New York is the latest in the growing list of states, including California, Rhode Island, and Massachusetts, that have enacted privacy and data security laws. On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which amends New York’s data breach notification law by adding Section 899-bb. The law increases safeguards for the “private information” of New York residents and broadens New York’s security breach notification requirements. It requires any business that collects personal information of New York residents to develop, implement, and maintain reasonable safeguards to protect that information.
The SHIELD Act introduces bold changes, the most significant of which are outlined below:
Broadened Definition of “Private Information.”
The Act broadens the definition of “private information” to include biometric information and a username or e-mail address in combination with a password that permits access to an online account. It also includes, in addition to a Social Security Number, an account number or credit/debit card number, even without a security code, access code, or password, if the account could be accessed without such information.
Expanded Definition of “Breach.”
The Act expands the definition of “breach of the security of the system” to include unauthorized “access” to computerized data that compromises the security, confidentiality, or integrity of private information, and it provides sample indicators of such access. Previously, a breach was defined only as unauthorized acquisition of computerized data.
Extended Geographic Limits.
Previously, the law applied only to those that conduct business in New York.
With the new changes, the SHIELD Act requires any employer in possession of New York residents’ private information to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.”
Imposing Data Security Requirements.
Reasonable safeguards are now required to protect the security, confidentiality, and integrity of private information. A company should implement a data security program that designates one or more employees to coordinate the program, trains and manages employees in its practices and procedures, assesses internal and external risks, and implements controls to reduce those risks. In addition, companies are obliged to dispose of data in a secure and timely manner.
The breach notification amendments took effect on October 23, 2019, and the data security requirements will take effect on March 21, 2020.
Governor Cuomo also signed Senate Bill S3582, which requires a credit reporting agency that suffers a breach involving Social Security numbers to offer consumers identity theft prevention and mitigation services.
These changes can be overwhelming for small to medium-sized businesses. Selecting a service to manage security can ease the burden of complying with the new SHIELD Act.