New York Imposes New Data Security Obligations on Businesses

Posted August 21, 2019 • 2 Minute Read
Category

It’s been almost one month since New York’s Governor Andrew Cuomo signed Senate bill S.5575B/A.5635 called the Stop Hacks and Improve Electronic Data Security Act (also known as the “Act” or “SHIELD Act”) into law, which amends New York’s data breach notification laws and imposes more data security obligations for those who conduct business in New York state. The Act will build significant changes onto the existing data breach notification laws and include new obligations to adopt “reasonable” security measures to protect the sensitive personal data of all New York residents. The amended breach notification laws take effect on October 23, 2019, and the personal data security obligations take effect on March 21, 2020.

The SHIELD Act includes a variety of adjustments, such as:

  • Expanding definitions, such as with “breach” or “private information”

The term “breach” currently refers to the unauthorized acquisition of sensitive data that can compromise its confidentiality or integrity. With the expanded definition, the term “acquisition” is changed to “access”—no person without authorization will be allowed access to the sensitive data of a company.

Similarly, the definition of “private information” will include more types and combinations of information. Things like biometric information and email addresses combined with security questions and answers will be labeled as private information and included under this definition.

  • New data protection security obligations

Entities will be required to put “reasonable” data security safeguards into action, protecting the security and integrity of the data. Criteria within the scope of data safeguards, such as risk assessments and properly trained employees, is also stated within the new law.

New York is following close behind states like California that have signed their own privacy and data protection bills recently, adding to the growing list of states in the past few years. These bills have to be mindful to not duplicate or violate preexisting laws and obligations at state and federal levels, or incur excessive costs that can distress small businesses. Businesses within New York state should prepare as early as possible for the new laws going into effect, as the process of reviewing your company security programs and getting them up to speed can be complex and time-consuming.

At Northwest Registered Agent, we can help you operate your business with an assortment of business services, forms, and how-to guides. Looking to form an LLC or corporation or hire a registered agent service? At Northwest, we have long been a proponent of data security, and we can provide a chance to keep your business running smoothly, even in busy times.