On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. The law boosts the protection of consumers’ private information, and holds accountable any company that does business within the state. Although there are federal and state protections of varying strictness already in existence, the New York law will have a broader impact simply due to the size of the state. Here’s what you need to know.
On the business side, the law affects every company that has any customers in New York, whether the company is based in another state or another country. Virtually any medium- and enterprise-size company with even one New York customer needs to implement this new policy.
On the consumer side, the law affects every New York consumer. But it could affect consumers in other states, too. Here’s how: a large company would not be likely to implement separate types of privacy plans for customers in 50 different states. If a company doing business in New York has to meet the SHIELD Act’s requirements, it will simply apply all these new requirements to its consumers in New Hampshire, Oregon and everywhere else.
The full law identifies a significant number of steps a business needs to take. We highlight three important ones.
The New York State Attorney General can seek up to $250,000 for violations by a company, up from the previous statute’s $150,000. And New York means business when it comes to data security: as of August 2019, the Attorney General’s office has levied fines of more than $600 million related to data breaches, based on existing statutes. It has also announced multiple high-profile breach investigations.