Why Businesses Throughout The Country Should Be Worried About New York’s SHIELD Act

Written by: Richard Sheinis, Esq.

New York’s SHIELD Act has passed the New York Senate, and now awaits passage in the Assembly before it goes to the Governor to sign into law.  While the Act contains new rules regarding data breaches and data breach notification, businesses should be most concerned about the increased geographic coverage of the Act, and the new requirement that businesses implement “reasonable safeguards to protect the security, confidentiality and integrity of the private information.”

The earlier version of the Act was limited in applicability to businesses which conduct business in New York state.  The words “conducts business in New York state” have been removed from the Act.  The removal of this language expands the reach of the Act to any person or business which owns or licenses private information concerning a resident of New York state.  This makes the Act applicable to any business that is not physically located in New York but obtains the private information of New York residents, such as through online sales, or to hotels in other states that provide accommodations to New York residents.

The requirement that businesses implement reasonable security safeguards is quite lengthy.  The required safeguards include a data security program, designation of an employee to coordinate the security program, identification of foreseeable internal and external risks, assessing the sufficiency of the safeguards in place, employee training, requirements for contracts with service providers, revising the security program based upon business changes, assessing risks in network and software design, information processing, transmission and storage, detection and response to attacks, system monitoring and proper disposal of private information.

The Attorney General may bring an action against a business to impose civil penalties for violation of the Act.  Perhaps the saving grace of the Act is that it specifically states it does not create a private right of action.  If the Act is passed, most of its provisions will take effect 90 days after it passes; however, the requirement that security safeguards be implemented would not take effect until 240 days after the Act is passed.

In view of the far-reaching effects of the SHIELD Act, we will let you know if/when the Act passes the Assembly.