NYS Data Breach Notification Legislation

The Stop Hacks and Improve Electronic Data Security Handling (SHIELD) Act, which is expected to pass shortly in the New York State Senate, would update the state’s data breach notification law to cover more personal information and compel firms to disclose ransomware infections and more. The legislation would also extend to businesses that hold sensitive data of New York residents, rather than only firms that do business in the state.

Expert Comments:

Chris Olson, CEO at The Media Trust:

“New York will be taking more than a page from the EU’s GDPR if it passes the SHIELD Act this week. The law would apply to any person or company, regardless of their location, that has the private information of a New York resident. Businesses should start preparing for the inevitable passage of more such laws by putting together a data security program with a dedicated program coordinator and drawing up contracts that require third parties to have strong security measures in place. If your business has a website or mobile app that can be accessed by NY residents and, like most digital assets these days, that collects information from users, you will need to ensure that you and your third parties, who run more than half the code on your website and app, have robust security defenses to prevent a data breach. Now is not the time to take a wait-and-see approach.”

Dov Goldman, Director of Risk & Compliance at Panorays: 

“NY has a new privacy law in the works, and it is likely to have a tremendous impact. Despite the cumbersome name for the prospective legislation, the “Stop Hacks and Improve Electronic Data Security Handling” act (also called “SHIELD,” which is probably the moniker most will use) will effect change on a national and perhaps even international level. NY regulates thousands of financial service firms that are headquartered or just have a presence in the state. The new law will likely apply to many more companies, as SHIELD will require a business that has been breached to notify impacted NY residents, whether or not the business is located in the state. In this regard, SHIELD may be to the US what GDPR has been for Europe. NY’s DFS Part 500, a previous regulation of cybersecurity in the financial services space, is widely respected as a clear and well-designed guideline. If SHIELD is equally effectively structured, it could become a model for future privacy regulations from other US states.”