The New York State Assembly on June 17 passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, following approval in the State Senate on June 5.
If signed into law, the SHIELD Act would modernize New York’s current laws governing data breach notification and data security requirements with the intention of providing greater protection for consumer's private information, while holding companies accountable for providing such protections. Under the SHIELD Act, New York would join the increasing number of states requiring persons and entities to implement reasonable data security protections based on business size, as well as those states with data breach notification requirements extending to out-of-state businesses.
Among other provisions, the SHIELD Act would
- expand the scope of information subject to data breach notification law to include biometric information (e.g., fingerprints) and email address/password combinations that provide account access, including security questions and answers;
- broaden the definition of “data breach” to include unauthorized “access” to private information (currently, only an “acquired” standard applies under the current General Business Law 899-aa (NYGBL)). Access may include viewing, copying, or downloading private information;
- update the notification procedures for companies and state entities in the event of an information security breach, including coordination with breach notification provisions of other federal and New York state laws and regulations;
- apply the data breach notification requirements to any person or entity with the private information of a New York resident (currently, this only applies to persons and entities conducting business in the state);
- impose “reasonable” security requirements on persons and businesses that collect private information of a New York state resident, including the development, implementation, and maintenance of reasonable administrative, technical and physical safeguards to protect the security, confidentiality, and integrity of the private information. Specific requirements would depend on the size and nature of a business and the sensitivity of the information collected; and
- expand the time period in which the New York attorney general may bring an action against a business for SHIELD Act violations. Under the current NYGBL, the action must be brought within two years from “the date of the act complained of or the date of discovery of such act.” The new period would be within three years from either (i) the date on which the attorney general became aware of the violation, or (ii) the date of notice sent to the attorney general. There is also an added exclusion from time limits where the entity took steps to hide a breach.
The bill now heads to Governor Andrew Cuomo for his review and consideration. We will continue to provide updates on this bill as they are made available.