Much like GDPR, if you’re capturing or processing information on NY state citizens, irrespective of where you’re based, you need to take note…:
States continue to pass legislation addressing the protection and breach of private information and, on July 25, 2019, New York joined the growing trend when Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (or “SHIELD Act”) into law. The SHIELD Act significantly amends New York’s data protection and data breach notification laws – expanding their reach beyond businesses operating in New York and imposing new requirements on persons and businesses in possession of New York residents’ private information.
Effective March 2020, the proactive portion of the SHIELD Act will:
- Apply to any business that has personal information (“PI”) regarding any New York resident
- Require those businesses to adopt proactive measures to safeguard that PI
- Require businesses to vet vendors entrusted with or with access to that PI
The amendments to the current New York breach notification law, effective on October 23, 2019, “redefine a “breach” to include the “mere” unauthorized access to PI (expand the law beyond the actual acquisition of such PI without authorization).