New York SHIELD Act
While much attention has been focused on the sweeping new California privacy law, the California Consumer Privacy Act (CCPA), other laws governing the handling and protection of personal data by businesses have been passed without nearly as much fanfare. One such law is the New York Stop Hacks and Improve Electronic Security Data Act, also known as the SHIELD Act. Although not nearly as broad as the CCPA, the SHIELD Act may affect any person or business that collects, uses, and/or stores “private information” from a New York resident. Under the SHIELD Act, any such person or business must implement adequate security measures, set forth in the Act, to protect “private information” of New York residents. The Act also outlines the steps that must be taken by a business to notify affected individuals of any security breach in which “private information” was or is reasonably believed to have been compromised.
The SHIELD Act applies to “private information,” which means either of the following:
• Personal information (such as a name, telephone number, or email address) when such personal information is coupled with other identifying information such as a social security number, driver’s license or state ID number, credit or debit card number (in combination with a security code, access code, password, or other information that would permit access to the account), or biometric information; or
• A user name or email address, in combination with a password or security question and answer that would permit access to an online account.
The SHIELD Act requires persons and businesses who collect, use, and store “private information” to implement a data security program with the following components:
• Administrative safeguards – such as designating one or more employees to coordinate the security program; identifying reasonably foreseeable risks; assessing the sufficiency of the safeguards in place; training and managing employees in the security program; selecting adequate service providers capable of maintaining adequate safeguards; and adjusting the security program in light of business changes;
• Technical safeguards – such as assessing risks in network and software design and information processing, transmission and storage; detecting, preventing, and responding to attacks or system failures; and regularly testing and monitoring the effectiveness of key controls, systems, and procedures; and
• Physical safeguards – such as assessing risks of information storage and disposal; detecting, preventing, and responding to intrusions; protecting against unauthorized access to or use of private information; and disposing of private information within a reasonable amount of time when it no longer has a business purpose by erasing it so it can no longer be read or reconstructed.
A person or business covered by the SHIELD Act must report a breach of the security of the system to the affected individuals. A breach of the security of the system includes unauthorized access to, as well as unauthorized acquisition of, the private data. Such notice must be made “in the most expedient time possible” and “without unreasonable delay.” In addition, any breach that affects 500 or more New York residents must be reported to the NY State Attorney General within ten (10) days of a determination that a breach has occurred.
Compliance with the SHIELD Act is enforced by the NY State Attorney General. Failure to comply with the Act may result in injunctive relief and penalties up to $5,000 per violation for failure to implement appropriate data protection and up to $250,000 for failure to provide proper notice in the event of a data breach.
Takeaway: As the SHIELD Act applies to all persons and businesses who collect, use, or store private information of any New York residents, such persons and businesses are encouraged to take data protection seriously and implement the proper protections and training necessary to assure compliance with the Act, as well as other data privacy laws that may be applicable.