On January 24, 2022, New York Attorney General Letitia James announced a $600,000 settlement agreement with EyeMed Vision Care, a vision benefits company, stemming from a 2020 data breach compromising the personal information of approximately 2.1 million individuals across the United States, including nearly 99,000 in New York State (the “Incident”).

This settlement was the

Over the past several years, if your organization experienced a cyberattack, such as ransomware or a diversion of funds due to a business email compromise (BEC), and you had cyber insurance, you likely were very thankful. However, if you are renewing that policy (or in the cyber insurance market for the first time), you are

Increased remote work due to the COVID-19 pandemic has only exacerbated privacy and cybersecurity concerns, and likely has not changed the finding in Experian’s 2015 Second Annual Data Breach Industry Forecast:

Employees and negligence are the leading cause of security incidents but remain the least reported issue.

A more recent state of the industry

On January 13, House Delegate Sara Love Introduced the “Biometric Identifiers and Biometric Information Privacy Act” (the “Act”) substantially modeled after the Biometric Information Privacy Act in Illinois, 740 ILCS 14 et seq. (the “BIPA”). Enacted in 2008, the Illinois BIPA only recently triggered an avalanche of class actions in Illinois, spurring other

The California Privacy Rights Act (CPRA), passed in November, 2020, added to the California Consumer Privacy Act (CCPA) an express obligation for covered businesses to adopt reasonable security safeguards to protect personal information. The CPRA also clarified the CCPA’s private right of action for consumers whose personal information is breached due to a failure to

Privacy and security continue to be at the forefront for legislatures across the nation, despite (or perhaps because of) the COVID-19 pandemic.  In late May, with back-to-back amendments, Washington D.C. and Vermont significantly overhauled their data breach notification laws, including expansion of the definition of personal information, and heightened notice requirements.  Now, Michigan may follow

On July 21, 2020, the New York Department of Financial Services (“DFS”) filed its first enforcement action under New York’s Cybersecurity Requirements for Financial Services Companies, 23 N.Y.C.R.R. Part 500 (“Reg 500”).    Reg 500, which took effect in March 2017, imposes wide-ranging and rigorous requirements on subject organizations and their service providers, which are summarized

On January 1, 2020 the California Consumer Privacy Act (CCPA) took effect. Largely considered the most expansive U.S. privacy law to date, there has been much anticipation over the impact the law will have on the privacy litigation landscape. Although the California Attorney General’s (“AG”) enforcement authority only begins on July 1, this has not

In the midst of COVID-19 challenges, privacy and security matters continue to be at the forefront for federal and state legislature. In late March, the Washington D.C. (“D.C.”) legislature amended its data breach notification law, with significant overhauls including expansion of its definition of personal information, updates to notification requirements and new credit monitoring obligations.

Over the past few months, businesses across the country have been focused on the California Consumer Privacy Act (CCPA) which dramatically expands privacy rights for California residents and provides a strong incentive for businesses to implement reasonable safeguards to protect personal information. That focus is turning back east as the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), becomes effective in less than two weeks. With the goal of strengthening protection for New York residents against data breaches affecting their private information, the SHIELD Act imposes more expansive data security and updates its existing data breach notification requirements.

This post highlights some features of the SHIELD Act. Given the complexities involved, organizations would be well-served to address their particular situations with experienced counsel.

When does the SHIELD Act become effective?

The SHIELD Act has two effective dates:

  • October 23, 2019 – Changes to the existing breach notification rules
  • March 21, 2020 – Data security requirements

Which businesses are covered by the SHIELD Act?

The SHIELD Act’s obligations apply to “[a]ny person or business which owns or licenses computerized data which includes private information” of a resident of New York. Previously, the obligation to provide notification of a data breach under New York’s breach notification law applied only to persons or businesses that conducted business in New York.

Are there any exceptions for small businesses?

As before the SHIELD Act, there are no exceptions for small businesses in the breach notification rule. A small business that experiences a data breach affecting the private information of New York residents must notify the affected persons. The same is true for persons or businesses that maintain (but do not own) computerized data that includes private information of New York residents. Persons or businesses that experience a breach affecting that information must notify the information’s owner or licensee.

However, the SHIELD Act’s data security obligations include some relief for small businesses, defined as any person or business with:
Continue Reading New York SHIELD Act FAQs