New York Raises the Stakes in Relation to Breach Reporting and Securing “Private Information”

Following up on our post from June 7, Governor Cuomo has now signed the SHIELD Act into law.  New section 899-bb of the General Business Law, which creates substantive security obligations for all persons or businesses that own or license the defined “private information” of New Yorkers, goes into effect in 240 days, with the rest of the law taking effect within 90 days.

The SHIELD Act vastly increases the reach of New York’s data breach notification law, extending it worldwide to cover any person or entity that processes New York private information.  And it widens the definition of private information to include biometric data as well as financial account information, even without an access code, if circumstances exist in which the account information could be used without a code to access the financial account.  User name and password for access to an online account have also been added to the definition, bringing New York in line with a number of other states in relation to the definition of protected data in their data breach notification statutes.

In a recent New York Law Journal article, I discussed the remaining changes created by the Act.  Click here to read, “New York SHIELD Act Promises More Data Breach Enforcement, and International Reach.”

With the Act in place, every business and organization in New York, and even organizations far from New York that hold New Yorkers’ private information, has a new and active regulator in the form of the New York State Attorney General’s office.  The message in the Act is clear: take the security of personally identifying information seriously or face serious consequences.  Organizations would be well served by using the Act as motivation to review their information security programs, their incident response plans, and most of all, their formal risk assessments (if they have even undertaken one), as all of these components are vital to establishing a SHIELD Act-compliant approach to information security.
