Amidst A Pandemic, New York Quietly Implements Its Enhanced Data Security Law
While much attention and focus have rightly been placed on the California Consumer Privacy Act and the dramatic expansion of privacy rights for California residents that it heralds, a number of other states have quickly followed suit, working to strengthen their respective data security and privacy laws. On July 25, 2019, Governor Andrew Cuomo signed into law New York’s Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act” or the “Act”). The SHIELD Act amends New York State’s data breach notification law by broadening the state’s existing data breach notification requirements and requiring covered businesses to have “reasonable” data security safeguards.
Among other things, the Act:
- Broadens the scope of “Private Information” covered under the Act to include biometric information (e.g., a fingerprint, voice print, retina or iris image, or other unique physical or digital representation of biometric data, which are used to authenticate or ascertain the individual’s identity), and a user name or e-mail address, in combination with a password or security question and answer, that would permit access to an online account. N.Y. Gen. Bus. Law § 899-aa(1)(b).