
New York SHIELD Act

While much attention has been focused on the new sweeping California privacy law, the California Consumer Privacy Act (CCPA), other laws governing the handling and protection of personal data by businesses have been passed without nearly as much fanfare. One such law is the New York Stop Hacks and Improve Electronic Security Data Act, also known as the SHIELD Act. Although not nearly as broad as the CCPA, the SHIELD Act may affect any person or business that collects, uses, and/or stores “private information” from a New York resident. Under the SHIELD Act, any such person or business must implement adequate security measures, set forth in the Act, to protect “private information” of New York residents. The Act also outlines the steps that must be taken by a business to notify affected individuals of any security breach in which “private information” was or is reasonably believed to have been compromised.

The SHIELD Act applies to “private information,” which means either of the following information:

• Personal information (such as a name, telephone number, or email address) when such personal information is coupled with other identifying information such as a social security number, driver’s license or state ID number, credit or debit card number (in combination with a security code, access code, password, or other information that would permit access to the account), or biometric information; or

• A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

The SHIELD Act requires persons and businesses who collect, use, and store “private information” to implement a data security program with the following components:

• Administrative safeguards – such as designating one or more employees to coordinate the security program; identifying reasonably foreseeable risks; assessing the sufficiency of the safeguards in place; training and managing employees in the security program; selecting adequate service providers capable of maintaining adequate safeguards; and adjusting the security program in light of business changes;

• Technical safeguards – such as assessing risks in network and software design and information processing, transmission and storage; detecting, preventing, and responding to attacks or system failures; and regularly testing and monitoring the effectiveness of key controls, systems, and procedures; and

• Physical safeguards – such as assessing risks of information storage and disposal; detecting, preventing, and responding to intrusions; protecting against unauthorized access to or use of private information; and disposing of private information within a reasonable amount of time when it no longer has a business purpose by erasing it so it can no longer be read or reconstructed.

A person or business covered by the SHIELD Act must report a breach of the security of the system to the affected individuals. A breach of the security of the system includes unauthorized access to, as well as unauthorized acquisition of, the private information. Such notice must be made “in the most expedient time possible” and “without unreasonable delay.” In addition, any breach that affects 500 or more New York residents must be reported to the NY State Attorney General within ten (10) days of a determination that a breach has occurred.

Compliance with the SHIELD Act is enforced by the NY State Attorney General. Failure to comply with the Act may result in injunctive relief and penalties up to $5,000 per violation for failure to implement appropriate data protection and up to $250,000 for failure to provide proper notice in the event of a data breach.

Takeaway: As the SHIELD Act applies to all persons and businesses who collect, use, or store private information of any New York residents, such persons and businesses are encouraged to take data protection seriously and implement the proper protections and training necessary to assure compliance with the Act, as well as other data privacy laws that may be applicable.
