States continue to pass legislation addressing the protection and breach of private information and, on July 25, 2019, New York joined the growing trend when Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (or “SHIELD Act”) into law. The SHIELD Act significantly amends New York’s data protection and data breach notification laws – expanding their reach beyond businesses operating in New York and imposing new requirements on persons and businesses in possession of New York residents’ private information.
Effective March 2020, the proactive portion of the SHIELD Act will:
- Apply to any business that has personal information (“PI”) regarding any New York resident
- Require those businesses to adopt proactive measures to safeguard that PI
- Require businesses to vet vendors entrusted with or with access to that PI
The amendments to the current New York breach notification law, effective on October 23, 2019, “redefine a “breach” to include the “mere” unauthorized access to PI (expand the law beyond the actual acquisition of such PI without authorization).
While the amendment to the breach notification requirements may not greatly impact businesses’ current practices, the proactive requirements will be felt by any business that is not already taking “reasonable” measures to safeguard PI in their control. And if you are a vendor to any of these businesses, and you are not prepared to adopt the requisite proactive measures to protect PI entrusted to you, then you may lose that business.