New Cybersecurity Law To Go Into Effect Soon In New York

• New York recently passed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) that will go into effect on October 23, 2019.
• The law is applicable to employers who possess information about New York residents to implement cybersecurity measures for the data and report data breaches.

With only a few days left for the law to go into effect, here’s everything you need to know.

What’s the matter?

A new cybersecurity and data breach law was passed by New York that details various requirements businesses must adopt to ensure data security.

• The required data protection programs can be implemented by March 21, 2020, but data breaches are to be notified starting October 23, 2019.
• This Act adds to the existing New York’s data breach law.
• Prior to this law, data elements included Social Security Number and Driver’s License Number/Non-Driver Identification Card Number.
• The SHIELD Act expands data elements to include biometric information, bank account numbers, credit and debit card numbers.
• It defines what constitutes a small business, and provides the minimum requirements of the data protection programs of larger businesses.

Who is the Act applicable for?

Any employer who possesses the personal data of New York residents, irrespective of corporate structure, revenue, or location, must comply with the SHIELD Act.

• This means employers who don’t employ any New York residents but have information from their online hiring process must also comply with the Act.
• Both small and large businesses must implement the recommended data security measures and report breaches.

What should employers do?

Because this Act extends to any employer who deals with the personal data of New York residents, it is recommended that:

• Employers outside New York with online hiring processes that collect the personal information of New York residents must deploy measures to adhere to the Act’s requirements.
• If employers don’t maintain personal information, necessary precautions must be in place to ensure that such information is not received.