Skip to main content

New York Gets New Cybersecurity Law

New York State recently passed the ‘Stop Hacks and Improve Electronic Data’ Security Act (SHIELD Act) and is set to go into effect by October 23rd of this year.

This will likely be a serious financial boost to the cybersecurity sector, more directly to the breach and attack simulation testing companies. 

The SHIELD law applies to employers with information about New York residents to implement cybersecurity measures for the data and to report data breaches. The sole purpose is to protect New York residents from exposure to hackers, through holding employers responsible.

 This comes at the same time that New York city companies are facing an onslaught of cyber threats never seen before. With the collateral damage on the rise, these new laws represent a shift in how companies that have undermined the importance of security to their users’ and customers’ privacy until now. 

What SHIELD will mean

New York’s SHIELD Act will, like the GDPR, define the boundaries, requirements, and consequences for companies those falling under the jurisdiction. Companies with security systems will now need to practice better testing standards and evaluation tools. Any business without security systems and practices will be forced to adopt an entire secure infrastructure.

SHIELD goes on to explains what counts as a data breach, for example ‘access to data’ will gain a wider definition and will now include the ability to view data without being able to download or steal copies, a huge change. The SHIELD act clearly refers to recent events such as the Cambridge Analytica fiasco and the Equifax disaster. SHIELD goes further than this though, charging companies with doing a 360 due diligence including the ways to test and assess risk, designating roles for company security, and developing improved technical frameworks for security. 

Facts on SHIELD:

  • The deadline for data protection programs is March 21, 2020, but data breaches must be recorded starting October 23, 2019.
  • This Act adds to the existing New York’s data breach law.
  • The SHIELD Act expands data elements to include not only social security number and driver’s licenses, but to biometric information, bank account numbers, and payment information.

Who is the Act for?

Compliance is required from any employer who falls under the act’s definition of a business, small or large, and who possesses computerized data of New York residents.

SHIELD is indicative of a new age in cyber protection with both enforcement and consequences clearly outlined. It is a true step away from ambiguous language and protection when it comes to data protection. Although the majority of states have some data privacy laws, they are deliberately vague, which allows companies to skirt around the laws.