What Virginia Businesses Need to Know About the NY State SHIELD Act

What Virginia Businesses Need to Know About the NY State SHIELD Act

Over the past year, a lot of businesses have put a strong focus on the California Consumer Privacy Act, also commonly referred to as the CCPA. This act aims to expand privacy rights for residents of California and to improve safeguards for the protection of personal information. And while the CCPA does impact lots of businesses, it’s important not to forget the new SHIELD Act that recently went into effect.

What Is the SHIELD Act?

The SHIELD Act stands for the Stop Hacks and Improve Electronic Data Security Act. This act is meant to enhance the personal information protection standards of New York residents, helping them to avoid data breaches. Thanks to the SHIELD Act, businesses now have to implement more secure data practices and be more up to date on the data breach notifications they send out.

Why Should Virginia Businesses Care About the SHIELD Act?

Just because you operate a business that doesn’t have a physical brick-and-mortar store in New York doesn’t mean you should avoid trying to meet the requirements of the SHIELD Act. In fact, if you serve customers in New York or offer your services to residents of New York, then it’s all the more important that you do all that you can to adhere to the standards laid out in the SHIELD Act. According to the act itself, its standards and requirements are applicable to any person or company that owns or licenses computerized data (like private information) of a person that resides in New York.

It’s very important to note that there are very few exceptions to the SHIELD Act, and this applies even to small businesses. So, if you’re a freelancer or solo entrepreneur operating a small company or brand, you still need to be aware of the SHIELD Act if you intend to sell services or products to any person residing in the state of New York. The only exceptions to the act are as follows:

1. You have fewer than fifty employees;
2. You do less than three million dollars in gross annual revenue and this must apply for each of the last three fiscal years; or
3. You do less than five million dollars in year-end total assets and this must be calculated according to accounting principles that are generally accepted.

What Changes Does the SHIELD Act Bring About?

The SHIELD Act itself made several changes to “New York’s data breach notification statute, New York General Business Law (GBL) §899-aa.” These changes include the following:

1. Adding an exemption to the individual notice requirement for “inadvertent disclosure,” GBL §899-aa(2)(a)
2. Broadening the definition of “breach” to encompass “access” in addition to acquisition when it “is reasonably believed” that the “information was viewed, communicated with, used, or altered,” id. §899-aa(1)(c)
3. Broadening the legal definition of “private information” (that is subject to a breach notice and data security requirement) to also include “account number, credit or debit card number … without additional identifying information, security code, access code, or password,” biometric information, and “a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account,” id. §899-aa(1)(b)
4. Imposing additional “reasonable” data security requirements on businesses, which requires the implementation of a statutorily compliant data security program for companies not otherwise regulated, id. §899-bb(2); and
5. Expanding the geographical scope of the statute to cover any company that “owns or licenses computerized data which includes private information of a resident of New York,” id. §899-bb(2)

Final Thoughts

Staying in compliance with the SHIELD Act shouldn’t overwhelm you, but if you’re a business that’s never dealt with the Act before, then it’s pertinent to ensure you are in compliance. Want to make sure your company is in compliance with the SHIELD Act? If so, contact The HelpDesk Company today.