Over the past several years, legislators from coast to coast have increasingly made data privacy and cybersecurity top priorities. The result has been a spike in the number and stringency of laws that impose proactive and reactive responsibilities - for instance, data security and breach notifications - on companies that collect personal information, whether from their customers, their employees, end users, or others. That legislative trend has recently expanded previous obligations of companies conducting business in New York State.
On October 23, 2019, perhaps the most impactful part of New York's groundbreaking Stop Hacks and Improve Electronic Data Security (SHIELD) Act takes effect, bringing with it numerous increased - and potentially onerous - privacy-related requirements for businesses and employers throughout the Empire State. Signed into law in July 2019, the SHIELD Act substantially expands the scope and applicability of New York's existing data breach and security laws. In the simplest terms, the SHIELD Act, as detailed in our prior blog post, broadens how the terms "data breach" and "private information" are defined under state law, to ensure that previously-excluded categories of information are now captured, to establish security requirements to safeguard that information, and to augment previous notification obligations in the event that information is breached. As a result, all businesses across the country that do business in New York may be subject to the law's new requirements.