On March 21, 2020, the last of the features of the NY Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) became effective: its data security requirements. The SHIELD Act is a sweeping statute governing individual rights relating to data breaches. It was adopted in July 2019 and has been rolled out in the months since then: its breach notification provisions took effect on October 23, 2019, and its data security requirements have now taken effect. Companies and individuals doing business with New York residents are advised to familiarize themselves with the obligations contained in this new law. We summarize below the highlights.
The Privacy of “Private Information” is Protected.
The SHIELD Act requires protection of “private information,” which is a combination of “personal information” and information sufficient to access personal data accounts. “Personal information” for purposes of the SHIELD Act is a name or other identifying feature from which you can determine someone’s identity. The other information required to meet the definition of private information in combination with personal information includes a Social Security number, driver license number, bank or credit card number (with the passwords or access codes needed to access the bank or credit facility), or biometric information that can be used to authenticate or ascertain the individual’s identity.
Separate and apart from the above definition of “private information,” the SHIELD Act also includes in the definition of “private information” a user name or email address along with the password or security information needed to access the account.