New York Governor Andrew Cuomo recently signed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act into law. Along with broadening the definition of what constitutes a breach, the law will strengthen the state’s data breach policies.
SHIELD was first proposed in 2017 by former Attorney General Eric Schneiderman. Although the bill has undergone several revisions, the final version:
- expands the legal definition of what counts as data (including biometric data, email addresses, passwords, and security questions)
- expands what counts as a data breach (including unauthorized viewing and copying)
- requires companies to implement more measures to protect consumer data, expands the current breach notification requirement, and mandates that any person or enterprise affected by the breach be notified.
Furthermore, the SHIELD Act requires companies to implement reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of sensitive data. Examples of such safeguards include:
- Identifying reasonably foreseeable risks to data security
- Selecting vendors that can maintain appropriate safeguards
- Detecting, preventing and responding to attacks and system failures
- Preventing unauthorized access to private information
Companies that fail to adequately protect consumers’ data will face strict penalties. “The stark reality is security breaches are becoming more frequent, and with this legislation, New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data,” said Governor Cuomo.