ALBANY, N.Y.–In the midst of all the other challenges credit unions are dealing with, New York’s new data privacy law went into effect over the weekend.
The Stop Hacks and Improve Electronic Data Security (SHIELD) Act requires many larger businesses that store private information on a New York resident to implement and maintain reasonable safeguards to protect that data. It is expected to move institutions and consumers away from password-protected files and toward biometric security.
As CUToday.info reported here, New York has joined California, Massachusetts and Colorado in setting the data security standards.
The SHIELD Act requires implementation of an information security program to protect “private information” defined as:
- Any individually identifiable information such as name, number or other identifier coupled with social security number, driver’s or non-driver identification card number or account number, credit or debit card number in combination with any security code, access code, password or other information that would permit access to the individual’s financial account, or biometric information (such as fingerprint, voice print, retina or iris image)
- Individually identifiable information coupled with an account number, credit or debit card number if circumstances exist wherein such number could be used to access an individual’s financial account even without additional identifying information, or a security code, access code or password
- A username or email address in combination with a password or security question and answer that would permit access to an online account
Exemptions
Small businesses of fewer than 50 employees, less than three million dollars in gross revenues in each of last three fiscal years, or less than five million dollars in year-end total assets may scale their data security program according to their size and complexity, the nature and scope of its business activities and the nature and sensitivity of the information collected, National Law Review said.