On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act” or the “Act”), which expands data breach notification obligations under New York law and for the first time imposes affirmative cybersecurity obligations on covered entities.

The Act makes five principal changes to existing New York law:

  1. Expanding the law’s jurisdiction to entities that maintain private information of New York residents, regardless of whether or not such entities actually conduct business within the State;
  2. Broadening the scope of “private information” triggering notification obligations in the event of a breach, including to biometric data;
  3. Expanding the definition of a “breach” to include unauthorized “access” to private information, in addition to unauthorized “acquisition” of such information;
  4. Increasing civil penalties for violations of notification obligations; and
  5. For the first time, affirmatively requiring covered businesses to develop, implement, and maintain “reasonable” data security safeguards, which include, among other things, conducting risk assessments and addressing identified risks.

The first four provisions go into effect on October 23, 2019, while the fifth provision requiring companies to adopt and maintain a cybersecurity compliance program becomes effective on March 21, 2020.

Please click here to read the full alert memorandum.