Does the SHIELD Act Cover Your Business and Are You Ready?

Does the SHIELD Act Cover Your Business and Are You Ready?

As we have previously written, the privacy and security requirements of the New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) are effective as of March 21, 2020. The SHIELD Act implements broad new data security requirements for all businesses that have the private information of New York residents, and reaches beyond New York’s own borders to compel companies – including companies that do not do business in New York – to take affirmative steps to protect the personal and private information of New York residents that the company may be collecting or storing. Initially, the SHIELD Act expands the definition of “private information” that must be safeguarded to include any information that can be used to identify a person, in combination with a social security number, a driver’s license number, a financial account number, or biometric information. Separate and apart from these “data elements,” the definition of “private information” also now includes “a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.” Second, the SHIELD Act applies to any company that possesses the private information of even a single New York resident...

States Step Up Data Privacy and Security Regulation

States Step Up Data Privacy and Security Regulation

State legislatures from California and New York have taken action to respond to rising privacy concerns by enacting legislation to protect consumers and their personal information, and the New Jersey legislature is actively working to pass similar legislation to enhance the privacy and security obligations applicable to personal information obtained from New Jersey consumers. This legislation typically requires businesses to inform residents of certain rights regarding the collection or sale of their personal information and to provide notice to residents if a security incident at the company involves their personal information. As deadlines quickly approach for the enforcement of these laws, it is important for businesses to take action now and revisit privacy, security, and storage practices, as well as the associated policies for maintaining appropriate data privacy and security throughout the organization. The California Consumer Privacy Act (CCPA), which takes effect January 1, 2020, accords significant new privacy rights to consumers and imposes corresponding new requirements on businesses. In general, the CCPA mandates businesses to implement procedures to provide notice to consumers at or before the collection of personal information, to respond to consumers’ requests for the production or deletion of their collected information or to opt-out from its...