NY SHIELD Act - Are You Ready To Comply?

October 1, 2019

By: Jessica L. Copeland and Curtis A. Johnson

As you likely already know, on July 25, 2019, Governor Cuomo signed into law the New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD” or “the Act”). Embedded in the dense text of the Act are upcoming deadlines of which many New York organizations are possibly unaware. Below are the significant deadlines to prepare for if your entity is covered by the Act:

  1. By October 23, 2019, any organization collecting and/or processing New York resident data must be prepared to comply with the heightened breach notification requirements outlined by the Act. This includes organizations/entities that are already heavily regulated by NYS DFS, HIPAA, HITECH, GLBA, and “any other data security rules and regulations” of the Federal or New York State government. While SHIELD certainly does not require these organizations to duplicate their notifications, it does require that notification be provided to the NYS Attorney General, State Police and Secretary of State.
  2. By February 19, 2020 (120 days from the Effective Date), State Entities as defined by New York Technology Law § 208 (1)(c)(2) must have a Breach Notification policy in place, and be prepared to implement the plan should an incident or breach occur. As an alternative, such State Entity may adopt a local law consistent with the breach notification requirements set forth in Section 899-aa.
  3. By March 21, 2020, any organization collecting and/or processing New York resident data must be in full compliance with the electronic and physical security controls outlined in the Act and detailed in the two previous information memos circulated by Bond in August of this year.

Links to both memos can be found here and here.

Affected organizations and individuals (i.e., anyone who possesses a wide range of electronic data related to New York residents, including login and password combinations, payment and account information, biometric data, etc.) are encouraged to take steps now to ensure compliance by the applicable deadlines.

For more information regarding the NY SHIELD Act, and whether your organization is in compliance with the Act, contact Jessica Copeland, Curtis Johnson or any one of our attorneys focused on Cybersecurity and Data Privacy law.