The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)1 amended New York’s data breach notification law. It broadened the law’s territorial scope, expanded the definition of Private Information and what constitutes a Breach, and imposed stricter data security obligations on affected businesses. It was signed into law in July 2019; the breach notification amendments took effect in October 2019, and the security data requirements took effect March 21, 2020.
Prior to the SHIELD Act, New York’s breach notification law applied only to companies that conduct business within the state. Now, any person or business who “owns or licenses computerized data which contains private information” of New York residents is liable under the law.2 The SHIELD Act added key data elements to its definition of Private Information the exposure of which will constitute a breach, including: financial account numbers, biometric information, and email addresses and credentials.3 Whereas a breach under the prior law meant the unauthorized acquisition of Private Information, under the SHIELD Act, the unauthorized “access” to private information constitutes a breach, triggering the notification requirement.4
The SHIELD Act imposes new data security requirements. Businesses that own or license New York residents’ private information must now “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity” of that information.5 Businesses should implement data security programs that include certain measures as detailed in the law, including risk assessments, employee training, and timely data disposal.6