Page 8 - Threat Intelligence 11-15-2019
P. 8
SHIELD Act Overhauls New York’s Data Privacy Framework. This week, on October 23, 2019, New York’s new
breach notification provisions came into effect, a result of New York’s passage of the Stop Hacks and Improve
Electronic Data Security Act (SHIELD Act) in July. That Act overhauled New York’s data privacy framework,
expanding the list of data elements that are considered “private information” while growing the types of
incidents and covered entities that may trigger New York’s notification requirement. The SHIELD Act also
imposes a new legal obligation for owners and licensors of private data to comply with the Act’s “reasonable
security requirement.” Some regulated businesses, like those in the healthcare and financial industries, will be
deemed compliant with the SHIELD Act’s reasonable security requirement if they already comply with laws like
HIPAA or the GLBA. In an attempt to mitigate its potential burdens on smaller operations, the SHIELD Act
explicitly defines small businesses, for whom the Act’s “reasonable security requirement” will be assessed
with regard to factors like a business’s “size and complexity.” The SHIELD Act’s breach notification provisions
went into effect on October 23, 2019, while the new data security requirement goes into effect on March 21,
2020.
Source: https://www.jdsupra.com/legalnews/shield-act-overhauls-new-york-s-data-33724/
- Related articles -
New York Strengthens Data Privacy and Security Protections: Employers Must Adopt Safeguards (US).
Joining the growing list of states enacting privacy and data security laws, on July 25, 2019, New York’s governor
signed into law the “Stop Hacks and Improve Electronic Data Security” Act (the “SHIELD Act”), amending the
state’s data breach notification and cybersecurity law. The SHIELD Act applies to “any person or business that
owns … computerized data which includes private information,” regardless of corporate structure, revenues or
location. As such, the SHIELD Act will apply to not only businesses and employers in New York, but may also
apply to businesses and employers with no physical presence in New York.
Source: https://www.natlawreview.com/article/new-york-strengthens-data-privacy-and-security-
protections-employers-must-adopt
New York Expands Definition of Private Information and Imposes Groundbreaking Cybersecurity
Requirements. The Stop Hacks and Improve Electronic Data Security Handling Act (SHIELD Act) recently
enacted by the New York Senate brings New York in line with many states that have expanded their breach
notification laws, and imposes new obligations on businesses that hold New York residents’ personal
information. Effective October 2019, the Act amends New York’s general business law and state technology
law to broaden the definition of “Private Information” (PI) by subjecting three new categories of data to
security and breach notification requirements:
• Financial account and payment card numbers that “could be used to access an individual’s financial
account without additional identifying information, security code, access code, or password”
• Biometric information, “meaning data generated by electronic measurements of an individual’s
unique physical characteristics”
• A “user name or email address in combination with a password or security question and answer that
would permit access to an online account.”
Source: https://www.natlawreview.com/article/new-york-expands-definition-private-information-and-
imposes-groundbreaking
www.accumepartners.com
7
