Over the past several years, legislators from coast to coast have increasingly made data privacy and cybersecurity top priorities. The result has been a spike in the number and stringency of laws that impose proactive and reactive responsibilities – covering, for instance, data security and breach notifications – on companies that collect personal information, whether from their customers, their employees, end users, or others. That legislative trend has recently expanded previous obligations of companies conducting business in New York state.

On October 23, 2019, New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act went into effect. The law broadens the state’s existing breach notification laws and imposes new security obligations on companies doing business in New York, including an expanded focus on how companies handle biometric data. The SHIELD Act also applies to employee information, as long as there is at least one employee in New York state – regardless of the size or location of the company. As such, the law will have a significant impact on businesses across the country that have private information about consumers and employees based in New York.