The Stop Hacks and Improve Electronic Data Security (SHIELD) Act
What Is The Stop Hacks and Improve Electronic Data Security (SHIELD) Act?
The Stop Hacks and Improve Electronic Data Security Act, otherwise known as the SHIELD Act, is a New York state law that provides consumers substantially greater privacy and data protection than before, and requires businesses to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.”
According to the bill, “private information” includes name, social security number, a driver’s license number, credit or debit card number, financial account number (with or without security code, as long as an authorized person could gain access to the account), biometric information, and username or email address with a password that permits access to an online account. The bill expands the definition of “breach of a security system” to include unauthorized access, rather than solely unauthorized acquisition of information.
Who is Subject to the SHIELD Act?
Every employer with employees in New York must comply with the SHIELD Act, because private information includes an individual’s name and Social Security number. Any business that collects or maintains private information about a New York resident needs to comply with the SHIELD Act.
Businesses that are compliant with other regulations requiring information security, such as the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act Security Rule, or the New York State Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies are deemed compliant with the SHIELD Act.
What Does the SHIELD Act Require of Covered Businesses?
The SHIELD Act necessitates that each covered entity take measures including:
Who Enforces the SHIELD Act and What are the Penalties for Non-Compliance?
The New York state attorney general has the authority to enforce the SHIELD Act. While the SHIELD Act does not permit a right of action, it doubles the penalty recoverable by the attorney general from $10 to $20 per failed notification and increases the maximum penalty from $100,000 to $250,000.