New York's SHIELD Data Privacy Law - Does it Apply to You?

On January 1, 2020, the New York SHIELD Act (Stop Hacks and Electronic Data Security Act), one of the harshest cybersecurity laws in the United States,went into effect. The purpose of this law is to further protect the private information of consumers beyond the scope of existing national laws and regulations.

Who must comply?

This law is mandated on both businesses in New York and any organization that collects or stores electronic records of personal data of New York residents. Any business that has a single New York customer must adhere to the SHIELD Act whether located in or beyond the state's borders. This will most likely encourage companies to implement SHIELD on all consumer data as it is impractical to develop privacy policies for New Yorkers only. While the law is already in effect, businesses have been given until March 21 to comply.

What does the law mandate?

1. It expands the definition of what constitutes a security breach. Initially, consumers had to be notified when their data was stolen or acquired by an unauthorized party. Now, organizations must inform consumers even if unauthorized parties access the data. This change is expected to increase the number of data breach notifications.

2. It also expands the definition of what constitutes private data. Private data now includes biometric data from facial recognition software, as well as email addresses, passwords, security questions and answers, social security numbers, any form of identification cards or numbers and financial account data.

3. Organizations must put sufficient safeguards in place to ensure the protection of consumer data. This includes identifying areas of risk, vetting vendors correctly and restricting access to personal data. While the SHIELD Act does not mention specific safeguards, organizations will be in compliance if their security program includes the elements specified in the Act.

4. Organizations must onboard an employee tasked with coordinating their security program. This employee must conduct risk assessments and implement safeguards in response to risk assessments. They must also ensure the organization's compliance with the SHIELD Act. In the event of a breach, the employee is responsible for reporting the breach to the relevant authorities.

5. Organizations must conduct regular updates to their networks' software and hardware. They must also be proactive rather than reactive in the safeguards they implement.

What to do in case of duplication

If the data breached is also protected under other data protection or privacy laws such as HIPAA, HITECH or any other federal or local laws, duplicate notifications do not have to be sent to relevant authorities. However, in such cases, the State Attorney General, State Police, Department of State and consumer reporting agencies must be notified.