In August, New York State signed into law the SHIELD Act, or the “Stop Hacks and Improve Electronic Data Security” Act. This is an enhancement to New York State's previous law and has several key points that anyone doing business in New York should take note of. This law goes into effect on March 21, 2020, with one notable exception described below.
Expanded jurisdiction: The SHIELD Act now pertains to any business, inside New York or outside of New York, that stores private information on New York residents. This is an expansion of the jurisdiction from the previous statute.
Expanded definition of private data: New York has expanded the definition of private data to include biometric data and any combination of username, email address and access codes that could lead to the compromise of electronic accounts. Interestingly, New York did not take the additional step of covering DNA as some other states have.
Increased reporting requirements: In the past, HIPAA-covered organizations could get by with reporting a suspected breach to the Department of Human Services. The SHIELD Act requires that the New York State Attorney General also be notified of a data breach. In addition, the definition of a breach has been expanded to include viewed data, not just downloaded data as was previously the case. This part of the Act goes into effect October 23, 2019, before the remainder of the Act. Fines for non-compliance have increased as well.
As a business, you have a responsibility to know and comply with this law. Not knowing the law is never an excuse for violation. The act requires businesses to comply in three different areas: Administrative, Technical and Physical. While the individual safeguards are too numerous to put in this post, Colden Company can assist your business within each area of the Act and set your company on a path to compliance. Please feel free to reach out to us at (888) 600-4560 by phone, or info@coldencompany.com via email.