Legislation Tracker

New York's NY SHIELD Act & What it Means for Your Business

The SHIELD Act requires any person or business owning or licensing computerized data that include the private information of a resident of New York (“covered business”) to implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information. The SHIELD Act will have far-reaching effects, as any business that holds private information of a New York resident—regardless of whether the organization does business in New York—must comply with the new law.

NY SHIELD Act 

What does the “SHIELD” Act stand for?

The SHIELD Act stands for the Stop Hacks and Improve Electronic Data Security Act, and it amended New York’s data breach notification law. The Act joined a growing list of state privacy and data security laws such as the California Consumer Privacy Act (CCPA) and Nevada Senate Bill 200 Online Privacy Law. The SHIELD Act was signed into law on July 25, 2019, expanding the state’s existing data breach law and imposing affirmative cybersecurity obligations on covered entities. The Act became effective on October 23, 2019, and the data security requirement became effective on March 21, 2020.

What is the SHIELD Act? 

The SHIELD Act requires any person or business owning or licensing computerized data that include the private information of a resident of New York (“covered business”) to implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information. 

What is under the SHIELD Act?

The SHIELD Act requires covered businesses to detect, prevent, and respond to intrusions; protect against unauthorized access to or use of private information; and dispose of private information within a reasonable time once it is no longer needed. The bill also expands the scope of information subject to the existing data breach notification law to include biometric information, as well as email addresses together with their corresponding passwords or security questions and answers. It broadens the definition of a data breach to include unauthorized access to private information. It applies the notification requirement to any person or entity holding private information of a New York resident, not just to those conducting business in New York State. It updates the notification procedures companies and state entities must follow when there has been a breach of private information. It creates data security requirements tailored to the size of a business.

Which businesses are covered by the SHIELD Act?

The SHIELD Act’s obligations apply to any person or business that owns or licenses computerized data that includes private information of a resident of New York. Formerly, the obligation to provide notification of a data breach under New York’s breach notification law applied only to persons or businesses that conducted business in New York.

Did the SHIELD Act change the notification content requirements in the event of a reportable breach? 

No; however, the SHIELD Act added some new requirements. Under the SHIELD Act, notifications must include the telephone numbers and websites of the relevant state and federal agencies that provide information on security breach response and identity theft prevention and protection. The SHIELD Act also requires that notices cover access to private information, not just acquisition. Additionally, the new law adds another requirement when notifying state agencies, including the Attorney General: in addition to the content and distribution of the notices and the approximate number of affected persons, persons and businesses must now include a copy of the template of the notice to be sent to affected persons.

What are “reasonable” data security requirements? 

Although the SHIELD Act does not mandate specific safeguards, it does provide several examples of practices that are considered reasonable administrative, technical, and physical safeguards. Examples of safeguards businesses should adopt include, but are not limited to:

Administrative Safeguards

  • Designate individual(s) responsible for security programs;
  • Conduct a risk assessment process that identifies reasonably foreseeable internal and external risks and assesses the sufficiency of safeguards in place to control those risks;
  • Train and manage employees in security program practices and procedures;
  • Select capable service providers and require safeguards by contract; and 
  • Adjust program(s) in light of business changes or new circumstances. 

Physical Safeguards

  • Assess risks of information storage and disposal;
  • Detect, prevent, and respond to intrusions;
  • Protect against unauthorized access to or use of private information during or after collection, transportation, and destruction/disposal; and
  • Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes.

Technical Safeguards

  • Assess risks in network and software design;
  • Assess risks in information processing, transmission, and storage; 
  • Detect, prevent, and respond to attacks or system failures; and 
  • Regularly test and monitor the effectiveness of key controls, systems, and procedures. 

NEW YORK RESIDENTS:

Do Residents have rights over their personal information under the SHIELD Act?

No, unlike the CCPA, the SHIELD Act does not create affirmative rights for New York residents. For example, natural persons residing in California (“consumers”) have the right to request that businesses covered by the CCPA delete their personal information. There is no such right under the SHIELD Act.

Do Residents have a private right of action under the SHIELD Act?

No, the SHIELD Act does not create a private right of action. In other words, a New York resident who believes that a business subject to the SHIELD Act failed to comply with the law’s data protection requirements and caused them harm cannot sue the business under the SHIELD Act. However, the individual might be able to sue under theories of negligence or breach of contract.

Are there penalties for failure to comply?

Yes, although the SHIELD Act does not authorize a private right of action, the Attorney General may bring an action to enjoin violations of the law and obtain civil penalties. 

For data breach notification violations, businesses can be subject to damages. For knowing and reckless violations, a court may impose penalties of the greater of $5,000 or up to $20 per instance, with a cap of $250,000. For violations of the reasonable safeguard requirement, a court may impose penalties of not more than $5,000 per violation.

The SHIELD Act will have far-reaching effects, as any business that holds private information of a New York resident—regardless of whether the organization does business in New York—must comply with the new law.