The Stop Hacks and Improve Electronic Data Security Act (SHIELD)
The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) is a significant piece of legislation signed into law in New York in 2019. It aims to enhance data security and protect New York residents from data breaches by imposing more stringent requirements on businesses that handle personal information. The SHIELD Act is a comprehensive update to New York's data breach notification law, expanding the scope of what constitutes a data breach and the types of businesses that must comply with its provisions.
One of the key features of the SHIELD Act is its broad definition of "private information." This includes not only traditional personal information like Social Security numbers and driver's license numbers but also biometric data, such as fingerprints and facial recognition data. The act requires businesses to implement reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of this private information. These safeguards must be appropriate to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the personal information it handles.
The SHIELD Act also expands the requirements for data breach notifications. Under the act, businesses must notify affected individuals and the New York Attorney General's office within a reasonable time after discovering a breach. The notification must include specific details about the breach, such as the date of the breach, the types of information compromised, and the steps individuals can take to protect themselves. This ensures that individuals are promptly informed and can take the necessary actions to mitigate potential harm.
Another important aspect of the SHIELD Act is its extraterritorial reach. The law applies to any business that owns or licenses private information of New York residents, regardless of where the business is located. This means that even out-of-state companies must comply with the SHIELD Act if they handle the personal information of New York residents. This broad applicability helps to ensure that New York residents are protected, regardless of where their data is processed or stored.