Last summer, Governor Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which requires all businesses and organizations in possession of electronic personal information about any resident of New York State to safeguard that information by March 21, 2020; the Act also expands requirements for reporting data breaches.
Attorney Jay L. Hack of the Manhattan law firm Gallet Dreyer & Berkey, LLP regularly advises clients facing these issues, and says that co-ops and certain incorporated condominiums qualify as ‘businesses’ covered by this law, as well as by its predecessors, the General Business Law and the State Technology Law. (Hack says that it could be argued that unincorporated condominiums are not covered, but certainly their managing agents are—and as custodians of the condo’s data, they must comply.)
The existing provisions under these laws already require organizations to protect certain types of personal information, but the SHIELD Act expands on those to include not only identifying information like name and address, but also “private” information such as biometric data; health information protected by the Health Insurance Portability and Accountability Act (HIPAA); and any account number, email address, or identification number and associated password, access code, security question and answer, or other secured access information.
The Act also expands on the definition of a “breach.” Whereas previous laws determined that the unauthorized acquisition of protected data is considered a breach, the new law defines a breach as unauthorized access to the data, regardless of whether any information was in fact acquired. Under this new definition, a breach occurs whenever computerized private information is viewed by or communicated to an unauthorized person or system, and it must be reported. This amendment went into effect in October of 2019.