On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. The law boosts the protection of consumers’ private information, and holds accountable any company that does business within the state. And while there are existing federal and state protections of varying strictness levels, the New York law will have a broader impact simply due to the size of the state.
Who does this apply to?
Any person or business that conducts business in New York and/or owns data and private information of New York residents (regardless of where your organization is located). Under the SHIELD Act, viewing of private information by an unauthorized party would qualify as a “breach of the security of the system” and be eligible for fines and criminal penalties.
What if you're not compliant?
The New York Attorney General can seek up to a quarter million dollars for an infraction from the organization. So far, the NY AG office has levied fines totaling more than 600 million dollars related to data breaches based on existing statutes.
What is reasonable security?
The SHIELD Act requires organizations to develop, implement, and maintain “reasonable safeguards” to protect the security, confidentiality, and integrity of personally identifiable information (PII). Reasonable security safeguards include access controls, security assessments, employee training, and various other technical controls.