Key Dates on Data Security Measures
July 25, 2019 – SHIELD Act signed into law.
Oct. 23, 2019 – Revised data breach notification requirements in effect.
March 21, 2020 – Those subject to the SHIELD Act are required to adopt specific data security controls.
Who Must Comply with Data Protection Requirements?
Every employer with employees in New York must comply with the SHIELD Act. In addition, the Act extends its territorial application to businesses that do not have a New York presence but maintain the private information of New York residents. "Private information" is defined to include data elements such as social security numbers, driver's license numbers, payment card numbers, financial account numbers, biometric information, and username or e-mail address with a password that permits access to an online account.*
There are certain exemptions. Some companies that are already subject to other data security regulation, such as the Gramm-Leach-Bliley Act, HIPAA, or the New York State Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies, may be deemed compliant with the SHIELD Act. Organizations should consult with legal counsel to determine whether they meet these compliance requirements and whether this exemption may apply.