New York SHIELD Act

The SHIELD Act broadens New York privacy laws in a number of ways. First, the SHIELD Act expands the territorial scope of data laws in New York. The SHIELD Act also broadens the definitions of  “private information” and “breach.” Lastly, the SHIELD Act implements new data security requirements with which businesses must comply.

Scope: The SHIELD Act expands the territorial scope of New York privacy laws, and now applies to any person or business that owns the personal or private information of a New York resident.

Private and Personal Information: The SHIELD Act expands upon the type of information that is required to be protected, including both private and personal information. Private information is defined as data elements (such as a social security number or account number), login information in combination with a password, or any HIPAA-protected material. Personal information is defined in a much broader sense and includes “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person …”

Data Breach: The SHIELD Act expands the definition of a breach. A breach is now not just the unauthorized acquisition of data, but also includes unauthorized access of data. An example of unauthorized access could be a company employee that viewed private information without authorization. The SHIELD Act further requires that, if a breach takes place, disclosure is made to the victims “in the most expedient time possible and without unreasonable delay.”

Data Security Requirements: The SHIELD Act requires businesses to implement a data security program that has reasonable administrative, technical, and physical safeguards. Examples of administrative safeguards include designating an employee to coordinate a security program and employee data security training. An example of a technical safeguard is having a program that assesses risk and detects data attacks. Examples of physical safeguards are requiring proper storage and disposal of information and requiring proper physical security measures. It is important to note that the SHIELD Act takes the size and complexity of a business into consideration, using metrics like number of employees, gross annual revenue, or value of total assets.

If your business owns the personal or private information of a New York citizen, you must be in compliance with the SHIELD Act immediately. If you have any questions regarding the SHIELD Act, or if you would like assistance in becoming compliant, please contact your Meyers Roman attorney or David V. Croft at dcroft@meyersroman.com.