What New York’s New Data Breach Notification Law Means for Interactive Media Companies

Last July, consumer-rights advocates rejoiced when the New York State Assembly passed the Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act). Following a nationwide trend to strengthen online consumer protections, the SHIELD Act made three major changes to the state’s data breach notification law. These changes directly impact businesses that collect personal information from the state’s residents – even if the company itself is outside the state.

The first two changes were to broaden the statutory definitions of private information and security breach, which went into effect last month. The third change was to impose a reasonable security standard on entities that maintain data of the state’s residents, which is set to go into effect March 2020. This post will briefly address the changes from the state’s old breach notification law and the first two changes as they apply to interactive media companies. A subsequent post will examine the third change.

What’s so different from the old data breach notification law?

Originally, like most states, the breach notification statute applied only to businesses that operate within the state. Under the SHIELD Act, any company that collects personal information from a New York resident will be subject to the Empire State’s regulatory arm.

The specific language of the statute is that any company or individual “that owns or licenses computerized data which includes private information of a resident of New York” will be subject to the new breach notification requirements. For companies that have an extensive online presence, this means wading into an expansive web of state-government regulation, and with it increased compliance costs.

SHIELD is especially challenging for companies that derive their primary source of revenue from providing free access to their content in exchange for users’ personal information and selling that data to other companies for advertising and marketing purposes. Those companies may never set foot in the states their users access content from, and yet SHIELD subjects the companies to the state’s breach requirements.

Does being subject to a breach notification law affect online media companies?

In a field where technology is constantly evolving, online media and gaming companies are ripe targets for cyber criminals eager to plunder users’ personal information for two primary reasons. 

First, some of these companies are in the business of collecting and selling data and constantly finding new ways to gather that information. Second, innovation in collection methods outpaces implemented security measures to protect that data. Hackers take advantage of that flaw, and are constantly finding ways to penetrate existing security protocols. 

Just earlier this year, Zynga was the subject of a massive data breach. Though users’ financial information was not at risk, users’ names, email addresses, logins, phone numbers, and social media sites were illegally accessed. This resulted not only in reputational harms, but also in actual economic loss for the company.

So, how do SHIELD’s changes affect these companies?

  1. Expanding the elements that trigger notification requirements

SHIELD requires companies to notify individuals when their private information is breached. The statute defines private information to be personal information (information concerning a natural person) in combination with any one of the enumerated data elements. 

Traditionally, these elements were SSNs, driver’s license numbers, and more typical financial account numbers. However, SHIELD extends those data elements to include “user name[s] or email address[es] in combination with a password or security question and answer that would permit access to an online account.” In the Zynga example above, this amendment would subject that company to the notice requirements of SHIELD, and with it increased costs of doing business.

Though companies like Zynga may have been subject to N.Y.’s breach notification requirements before SHIELD for other reasons (i.e. operating within the state), smaller start-up companies trying to break into the market may now be subject to a tremendous burden of insuring against a breach, knowing proper compliance measures, and being on the hook for notification costs should such an event occur. 

  2. Broadening the statutory definition of a breach

Under SHIELD, a breach is now considered unauthorized acquisition or access. This change greatly widens the zone of notifiable breaches. The former law in New York required notification only if information was actually acquired.

In addition, SHIELD imposes an obligation to investigate. Companies that believe their information has been accessed may not be subject to the breach notification requirements so long as a certain litany of factors is considered. This requirement still leaves the company responsible for investigating the unauthorized access; however, it raises the question of how access poses the same dangers to consumers as acquisition of their personal information so as to warrant notification.

Regardless, companies whose primary function is to collect user information must guard it, for fear of having to incur the cost of notice any time such information is impermissibly accessed.

The third major change—requiring reasonable security procedures—will be discussed in a subsequent post.

Trey Ferguson

Trey is a current law student at Campbell University's School of Law, where he is a teaching scholar for the first-year writing course and a member of the Campbell Law Review. As a former high school math teacher, Trey is a self-admitted math nerd. Follow him on Twitter or connect with him on LinkedIn.
