New York SHIELD Act (S.5575B/A.5635) Deadline Oct 23

The arrival of colonists from both the Netherlands and England in the mid-1600s marked a tragic end to Native Americans living in New York despite their SHIELDS.

In New York political circles it’s called the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. Unless I’m reading that sentence wrong, it should be called the SHIELDS Act.

Leaving off the last S is kind of ironic, when you think about an act meant to prevent people from leaving off security.

In any case, S.5575B/A.5635 was meant to impose stronger regulations to force notification of security breaches for any New York resident’s data. Passed July 25th this year (three days after the NY government announced a $19.2 million settlement with Equifax over their data breach), its breach notification becomes effective one week from today (240 days after passage) on October 23, 2019.

Notable changes:

  • Broader definition of a breach: unauthorized access to private information
  • Broader definition of private information: includes bank account and payment data, biometric information and email addresses with any corresponding passwords or recovery flow (security questions and answers)
  • Broader definition of whose information is protected: any NY resident no matter where their data is stored (not just business operations in NY)
  • New state government notification requirements (deadline for data protection programs is March 21, 2020, but data breaches must be recorded starting October 23, 2019)
  • “Tailored” data security requirements based on “size of a business”

The inclusion of biometric information in state data protection legislation is a huge deal in America. This recently has come to light when people realized their rights were being egregiously violated by technology companies, given Illinois regulations that already are ten years old:

As residents of Illinois, they are protected by one of the strictest state privacy laws on the books: the Biometric Information Privacy Act, a 2008 measure that imposes financial penalties for using an Illinoisan’s fingerprints or face scans without consent. Those who used the [unprecedentedly huge facial-recognition database called MegaFace] — companies including Google, Amazon, Mitsubishi Electric, Tencent and SenseTime — appear to have been unaware of the law, and as a result may have huge financial liability, according to several lawyers and law professors familiar with the legislation.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.