On July 25th, 2019, New York’s governor signed the Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act into law. NY SHIELD amends the state’s existing data breach notification law. It also expands the definition of protected data to include biometric information. This adjustment keeps pace with changing times, as we now use fingerprints, iris/retina images, voiceprints, and more to authenticate our identities.
However, the language of NY SHIELD is deliberately vague. It presents 14 “reasonable” requirements in three broad categories. The goal of NY SHIELD is to allow each organization to determine how best to meet these requirements. That’s not to say that NY SHIELD has no teeth: covered businesses may be liable for a civil penalty of up to $5,000 per violation for knowing or reckless violations. The maximum penalty grew 250%, from $100,000 to $250,000.
As an expert IT partner to SMBs in New York and beyond, we’ve fielded a lot of questions about NY SHIELD: “What does SHIELD mean for a so-called small business versus a large business?” “Who’s going to decide if I’m compliant?” “Do I really have to worry about NY SHIELD?” So, where should you get started? Here’s what NY SHIELD requires in plain English.
Five Reasons Why You Can't Afford to "Not Care" about NY SHIELD