Companies that own or license electronic private information of New York residents, even if they do not operate or conduct business in New York, are now subject to “reasonable security” requirements pursuant to New York’s first data security law, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. The law also updates data breach notification requirements, expanding the definition of breach to include even unauthorized access to – not acquisition of – private information. In this first installment of our two-part article series covering the SHIELD Act, we explore its requirements and definitions. Part two will include guidance on how to comply with the Act and what the future of enforcement in New York and beyond looks like. See also “The Hidden Requirements in NYDFS’ Cybersecurity Regulation” (Oct. 24, 2018).