March 23, 2020 (updated 24 Mar 2020 10:27am)

New York SHIELD act: Patchwork legislation could create “competing requirements and confusion”

By Ellen Daniel

As of March 21, New York State has passed new, more stringent data privacy regulations, in the form of the Stop Hacks and Improve Electronic Data Security Act, otherwise known as the SHIELD act.

The SHIELD act broadens the scope of information covered under the notification law in order to “keep pace with current technology”, according to the New York State Senate.

What are the requirements of the SHIELD act?

The new requirements of the SHIELD act started being implemented back in October 2019, but as of March 21, all four new requirements are now in place.

The state’s existing data breach notification law has been expanded to cover new forms of data and bring in stricter reporting requirements if data is mishandled. Under the new law, any business with private information on a New York resident, not just those that “conduct business” in the state, will have to notify users of a data breach or instance of data mishandling.

It also broadens the definition of a data breach to include an unauthorised person gaining access to information and sets out requirements for “reasonable data security, provides standards tailored to the size of a business, and provides protections from liability for certain entities”.

The law also expands what is included in “private information” to include biometric data, and email addresses or user names in combination with a password or security question answer.

According to Lexology, fines for not complying with the new regulations will be $20 per “instance of failed notification”, up to $250,000, and up to $5,000 per violation, with no cap in certain circumstances.

State-by-state regulation

This comes after the introduction of the California Consumer Privacy Act (CCPA), which was passed in 2018 and came into effect in January 2020. The CCPA gives Californians greater rights when it comes to their data, giving individuals the right to know if data is being collected about them, whether it is being sold, and the ability to bar organisations from selling their data.

The notable lack of federal privacy laws in the US has attracted attention, with some speculating whether General Data Protection Regulation (GDPR) style regulation will ever be introduced across the whole country.

Last year, 51 tech CEOs sent a letter to Congress on behalf of the Business Roundtable (a non-profit association made up of CEOs from US companies), calling for a “comprehensive federal consumer data privacy law”.

However, at the same time some parts of the tech industry have lobbied against privacy legislation such as the CCPA, fearing that it may create significant regulatory hurdles.

The introduction of more legislation by New York could indicate that more states will follow suit with their own privacy rules, but while businesses that are already compliant with GDPR and CCPA will not be affected by the new laws, some in the industry are concerned that legislating on a state-by-state basis could lead to a patchwork of laws across the country.

“Competing requirements and confusion”

Chad McDonald, VP of Customer Experience at Arxan said:

“Barring any federal legislation that would apply privacy protections across the US, the SHIELD act is another state’s attempt at protecting their own citizens. SHIELD should have no material impact on those organisations that are already in compliance with GDPR and CCPA. This is largely one more that will likely be a state-by-state expansion of privacy protections. Notably SHIELD does expand notification requirements beyond the capture of personal information, to also include access to that information. In this regard, expect to see a spike in breach notifications once SHIELD takes effect.

“For those organisations involved in our election process, SHIELD will likely be impactful. Reporting requirements surrounding campaign donations from or communications with foreign sources will be tracked at the state level. SHIELD requires some level of rigor in ensuring that broadcasters prevent foreign sources from purchasing campaign advertising as well. This section of the legislation, while critical to helping ensure fair and honest elections, should not impact the majority of organisations.

“Ultimately, SHIELD is another piece of legislation filling the void left with our continued lack of federal protections for personal information. The US continues to trail here affording more rights to corporate America than to the individual. Until federal protections are in place, expect to see more legislation at the state level with the risk being in competing requirements and confusion.”
