New York Governor Andrew M. Cuomo signed S5575B/A5635B, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, into law on July 25, 2019. The law provides stronger privacy protections for New York State residents and strengthens New York’s data breach notification laws so that they keep pace with current technology. It will take effect in 240 days.
Under the SHIELD Act, the state’s existing privacy and data breach notification laws change as follows:
A broadened definition of covered entities includes any person or entity that holds the private data of a New York State resident, whether or not that person or entity conducts business in the state of New York.
All businesses are required to develop, implement and maintain reasonable safeguards to protect the confidentiality, availability and integrity of personal data. Those safeguards must be appropriate to the size of the company. The SHIELD Act lists the factors regarded as ‘reasonable security protections.’
The business must develop a written information security program that incorporates all requirements of the SHIELD Act. An individual must be assigned responsibility for implementing and administering the program, and that individual should also oversee employee training on the requirements of the SHIELD Act.
A broadened definition of a data breach includes any unauthorized access to private data. Previously, notifications were only required if an unauthorized person acquired personal data.
An expanded definition of personal information includes email addresses and usernames together with the linked password or security question answers that would permit account access. The new law also requires notification upon exposure of a financial account number combined with any means of gaining access to the account. Biometric data is likewise defined as personal information requiring notification.
As with HIPAA, inadvertent, good-faith disclosures of personal data do not require notification if there is little likelihood of harm.
Organizations covered by the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA), and financial companies covered by the New York Department of Financial Services Cybersecurity Rule, are granted a safe harbor if they are found in compliance with their respective requirements.
The time frame for the issuance of notifications is not changed. Notifications should be issued “in the most expedient time possible and without unreasonable delay.”