] |
| 30-day notification readiness | ☐ Low ☐ Med ☐ High | [________________________________] |
| Medical/health data (Mar. 2025) | ☐ Low ☐ Med ☐ High | [________________________________] |
| DFS compliance | ☐ Low ☐ Med ☐ High ☐ N/A | [________________________________] |
| Common law litigation risk | ☐ Low ☐ Med ☐ High | [________________________________] |
Overall: ☐ Proceed ☐ Proceed with measures ☐ Do not proceed
EXHIBIT B: SHIELD ACT SAFEGUARDS VERIFICATION
| Safeguard Category | Control | Status | Date |
|---|---|---|---|
| Administrative | Security coordinator | ☐ Yes ☐ No | [__/__/____] |
| Administrative | Risk identification | ☐ Yes ☐ No | [__/__/____] |
| Administrative | Employee training | ☐ Yes ☐ No | [__/__/____] |
| Technical | Encryption transit | ☐ Yes ☐ No | [__/__/____] |
| Technical | Encryption at rest | ☐ Yes ☐ No | [__/__/____] |
| Technical | MFA | ☐ Yes ☐ No | [__/__/____] |
| Technical | RBAC | ☐ Yes ☐ No | [__/__/____] |
| Technical | SIEM | ☐ Yes ☐ No | [__/__/____] |
| Physical | Access controls | ☐ Yes ☐ No | [__/__/____] |
| Physical | Disposal procedures | ☐ Yes ☐ No | [__/__/____] |
| Certification | SOC 2 | ☐ Yes ☐ No | Expiry: [__/__/____] |
| Certification | ISO 27001 | ☐ Yes ☐ No | Expiry: [__/__/____] |
EXHIBIT C: DATA INVENTORY
| # | Element | Private Info | DFS NPI | Source | Purpose | Retention | Disposal |
|---|---|---|---|---|---|---|---|
| 1 | [________________________________] | ☐ | ☐ | [________] | [________________________________] | [____] | [________] |
| 2 | [________________________________] | ☐ | ☐ | [________] | [________________________________] | [____] | [________] |
| 3 | [________________________________] | ☐ | ☐ | [________] | [________________________________] | [____] | [________] |
Last updated: March 2026