NY SHIELD Act, information privacy, New York state

Does your business have New York state residents as customers?

Then you must take “reasonable” cybersecurity measures to protect any private information you collect or hold regarding those customers. A new law, called the “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act), took effect two weeks ago.

The Albany Business Review reported that even small businesses, defined as those with fewer than 50 employees, less than $3 million in gross annual revenue, or less than $5 million in total year-end assets, must abide by this new law. It requires small businesses to take “reasonable safeguards” to protect customer data. A copy of the law is here.

If a business with New York residents as customers suffers a breach, the business must comply with several notification requirements. Those requirements include “conspicuous posting of the notice on such business’s web site, if such business maintains one; and notification to major statewide media” as well as notifying the New York Attorney General and the New York State Police and, of course, affected customers.

Violating the law could bring an injunction from New York’s Attorney General, and the imposition of a maximum fine of $250,000. The new law takes effect March 22, 2020.

If you think you need help complying, give us a call.