Private Data Protection – New York’s SHIELD Act
Following the adoption of California's Consumer Privacy Act, nine more states - Illinois, Maine, Maryland, Massachusetts, New Jersey, New York, Oregon, Texas, Washington - have recently passed legislation to protect private information.
Signed by Governor Cuomo on July 25, New York's "Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)" defines what constitutes a data breach and spells out notification responsibilities of the entity breached. The law also prescribes the "reasonable safeguards" - administrative, technical, and physical - that must be taken to protect data, which include disposal of "private information within a reasonable amount of time after it is no longer needed for business purposes."
Perhaps the law's chief shortcoming is that it expressly excludes a "private right of action" as consumer's recourse for breaches. Suits on behalf of consumers must be taken up by the Attorney General's office.
These state laws are powerful reasons to examine your organization's data security program, in particular its ability to provide protection for private information.
The full text of the New York law can be found here: https://www.nysenate.gov/legislation/bills/2019/S5575