On July 25, the Governor signed into law Senate Bill 5575, the “Stop Hacks and Improve Electronic Data Security Act” (the SHIELD Act), which had passed the Legislature on June 17, 2019. The SHIELD Act was originally proposed in the 2017-2018 session, but died in committee. It returned with gusto in 2019: proposed in the Legislature in February and passing both houses in a little more than four months.
The SHIELD Act does two things, primarily: It amends New York’s data breach notification statute, General Business Law §899-aa to update its definitions, and also creates a new §899-bb requiring substantive data security controls of any person or business that owns or licenses computerized data including the defined “private information” of a New York resident. In doing this, New York has brought itself into line with a number of states concerning how they define a data breach, and, where applicable, what substantive security controls they require. The SHIELD Act also adopts the approach of several states, including Massachusetts, Florida, and Nevada, which purport to extend their jurisdictional reach to any person or business, anywhere in the world, that owns or licenses data concerning a resident of that state. In this regard, New York has converted §899-aa into, and created a new §899-bb that functions as, a possession statute: If you process computerized private information concerning a New Yorker, you now fall under the statute’s requirements.
