The New York Shield Act and What Businesses Need to know

On July 25, 2019, New York State passed the Stop Hacks and Improve Electric Data Security Act (“Shield Act”). The Shield Act is designed to protect the private information of New York residents and to establishes certain regulatory minimum standards. As a result, businesses are required to take new steps when doing business with New York residents. For example, a business is required to receive a customer’s consent prior to providing them with written or electronic notice that their personal information may have subject to unauthorized access. If the incident affects over five hundred residents of New York, the business is required to document the cybersecurity event and provide the state attorney general a copy of that report within ten days after the determination. The breach notification takes effect on October 23, 2019, while the data security requirement take effect on March 21, 2020.

Although the Shield Act does not provide a private right of action, the attorney general can bring an action on behalf of the people of the state of New York. In such an action, the court may impose penalty of up to two hundred fifty thousand dollars.

In short, the Shield Act highlights New York state’s response to the ever-growing threat posed to businesses by cybersecurity threats. To achieve that, the Shield Act broadens the definition of “private information” to include biometric information such as an individual’s unique physical characteristics. Consequently, businesses must swiftly adopt new cybersecurity protocols to comply with the requirements of the Shield Act.

This article contains general legal information and does not contain legal advice. Appolo Compliance is not a law firm or a substitute for an attorney or law firm. For legal advice, please contact a lawyer.

Published by apollocompliance

Jean-Marc is a law student interested in cybersecurity and data privacy law.

Leave a Reply

Your email address will not be published. Required fields are marked *