Does your company hold personal data on New York residents? If so, you may need to comply with a new law that creates data security and data breach reporting requirements. New York’s SHIELD Act is designed to protect New Yorkers against data security risks, and non-compliance will come at a cost.
Stop Hacks and Improve Electronic Security
New York Governor Cuomo signed the Stop Hacks and Improve Electronic Data Security Act, abbreviated as the SHIELD Act, into law during the summer of 2019.
Speaking about the SHIELD Act, Governor Cuomo said, "The stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data."
The SHIELD Act changes previous law by creating stricter requirements for businesses handling consumer data.
The Rise of Data Breaches
A string of high-profile data breaches has put personal information at risk. One of the worst data breaches has arguably been the one experienced by Equifax, a credit reporting agency, in 2017. New York reached a $19.2 million settlement with Equifax over this breach.
The SHIELD Act updates New York’s law in order to protect residents and their data. When Governor Cuomo signed the SHIELD Act into law, he also signed another law that requires credit reporting agencies that suffer a data breach to offer identity theft services to affected consumers.
Requirements Under the SHIELD Act
Under the SHIELD Act, businesses that handle personal data have stronger obligations to keep that data safe. The new law includes several key changes to previous legislation.
The types of data that are subject to data breach notification requirements now include biometric information, as well as email addresses with passwords or security questions and answers. The definition of a data breach has also been expanded and now includes unauthorized access to private information.
Organizations are required to meet reasonable data security standards that are appropriate for the size of the organization and to follow new notification requirements and procedures following a data breach.
These requirements apply to any individual or organization with personal data on New York residents. As a result, even companies that are located outside of New York may need to comply with the SHIELD Act if they have customers in New York.
The penalty for non-compliance is also increasing. According to SHRM, the fine for each failed notification is increasing from $10 to $20, while the maximum penalty is increasing from $100,000 to $250,000.
An Increasingly Complex Legal Landscape
Other states have been passing similar legislation. In California, for example, the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020.
As more states pass new legislation to protect the data privacy rights of their residents, companies operating in multiple states must take steps to ensure that they are complying with all relevant laws.
Would your cyber liability coverage pay for fines related to SHIELD Act noncompliance? This law is just one more reason for businesses to take a close look at their cyber liability insurance and to know exactly what is covered. Reach out to your Higginbotham broker to learn more.