The state of New York will introduce the SHIELD Act, which stands for Stop Hacks and Improve Electronic Data Security Act. This law requires all businesses that hold sensitive data of New Yorkers to adopt administrative, technical and physical security measures. It applies to all such businesses, even those that are not based in New York or that do not do business in New York.
Many states already have data breach notification laws. These laws require notification of individuals who are impacted by breach incidents that compromise username/password combinations and biometric data. The SHIELD Act is a similar law that requires breach notification when unauthorized people gain access to personal information, including username/password combinations, biometric data and protected health information (PHI) already covered by HIPAA laws.
The SHIELD Act will implement a flexible standard to make it easy for small businesses to comply. The required safeguards will depend on the organization's size for all businesses that have fewer than 50 employees, earn gross revenue of less than $3 million, or possess assets of less than $5 million. Nevertheless, Attorney General Schneiderman encourages businesses to go beyond the minimum standards required by the SHIELD Act, for example by obtaining an independent certification of their security controls.
Some businesses are considered already compliant with the SHIELD Act's data security requirements if they are HIPAA-covered entities, or are compliant with the Gramm-Leach-Bliley Act or NYS DFS regulations. Businesses that do not comply with the SHIELD Act are deemed violators of the General Business Law (GBL § 349). The state attorney general can bring a lawsuit against them and seek civil penalties under GBL § 350(d).