New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) went into effect on March 21.
In order to “keep pace with current technology”, the SHIELD Act, signed into law last July, broadens the scope of information covered under the notification law.
The act expands the definition of “private information” to include:
- A username or email address in combination with a password or security question and answer that would permit access to an online account;
- Financial account numbers in circumstances where the information can be used independently to access an individual’s account; or
- Biometric information, which includes fingerprints, voice prints, retina or iris images, or other unique physical representations or digital representations of biometric data that are used to authenticate or ascertain the individual’s identity.
The act also expands the definition of a covered data breach to include:
- “Access to,” in addition to acquisition of, computerised data that is detrimental to the security of private information.
In addition, SHIELD broadens the list of factors considered by covered businesses when evaluating a data breach to include “indications that the information was viewed, communicated with, used, or altered by a person without valid authorisation or by an authorised person.”
Companies found violating the SHIELD Act can be subjected to a penalty of up to $5,000 per violation.
The SHIELD Act comes after the California Consumer Privacy Act (CCPA) came into effect in January. CCPA is currently the strictest privacy law in the US and represents a significant step forward in data privacy protections.