Arizona businesses should be aware of a recent act initiated in New York that looks to change the way companies approach security practices nationwide. The Stop Hacks and Improve Electronic Data Security Act, also known as the SHIELD Act, broadens the scope of consumer privacy and places requirements on protecting personal data for organizations that collect information on residents. The act went into effect on March 21 in New York and is now expected to make waves throughout the country, as companies of all sizes consider changes to the way they secure and transmit private data and sensitive consumer information. Read the full wording of the SHIELD Act here.
The SHIELD Act – A Summary of the New Act
An amendment to New York state’s data breach notification law, this act significantly expands the scope of data security protection and consumer privacy in the following ways:
- The act changes data security requirements so that they are now relative to the size of the business.
- The act expands the meaning of data breach so that it now also includes unauthorized access to private information.
- The act broadens the current data breach notification law so that information subject to the act now includes biometric information, email addresses, and passwords for each.
- The act requires an update to how companies and states notify individuals when there is a major breach of information.
- The act now requires that notifications be given to any person whose private information was breached, even if they are not a resident of New York state.
What does this mean for Arizona businesses?
As we consider the effects of the SHIELD Act for Arizona businesses, it’s prudent to look at point #5 above: the requirement that extends the bill’s reach to any businesses that collect or maintain private information outside of New York state residents. Basically, any major business that collects Personally Identifiable Information on New York residents will have to follow the rules of the SHIELD Act. To be in compliance, companies will have to implement several data security practices outlined in the bill. Many businesses with a multi-state client base will be subject to this requirement. It’s also important to remember that all requirements and evaluated compliance will be tailored to business size and scope.
Furthermore, many states will look to New York’s SHIELD Act as an example of how to expand their own data breach notification laws. Other states, Arizona specifically, can likely expect to see similar legislation passed in due time as the outcomes of the SHIELD Act become more apparent.
Companies that do not comply with the existing SHIELD Act in New York can expect to be met with fines, again based on company size and scope. To avoid penalties, companies should implement the requirements of the SHIELD Act, including quality cyber hygiene practices, monitoring and reporting measures, thorough asset inventories and expert cybersecurity practices.