The Definitive Guide to the New York Shield Law

by Noah Ramirez, JD / CIPP

Every day, we share personal information about ourselves online when we pay bills, connect with friends on social media sites, and even when we are just browsing. The sheer volume of information that is shared, plus the proliferation of identity theft, data hacking, and other fraudulent activity, has led to the enactment of many data privacy laws designed to regulate how personal information is collected, shared, and stored.

The most comprehensive data protection legislation enacted to date is the General Data Protection Regulation, which went into effect on May 25, 2018, and covers the treatment of personal data collected from people who live in the European Union. All 50 U.S. states have some form of data protection legislation in place. The most comprehensive to date has been the California Consumer Privacy Act, passed in 2018 and set to take effect in January of 2020. The California statute provides data protection on a par with the GDPR to residents of that state.

On July 25, 2019, the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) was signed into law, and is set to go into effect in March of 2020. The introduction of the SHIELD Act to the legislature came in response to a report showing a 60% increase in data breaches in New York in 2016. Just weeks prior to the introduction of the SHIELD Act, Equifax, one of the largest credit reporting agencies in the country, had reported a breach that affected over 8 million New York residents.

The SHIELD Act amends New York’s existing data breach law, General Business Law §899aa, requiring anyone who conducts business in New York to notify the data subjects whose personal information they collect or store of any unauthorized disclosure of that information. The new law also creates a new §899bb, which defines new requirements for the protection of personal information.

The key elements of the SHIELD Act are:

Data Breach Procedures

The current General Business Law 899aa is amended to expand the definition of “personal information” to include a data subject’s name, address, email address, phone number, credit card numbers, social security numbers, passwords and/or security questions that could be used to gain access to financial accounts, and biometric information, such as fingerprints and retina scans.

The definition of “data breach” is also expanded to include not only the unlawful acquisition of personal information but any unlawful access to personal information by unauthorized parties outside of the organization.

Any entity that holds the personal information of a New York resident is required to notify the resident of any security breach immediately upon discovering the breach. Notice may be given by postal mail or telephone, or by electronic communication if the resident has previously given permission for such communications. Notice must also be given to the state attorney general and the state police. If the cost of individual notification is prohibitive (over $250,000), alternate forms of notification, such as posting on the website and publication through news media outlets, may be allowed.

Application of the Law

Perhaps the greatest change brought about by the SHIELD Act is the scope of its application. The previous data protection law applied only to companies doing business in New York. Under the SHIELD Act, any company that holds the personal information of a New York resident is subject to the state’s data protection law, regardless of the company’s location. This follows the trend set in Europe by the GDPR and in California with the CCPA. While it may be possible for a business to exclude residents of those jurisdictions from its customer base, it may not be economically feasible to do so. As more jurisdictions enact their own data protection laws, businesses will find that the cost of compliance may be less than the revenue lost by excluding more and more potential customers. Further, it may be impossible to avoid accidentally collecting information about New York residents through the use of cookies or other automated technologies.

Small businesses with fewer than 50 employees, less than $3 million in revenues, or less than $5 million in assets may adjust their data protection policies according to their size, the nature of the business, and the type of personal information collected.

Data Security

The new General Business Law 899bb requires companies holding the personal information of New York residents to implement “reasonable safeguards” to secure such information against potential breaches. These include:

  1. Designating an employee to oversee data security.
  2. Conducting regular security risk assessments and responding to changes in circumstances.
  3. Implementing a security training program for employees.
  4. Ensuring that third-party vendors handling personal information are capable of, and contractually bound to, maintaining the security of that personal information.
  5. Implementing reasonable data retention policies.
  6. Maintaining proper physical controls over data centers.

The Next Step

Any company that operates a website is likely to reach customers in California, New York, the European Union, or other jurisdictions with strict data protection laws. It is certain that more states will be strengthening their data protection requirements as well, so any business that operates a website should be examining its data security practices. Steps should include:

  1. Assess the company’s current data security practices.
  2. Appoint a data security officer.
  3. Review the company’s current data retention policy, and create one if none exists.
  4. Assess the data security practices of the company’s current third-party vendors. Create data processing agreements for all vendors.
  5. Implement security training procedures for current employees and new hires. Restrict employee access to personal information to those who need to have such access, and have all employees sign confidentiality agreements.
  6. Review the company’s privacy policy to make sure required notices are present. Make sure the privacy policy is prominently displayed on the company’s website.

Bringing a business into compliance with new data protection laws cannot be accomplished overnight. The SHIELD Act goes into effect on March 21, 2020, giving businesses a few months to implement necessary changes in their data collection, storage, and retention policies.


About The Author · Noah Ramirez, JD / CIPP

Noah is an Osano staff attorney focusing on data privacy best practices, legislative monitoring, and policy monitoring. When he's not writing about or researching data privacy, Noah enjoys rock climbing and yoga.