The SHIELD Act significantly amends New York's data breach notification law and data protection requirements.
On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act") amending New York's data breach notification law. This adds to the growing list of states enacting privacy and data security laws. The SHIELD Act introduces significant changes, including.
- Broadening the Definition of "Private Information." The Act broadens the definition of "private information" to include biometric information and username/email address in combination with a password or security questions and answers. It also includes an account number or credit/debit card number, even without a security code, access code, or password if the account could be accessed without such information.
- Expanding the Definition of "Breach." The Act expands the definition of "breach of the security of the system" to include unauthorized "access" of computerized data that compromises the security, confidentiality, or integrity of private information, and it provides sample indicators of access. Previously, a breach was defined only as unauthorized acquisition of computerized data.
- Expanding the Territorial Scope. The Act expands the territorial application of the breach notification requirement to any person or business that owns or licenses private information of a New York resident. Previously, the law was limited to those that conduct business in New York.
- Imposing Data Security Requirements. The Act requires companies to adopt reasonable safeguards to protect the security, confidentiality, and integrity of private information. A company should implement a data security program containing specific measures, including risk assessments, employee training, vendor contracts, and timely data disposal.
The breach notification amendments take effect on October 23, 2019, while the data security requirements take effect on March 21, 2020.
Governor Cuomo also signed Senate Bill S3582, which requires a credit reporting agency that suffers a breach containing Social Security numbers to offer consumers identity theft prevention and mitigation services.
New York is strengthening enforcement of consumer privacy and data protection. Companies should review their information security programs to assess the private information they collect and implement data security requirements specified in the SHIELD Act. Given the number of new and proposed state laws, this process can be time consuming and complex.