On July 25, 2019, the Governor of New York signed a law that would alter the way in which companies in New York could hold and secure the private information of its residents. Known as the Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act”), this new law expanded the definition of a security breach, offering more security to the consumer. In the previous version of the act, a “breach” simply meant accessing data in an unauthorized manner. Now the meaning is broader, giving the consumer more privacy as well as forcing the reporting agency, or any company holding information for that matter, to utilize more secure methods of information storage and follow stricter compliance guidelines.
The SHIELD Act made some significant changes to the original law:
- Changes to the definition of “Private Information”
“Private information” now includes an individual’s account number, credit/debit card number, banking security code or password, biometric data (biometric data being data electronically measured and stored to determine an individual’s unique traits, e.g. fingerprinting, DNA testing),
- Changes to the meaning of “Breach”
A “breach” is now defined as the unauthorized access of information as well as the access of computer data that ultimately risks the security and confidentiality of private information of the consumer; information that companies should be trying to protect!
- Widening the scope of the law
The law previously only applied to those conducting business in New York. Now it means that anyone, whether private or a business, who owns or distributes private information of a resident of New York State is required to follow these rules.
- Creating security requirements
Companies are required to adopt security measures to protect the information that they obtain and redistribute. They are now required to utilize security programs, train employees and destroy data in a timely manner. Last October, on the 23rd, it became a requirement for companies operating to notify those affected by a potential breach. On May 21st, 2020, the data security measures will be mandatory.
What could this mean for the future? Ideally, companies would be held to a higher standard of accountability when it comes to the storage and acquisition of private, sometimes sensitive information.