New York passed a cybersecurity and data breach law, effective October 23, that extends many cybersecurity requirements not only to businesses operating in New York but also to those operating outside of the state. The SHIELD Act, as it is called, expands the scope of the current law by requiring covered entities to adopt a comprehensive data protection program and comply with additional data breach notification requirements.
The SHIELD Act expands the definition of private information to include biometric information and bank account or credit/debit card numbers, regardless of whether a password or security code is associated. Private information now also includes a username or email address in combination with a password or security question that would allow someone to access an online account.
The compliance requirements have also been expanded. If a business is not defined as “small”, it must designate and train employees to be responsible for compliance; require that any third-party providers be capable of maintaining cybersecurity practices, with this requirement written into the contract; perform risk assessments and monitor the effectiveness of the cybersecurity program; have safeguards in place to respond to attacks or failures; have processes for the disposal of private information; and update the cybersecurity program.
Obviously, franchisors and franchisees operating in New York must review the components of the SHIELD Act to ensure compliance. Moreover, employers who are not located in New York may still be required to comply with the SHIELD Act if they solicit or accept applications from a New York resident and private information is part of this process. This is one area in particular where the Act could impact a non-New York franchisor. Many franchisors accept franchise applications from across the country, including from residents of New York. Although the franchisor may not be defined as an employer, it is a good practice for franchisors to review their cybersecurity systems to ensure compliance with the New York SHIELD Act. Moreover, any franchisees operating in this state must review the components to ensure they are following the Act.
Cybersecurity issues and data privacy laws are only going to become more complex, and the cost of compliance will likely increase. At the same time, this is a small price compared to the possible issues should there be a breach.