The NY SHIELD Act’s Impact on New York Businesses
Every New York business needs to have a data security program that is in compliance with the NY SHIELD Act as of March 21, 2020. Businesses with 50 employees or more must have a data security program that includes administrative, technical, and physical safeguards for securing the data of New York residents as prescribed by the NY SHIELD Act. The scope of the NY SHIELD Act broadens existing consumer privacy and data security protection by:
- Expanding the range of information subject to current data breach notification law to include biometric data, email addresses, passwords, and security questions/answers.
- Including unauthorized access to private information in the definition of a data breach.
- Increasing breach notification requirements to include any person with the private information of a New York resident, not just those conducting business in New York State.
- Requiring the update of procedures for notification when a breach has occurred.
- Mandating adherence to NY SHIELD Act data security requirements.
ARE YOU COMPLIANT?
Xperteks® Compliance Management Services includes a comprehensive cybersecurity assessment to identify areas of compliance risk, along with ongoing evaluations that capture changes as business operations evolve. Data security programs can be augmented with new or existing services using best-in-class security vendors, alongside evidence-based governance, risk, and compliance documentation that will satisfy any compliance audit.
Penalties for Non-Compliance
For data breach notification violations that are not reckless or knowing, a court may award damages for actual costs or losses incurred by a person entitled to notice, including consequential financial losses. For knowing and reckless violations, a court may impose penalties of the greater of $5,000 or up to $20 per instance, with a cap of $250,000. For reasonable safeguard requirement violations, a court may impose penalties of not more than $5,000 per violation.
The SHIELD Act gives New York Attorney General Letitia James the power to bring claims and seek restitution against businesses that fail to report a breach, and allows her to bring an action for injunctive relief against businesses that fail to enact reasonable data security measures.
Letitia James, NY State Attorney General, and Marcial Velez, CEO, Xperteks, January 2020