Businesses holding New Yorker’s sensitive data must comply with the standards set by the legislation. The standards apply to any entity doing business in New York or not. The attorney general said the standards are “sensible, and commensurate with the sensitivity of the data retained and the size and complexity of the business.”
Additionally, the SHIELD Act will also expand the type of data that trigger reporting requirements. The triggers include username and password combinations, biometric data, and HIPAA-covered health plan.
Furthermore, the legislation will provide strong incentives to companies with the highest standards of data security measures. Companies must obtain independent certification indicating they meet the highest data security standards. As incentive, companies will receive safe harbor from state enforcement action.
