With SHIELD Act, New York State Requires Enhanced Protection of Residents' Private Data

Harris Beach PLLC

Just prior to the sweltering hot weekend, Governor Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act. Taking effect on March 22, 2020, the law imposes new obligations on entities to better ensure data security.

The SHIELD Act applies to all entities that own or license computerized data that includes private information of any resident of New York state. In contrast, current law only applies to businesses that operate in New York state.

With cybersecurity threats omnipresent, the SHIELD Act seeks to curtail them by ensuring businesses have measures in place to deflect threats and protect privacy. It also imposes reporting requirements. The new law amends NYS General Business Law Article 39-F and existing General Business Law §899-aa, and adds a whole new §899-bb. Some key provisions include:

• Expanding the definition of private information to include biometric information (e.g. fingerprint, voice, eyeball); account or credit card information when the number could be used to access an individual’s financial account without additional identifying information, security code or password; and a user name or email address in combination with a password or security question and answer protecting an online account;
• Expanding applicability of the law from those that “conduct business in New York State” to any person or business that owns or licenses computerized data that include private information;
• Broadening the breach notification litmus test from unauthorized “acquisition of” to unauthorized “access to” or “acquisition of”. This change is designed to catch up with both current technology and threats.
• Increasing fines “not to exceed” from $150,000 to $250,000.
• Adding a new “reasonable security requirement” mandating implementation of data security protections that include reasonable administrative, technical, and physical safeguards. Administrative safeguards focus on policies and procedures and the administrative actions that support them. Physical safeguards focus on physical measures, policies, and procedures that protect information, systems, equipment, and facilities from natural disasters, environmental hazards, and unauthorized intrusion. Technical safeguards are designed to protect electronic information from unauthorized access.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Harris Beach PLLC | Attorney Advertising
