Citing a sixty percent increase in data breach notifications from 2015 to 2016, New York Attorney General Eric Schneiderman recently introduced the Stop Hacks and Improve Data Electronic Security Act (SHIELD) bill.  The legislation would require companies that handle sensitive date of New York residents to adopt “reasonable administrative, technical and physical protections for data.”

The proposed legislation would impose penalties of up to $5,000 per violation or $20 per each instance of failed notification, up to a maximum of $250,000.   Small businesses would have less rigorous requirements, and there is a proposed safe harbor for employers of all sizes who obtain independent certification that their data protection measures meet the highest standards.

Currently, New York only requires that businesses safeguards personal information if that information contains a social security number, and to be held liable under the law, businesses must conduct business in New York.  SHIELD would require that individuals be notified if sensitive personal information, such as social security number, biometric data, username/password combinations, and protected health data protected under HIPAA, is breached or stolen.  Failure to comply with the legislation could result in a civil suit and penalties under the General Business Law.  SHIELD will apply to companies operating outside the state if they handle the sensitive, personal data of New York residents.