As we first reported on July 24, 2019 (and updated on September 24, 2019), an amendment of New York’s data breach notification law—the Stop Hacks and Improve Electronic Data Security Act, commonly referred to as the SHIELD Act—was signed into law on July 25, 2019. While the breach notification amendments of the SHIELD Act went into effect on the ninetieth day after being signed into law—October 23, 2019—the security requirements of the SHIELD Act officially go into effect on the two hundred fortieth day after the SHIELD Act was signed into law, March 21, 2020.
Data Security Obligations
The SHIELD Act added a requirement that covered entities implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of private information, including the disposal of data. In order to be in compliance, a business must implement a data security program that includes reasonable administrative, technical and physical safeguards, including:
Small businesses are permitted to scale the above reasonable security requirements as appropriate for the size and complexity of the business, the nature and scope of the business’ activities, and the sensitivity of the personal information the business collects. In addition, a business is deemed to be in compliance with the above reasonable security requirements if the business is subject to and in compliance with GLBA, HIPAA, part 500 of title 23 of the official compilation of codes, rules and regulations of the state of New York, or any other data security rules and regulations of any official department, division, commission or agency of the federal or New York state government.
For a full breakdown on the amendments to the SHIELD Act click here to view our September 24, 2019 article, and be sure to Locke-down your SHIELD Act compliance procedures.