Back in July, the State of New York adopted the Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act"), which operates as an amendment to New York's existing data breach notification statute. Certain parts of the SHEILD Act become effective today:
- The breach notification provisions formerly applied only to those conducting business in New York. Now, like many other state breach notification laws, the statute applies to any person or business that owns or licenses private information of a New York resident.
- A security breach will now include unauthorized "access" of computerized data that compromises the security, confidentiality, or integrity of private information, which is intended to include most ransomware. ("Acquisition" of data is no longer required.)
- "Private information" will now include biometric information, as well as a username/email address in combination with a password or security questions and answers, and account numbers (including credit/debit card numbers) even without a password or code if the account could be accessed without a code.