12 September 2019

New York Passes SHIELD Act Amending Data Breach Notification Law

Jones Day

The SHIELD Act significantly amends New York's data breach notification law and data protection requirements.

On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act"), amending New York's data breach notification law. This adds to the growing list of states enacting privacy and data security laws. The SHIELD Act introduces significant changes, including:

  • Broadening the Definition of "Private Information." The Act broadens the definition of "private information" to include biometric information and username/email address in combination with a password or security questions and answers. It also includes an account number or credit/debit card number, even without a security code, access code, or password if the account could be accessed without such information.
  • Expanding the Definition of "Breach." The Act expands the definition of "breach of the security of the system" to include unauthorized "access" of computerized data that compromises the security, confidentiality, or integrity of private information, and it provides sample indicators of access. Previously, a breach was defined only as unauthorized acquisition of computerized data.
  • Expanding the Territorial Scope. The Act expands the territorial application of the breach notification requirement to any person or business that owns or licenses private information of a New York resident. Previously, the law was limited to those that conduct business in New York.
  • Imposing Data Security Requirements. The Act requires companies to adopt reasonable safeguards to protect the security, confidentiality, and integrity of private information. A company should implement a data security program containing specific measures, including risk assessments, employee training, vendor contracts, and timely data disposal.

The breach notification amendments take effect on October 23, 2019, while the data security requirements take effect on March 21, 2020.

Governor Cuomo also signed Senate Bill S3582, which requires a credit reporting agency that suffers a breach containing Social Security numbers to offer consumers identity theft prevention and mitigation services.

New York is strengthening enforcement of consumer privacy and data protection. Companies should review their information security programs to assess the private information they collect and implement data security requirements specified in the SHIELD Act. Given the number of new and proposed state laws, this process can be time-consuming and complex.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.