New Cybersecurity and Privacy Law in New York Affects Employers in New York and Beyond

Tue, 10/08/2019 - 14:20

The SHIELD Act will impose substantial new obligations on any employer with an employee residing in New York State, as well as on many employers across the country that conduct online hiring.

Takeaways:

  • Regardless of their location or size, employers that receive, collect or otherwise possess private information about New York residents must comply with the New York SHIELD Act.
  • Even employers with no New York employees may trigger coverage based on information collected through their online hiring processes.
  • Employers with such data must adopt cybersecurity data safeguards that comply with the provisions of the SHIELD Act and are subject to notification requirements in the event of a data breach.

New York recently passed a new cybersecurity and data breach law that is scheduled to go into effect on October 23, 2019. The Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) applies to “any person or business that owns... computerized data which includes private information,” as defined in the Act, regardless of corporate structure, revenues, or location. The Act subjects many businesses outside of New York to new cybersecurity and data privacy compliance obligations, beyond those of the jurisdictions in which the business may be based. The Act also broadens the scope of New York’s current data breach notification and private data protection laws in two ways: (1) covered entities are required to adopt comprehensive data protection programs to safeguard “private information,” and (2) covered entities must comply with heightened data breach notification requirements.