On July 25, 2019, New York Governor Anthony Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) into law. The Act creates additional protections for the residents of New York and their private information. It also endeavors to improve cybersecurity measures for those who possess private information about New York residents.
Importantly, the SHIELD Act (1) amends General Business Law Section 899-aa, New York’s data breach notification statute, to provide updated definitions and additional coverage, and (2) creates the new General Business Law Section 899-bb, which imposes data security requirements on any person or business that owns or licenses computerized data that includes private information for a New York resident.
Modifications to the data breach notification law (Section 899-aa) will become effective on October 23, 2019, while the new data security protections (Section 899-bb) will become effective on March 21, 2020.
Data Breach Notification Law
The New Definition of “Private Information”
New York’s original data breach notification law included definitions for both “personal information” and “private information.” The current definition of “personal information” remains unchanged, and will continue to be “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.”
However, the SHIELD Act amends the definition of “private information” to include three new types of personal information that are covered by the law: (1) an account number, credit or debit card number, even without additional identifying information or a password; (2) biometric information, such as an individual’s fingerprint, voice print, or retina image; and (3) a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
Expanding the Definition of a “Breach”
Not only has New York i ..