Following up on our post from June 7, Governor Cuomo has now signed the SHIELD Act into law. New section 899-bb of the General Business Law, which creates substantive security obligations for all persons or businesses that own or license the defined “private information” of New Yorkers, goes into effect in 240 days, with the rest of the law taking effect within 90 days.
The SHIELD Act vastly increases the reach of New York’s data breach notification law, extending it worldwide to cover any person or entity that processes New York private information. And it widens the definition of private information to include biometric data as well as financial account information, even without an access code, if circumstances exist in which the account information could be used without a code to access the financial account. User name and password for access to an online account have also been added to the definition, bringing New York in line with a number of other states in relation to the definition of protected data in their data breach notification statutes.
In a recent New York Law Journal article, “New York SHIELD Act Promises More Data Breach Enforcement, and International Reach,” I discussed the remaining changes created by the Act.
With the Act in place, every business and organization in New York, and even organizations far from New York that hold New Yorkers’ private information, now have a new and active regulator in the form of the New York State Attorney General’s office. The message in the Act is clear: take the security of personally identifying information seriously or face serious consequences. Organizations would be well served by using the Act as motivation to review their information security programs, their incident response plans, and most of all, their formal risk assessments (if they have even undertaken one), as all of these components are vital to establishing a SHIELD Act-compliant approach to information security.