The data security program requirements of the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) come into effect on March 21, 2020. (The SHIELD Act’s changes to the state’s breach notification requirements were effective as of October 23, 2019.)

This should serve as a helpful reminder. The Insights Association alerted members to the SHIELD Act requirements in September 2019.

Anyone owning or licensing "private information of a New York resident" must have developed, implemented and maintained "reasonable safeguards to protect the security, confidentiality and integrity" of that data, which requires a "data security program" sporting reasonable administrative, technical and physical safeguards.

Violations will be punished by the state AG on behalf of "the people of the state of New York to enjoin such violations and to obtain civil penalties" of up to $5,000 per violation.

Marketing research and data analytics companies and organizations should review the details of the SHIELD Act requirements, review Insights Association guidance on data security. Further, IA company members should adopt the ISO 27001 Information Security standard, line up some professional liability insurance, and get help with customized cybersecurity solutions.

This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.