New York’s SHIELD Act
As of October 2019, New York State's new legislation, the Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act), broadens the state's data breach notification requirements. The Act also requires covered businesses to maintain "reasonable" data security protections. The SHIELD Act applies to any individual or company, including those outside New York State, that owns or licenses computerized data containing the "private information" of any New York State resident.
Critically, the Act requires covered companies to implement and maintain reasonable data protection measures to protect the confidentiality, integrity, and security of the private information they handle. The SHIELD Act sets out specific guidelines for what it considers "reasonable" safeguards, which include designating a party to manage the security program and performing due diligence on the data security practices of outside service providers. In effect, the statute orders any company that maintains, uses, or does business with the sensitive information of New York residents to develop and execute an adequate data security program.
Requirements for Data Security, Effective March 2020
Businesses or individuals that own or license computerized data containing the private information of a New York resident must develop, implement, and maintain reasonable safeguards to protect the confidentiality, integrity, and security of that data.
To comply with the requirements, the entity must either:
- Maintain a compliant information protection program under the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Health Information Technology for Economic and Clinical Health Act (HITECH Act), the New York Department of Financial Services (DFS) cybersecurity regulation, and/or any other applicable New York or federal cybersecurity regulation; or
- Maintain a security program with "reasonable" administrative, physical, and technical safeguards. The Act specifies the measures required to meet this standard.
Small businesses are not exempt from implementing data security protections; however, their safeguards need only be reasonable in light of the size and complexity of the entity, the nature and scope of its activities, and the sensitivity of the personal information it collects from or about consumers.
Broadened Sensitive Information Breach Notification Directives, Effective October 2019
The statute requires a "breach of the security of the system" notification by any entity, whether a business or a person, conducting business in the state where (1) the compromised private information is computerized data, and (2) the data is reasonably believed to have been acquired or accessed by a person without valid authorization. The statute expands the obligation to notify by:
- Making it clear that a "breach of the security of the system" includes unauthorized access, not only acquisition: the unauthorized acquisition of, or unauthorized access to, computerized data that compromises the confidentiality, integrity, or security of private information maintained by the entity; and
- Expanding what counts as covered data, which now includes biometric data. Private information is defined as personal information of the resident combined with one or more of the following data elements, when the data element is not encrypted (or is encrypted with a key that was also acquired):
- Driver’s license number;
- Non-driver ID number;
- Social security number;
- Debit card number, credit card number, or bank account number, together with any required security code, access code, password, or other information that would permit access to the individual's financial account;
- Debit card number, credit card number, or bank account number, where that number alone would permit access to an individual's financial account; or
- The resident's biometric information, such as a fingerprint, voice print, or retina or iris image, or any other unique physical or digital representation of biometric data used to authenticate or ascertain the individual's identity.
Once you understand what data and what events are covered under the NY SHIELD Act, you also need to understand your breach notification obligations in detail: (i) what goes in the breach notice; (ii) how New York residents must be notified; and (iii) your obligations to notify regulators. Not all privacy breach notice obligations are the same.
Consult the Legal Support of a Qualified Attorney
Recently enacted, New York's Stop Hacks and Improve Electronic Data Security Act has made substantial changes to New York law, and it will affect any organization holding the computerized data of New York residents. Whether your organization is a major corporation or a small business, you will need to comply with the new law in order to continue holding private information relating to New York residents. Consider contacting a well-versed attorney for more information.
Attorney John P. O'Brien is highly experienced in technology and the law that governs it. If you own a company that handles the private information of residents affected by the recent law changes, contact Attorney John P. O'Brien for more information today.