The Definitive Guide to the New York Shield Law

  • by Noah Ramirez, JD / CIPP

Every day, we share personal information about ourselves online when we pay bills, connect with friends on social media, and even when we are just browsing. The sheer volume of information that is shared, plus the proliferation of identity theft, data hacking, and other fraudulent activity, has led to the enactment of data privacy laws designed to regulate how personal information is collected, shared, and stored.

Without a comprehensive federal data security law in place, U.S. states are taking matters into their own hands. Several states have enacted a patchwork of privacy laws to protect consumers. Recently, enforcement has begun for New York’s data protection program: the SHIELD Act.

What is New York’s SHIELD Act?

In July 2019, New York passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, a law that amends the existing data breach notification law and imposes additional data security requirements on companies that collect information on New York residents. The data security requirements of the law took effect in March 2020, which means it is now fully enforceable.

The introduction of the SHIELD Act to the legislature came in response to a report showing a 60% increase in data breaches in New York in 2016. Just weeks prior to the introduction of the SHIELD Act, Equifax, one of the largest credit reporting agencies in the country, reported a breach that affected over eight million New York residents.

The SHIELD Act amended a previously enacted data breach law in New York - the much less catchily-named General Business Law §899-aa. By placing additional requirements on companies, this law broadens the scope of consumer privacy and gives New York residents better protection against breaches of their private information.

What are the SHIELD Act's Requirements?

The SHIELD Act introduces significant changes to existing law:

  • It broadens the definition of “private information.” The Act expands the definition of this term to include account numbers, biometric information, credit/debit card numbers (even without a security code), access codes, usernames, email addresses, passwords, and security questions and answers.
  • It expands the definition of a “breach.” Previously, a breach was defined as unauthorized acquisition of computerized data. Now it refers to unauthorized access to computerized data that compromises the security, confidentiality, or integrity of private information. The law also provides some examples of unauthorized access and updates the procedures entities must follow when there is a breach.
  • It expands the territorial scope. Previous law was limited to parties that conducted business in New York. The SHIELD Act expands the scope to any person or business that owns or licenses private information of a New York resident. That means that even if you don’t do business in New York, it is highly probable that the SHIELD Act applies to you if you operate anywhere in the United States.
  • It imposes new data security requirements. The Act requires companies to adopt reasonable safeguards to protect the security, confidentiality, and integrity of private information. Companies should implement a data security program with specific measures, employee training, vendor contracts, risk assessments, and timely data disposal. It also requires entities to designate an employee to oversee cybersecurity operations.

“Wait a minute,” you might be thinking. “I thought companies were already required to protect my data!”

Many are. In fact, entities who handle the most sensitive information likely meet the SHIELD Act’s requirements already. For instance, an entity is already in compliance with the SHIELD Act if it complies with the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), or the New York Cybersecurity Requirements for Financial Services.

Companies are considered compliant if they implement reasonable administrative, physical, and technical safeguards. The bill offers several ways to ensure compliance:

Administrative Safeguards
  • Conduct risk assessments.
  • Train employees in security program practices and procedures.
  • Designate someone to be responsible for the security program.
  • Carefully select vendors and set safeguards by contract.
  • Adjust the security program as the business changes.
Physical Safeguards
  • Assess risks of information storage and disposal.
  • Create systems to prevent, detect, and respond to physical intrusions.
  • Dispose of private information within a reasonable amount of time.
  • Protect against the unauthorized access of private information at any point during collection, transportation, and disposal.
Technical Safeguards
  • Identify risks in network and software design.
  • Identify risks in information processing, transmission, and storage.
  • Prevent, detect, and respond to system failures and attacks.
  • Monitor and test the effectiveness of system controls and procedures. 

If you have a small business and all of that sounds alarmingly complex, don’t worry. The SHIELD Act makes exceptions for businesses with fewer than 50 people and less than $3 million in yearly revenue, but you still have to implement a reasonable security program that's appropriate for the size and complexity of your business. 

If companies fail to comply with these new security requirements, they could face civil penalties of up to $5,000 per violation. There is no cap on penalties here, so fines can add up quickly. There is also a $250,000 fine for failing to notify authorities when a data breach occurs.

What is the SHIELD Act’s Impact?

The SHIELD Act is the next piece of state legislation designed to protect data and to notify the public and authorities about breaches. Individual states will continue to write and expand their data security laws. But since the SHIELD Act applies to any business that collects or maintains private information on New York residents, it has the potential to make a big impact on the entire nation.

Obviously, New York is economically significant. Most major companies hold some kind of private information on New York residents, and they will be forced to abide by the new security requirements with regard to those residents.

But maintaining multiple security standards is complex, time consuming, and inefficient. For the sake of expediency and cost, many companies will likely apply the SHIELD Act’s standards to all of the private information they collect and maintain, not just New York residents. 

Why is this outcome likely? Because we’ve seen it before with the European Union’s General Data Protection Regulation (GDPR). Rather than create and maintain multiple privacy standards, most companies that deal with EU customers simply declared GDPR their new standard.

And we’re seeing the same practice with the California Consumer Privacy Act. Since anyone who does business with a California company is obligated to abide by the CCPA, it's simply easier for companies to meet those standards for all their customers. 

Will this law change how all companies behave? Probably not, at least at first. If a company in Oklahoma sells only locally, it isn't obligated to abide by the SHIELD Act. Over time, however, as consumers learn to enjoy the protection provided by data security standards, there will be more pressure on state and local governments to pass security legislation.

Proactive Companies Survive

If you're a company that collects and maintains private information (and remember, that term is very broad now), it's not a matter of if, but when you suffer some kind of cyber incident. It's important to think proactively about how you handle your data to protect your customers, users, followers, and - most importantly - the livelihood of your business.

Just because your state hasn’t imposed data security regulations doesn’t mean it won’t. As you can see from the EU, California, and New York, the snowball is picking up speed. The sooner you take steps to protect consumer privacy, the sooner you’ll comply with those inevitable requirements.

Keeping your business up to date with the latest and greatest data privacy practices isn’t optional. You don’t have to do it on your own though. You can use tools like Osano to monitor changes in privacy laws, watch what your vendors do with your data, and ask privacy professionals specific questions on-demand.

About The Author · Noah Ramirez, JD / CIPP

Noah is an Osano staff attorney focusing on data privacy best practices, legislative monitoring, and policy monitoring. When he's not writing about or researching data privacy, Noah enjoys rock climbing and yoga.