Senate Protects New Yorkers’ Private Data

(Albany, NY) Today, the Senate will pass the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). This bill, S.5575-A, sponsored by Senator Kevin Thomas, Chair of the Consumer Protection Committee, will return control of personal data to New Yorkers and require businesses to put customers’ privacy over profits. Specifically, the SHIELD Act will broaden the definition of a data breach, expand the scope of information subject to current data breach notification laws, and empower the Attorney General to bring action over privacy violations.

“Technology is evolving at an ever increasing pace, and government needs to step up to protect New Yorkers’ privacy and personal data,” Senate Majority Leader Andrea Stewart-Cousins said. “Consumers deserve the peace of mind of knowing that their personal information isn’t being disseminated without their consent. The SHIELD Act will provide expanded protections for New Yorkers to safeguard private data as technology continues to progress. I applaud Attorney General Tish James for her work on this legislation, and Senator Thomas for holding a hearing on this important issue and advancing this bill to help make New York State a leader in securing private data.”

Chair of the Consumer Protection Committee and Bill Sponsor, Senator Kevin Thomas said, “It is critical that our laws keep pace with the rapidly changing world of technology. The SHIELD Act raises security standards so that no more New Yorkers are needlessly victimized by data breaches and cyber-attacks. This legislation serves as a collaborative approach to privacy and consumer protection that will set the standard for New York and the rest of the nation.”

The SHIELD Act, S.5575-A, will:

  • Expand the scope of information subject to the current data breach notification law to include biometric information, email addresses and their corresponding passwords or security questions and answers, and protected health information as defined under HIPAA.
  • Broaden the definition of a data breach to include unauthorized access to private information. It applies the notification requirement to any person or entity with the private information of a New York resident, not just to those that conduct business in New York State.
  • Update the notification procedures companies and state entities must follow when there has been a breach of private information.
  • Create reasonable data security requirements tailored to the size of a business and provide protection from liability for certain entities that take steps to verify their safeguarding of private information.
