General Data Protection Regulation

What would companies need to do to comply with the law?

The Stop Hacks and Improve Electronic Data Security (SHIELD) Act imposes requirements in two areas: cybersecurity and data breach notification. The cybersecurity provisions of the proposed SHIELD Act would require companies to adopt “reasonable safe-guards to protect the security, confidentiality and integrity” of private information. The Act provides examples of appropriate administrative, technical, and physical safeguards, such as designating an employee to oversee the company’s data security program; identifying “reasonably foreseeable” risks to data security; selecting vendors that can maintain appropriate safeguards; detecting, preventing and responding to attacks and system failures; and preventing unauthorized access to private information. 

In November 2017, New York Attorney General Eric Schneiderman introduced the Stop Hacks and Improve Electronic Data Security (SHIELD) Act (the “Act”) in the state’s Legislature. Companies – big and small – that collect information from New York residents should take note, as the Act could mean increased compliance costs, as well as potential enforcement actions for those that do not meet the Act’s requirements. This blog post provides a breakdown of the essential components of the SHIELD Act and information on how to comply with this potential new law.

In 2017, there are few words that make companies – and their counsel – shudder more than “data breach.” Recent high-profile breaches and the resulting litigation have shown that breaches can be embarrassing, harmful to a company’s brand, and extremely expensive to handle – both in terms of response costs and, potentially, damages paid to the affected individuals, third parties, and regulators. As headline-grabbing security incidents increasingly become a fact of life, litigators need to develop familiarity with the issues associated with data breaches so they can be prepared to walk their clients through the aftermath. This is the first in a series of blog posts about what commercial litigators need to know about data breaches.