The definitive guide to the New York SHIELD Act

Every day, we share personal information online. Whether we’re paying bills, connecting with friends on social media, or simply browsing websites, we’re giving pieces of our personal information away.

And the sheer volume of shared information — coupled with rampant identity theft, data hacking, and other fraudulent activity — has prompted officials worldwide to adopt data privacy laws. At their core, these laws regulate how personal information is collected, shared, and stored.

Still, at a federal level, the U.S. lacks its own overarching data security law. Thus, individual states are taking matters into their own hands.

Over the last few years, several states have enacted a patchwork of privacy laws to protect consumers. And in 2019, lawmakers took a closer look at a long-standing New York privacy law, discovered several evolutionary gaps and inefficiencies, then worked to amend and update it. Today, the latest iteration is known as the SHIELD Act.

What is New York’s SHIELD Act?

The SHIELD act, or the Stop Hacks and Improve Electronic Data Security Act, amends the state’s existing data breach notification law. It imposes more data security requirements on companies that collect information on New York residents.

The SHIELD law became fully enforceable in March 2020.

But why were amendments introduced in the first place? The updated New York privacy law came after the state’s attorney general discovered a 60% increase of state data breaches in 2016. Just weeks prior to the SHIELD law introduction, one of the largest credit reporting agencies in the country, Equifax, identified a breach that affected more than 8 million New Yorkers.

Through the SHIELD Act, companies incurred additional data privacy requirements that, collectively, provide better overall breach protection for New York residents.

What are the SHIELD Act's requirements?

The SHIELD Act introduces significant changes to existing law:

• It broadens the definition of “private information.” SHIELD expands the definition to include account numbers, biometric information, credit/debit card numbers (even without a security code), access codes, usernames, email addresses, passwords, and security questions and answers.
• It expands the definition of a “breach.” Originally, a breach was defined as an “unauthorized acquisition of unencrypted computerized data.” But more broadly, it refers to unauthorized access of computerized data that compromises the security, confidentiality, or integrity of private information. The law provides samples of unauthorized access and includes updated procedures in the event of a breach.
• It expands the territorial scope. Previous New York privacy laws were limited to parties who conducted business in New York. The SHIELD Act broadens the scope to any person or business that owns or licenses private information of a New York resident. Essentially, even if you don’t do business in New York, it’s likely the SHIELD Act applies if you operate anywhere in the U.S.
• It imposes new data security requirements. The SHIELD law enforces companies to adopt safeguards to protect the security, confidentiality, and integrity of private information. Companies should implement a data security program with specific measures, employee training, vendor contracts, risk assessments, and timely data disposal. The law also requires organizations to designate an employee who oversees cybersecurity operations.

The good news? Many companies already protect consumers' data (and have been, long before the SHIELD Act was ever a twinkle). And likely, they already meet SHIELD’s mandates. 

For instance, an entity is already aligned with the SHIELD Act if it complies with the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act, or New York’s cybersecurity requirements for financial services.

Companies are considered compliant if they implement reasonable administrative, physical, and technical safeguards. The bill offers several ways to ensure compliance:

Administrative safeguards

• Conduct risk assessments.
• Train employees in security program practices and procedures.
• Designate someone responsible for the security program.
• Carefully select vendors and set safeguards by contract.
• Adjust security programs as the business changes.

Physical safeguards

• Assess the risks of information storage and disposal.

• Create systems to prevent, detect, and respond to physical intrusions.

• Dispose of private information within a reasonable amount of time.

• Protect against the unauthorized access of private information at any point during collection, transportation, and disposal.

Technical safeguards

• Identify risks in network and software design.
• Identify risks in information processing, transmission, and storage.
• Prevent, detect, and respond to system failures and attacks.
• Monitor and test the effectiveness of system controls and procedures.

If you own a small business and those bullets feel daunting, don’t worry: The SHIELD Act makes exceptions for businesses with fewer than 50 people and/or less than $3 million in annual revenue. Still, you must implement a reasonable security program that's appropriate for the size and complexity of your business.

If companies fail to comply with these security requirements, they could face civil penalties of up to $5,000 per violation. There are no caps on penalties, so fines can rack up quickly. Additionally, a $250,000 fine exists for failing to notify authorities when a data breach occurs.

What is the SHIELD Act’s impact?

As state legislation, the SHIELD Act encourages data protection and general breach notification. Following in its footsteps, individual states will continue to write and expand their own data privacy laws. But because the New York privacy law applies to any business that collects or maintains private information on New York residents, its effects are far-reaching.

Obviously, New York is economically significant. Most major companies hold some kind of private information on New York residents. These companies will be forced to abide by the new security requirements concerning respective residents.

But maintaining multiple security standards is complex, time-consuming, and inefficient. For the sake of expediency and cost, it’s easier for most companies to apply the SHIELD Act’s standards to all private information they collect and maintain, not just on New York residents.

Why is this so? Because we’ve seen it before with the European Union’s General Data Protection Regulation (GDPR). Rather than create and maintain multiple privacy standards, most companies that deal with EU customers simply declare GDPR as standard practice.

And we see similar action with the California Consumer Privacy Act (CCPA): Because entities that do business with California companies are obligated to abide by CCPA, it's easier for companies to meet those standards for all customers.

Will New York’s privacy law change how all companies behave? Probably not — at least not yet. Over time, as consumers learn to enjoy the protection provided by data security standards, pressure to do the same among other state and local governments will ramp up.

Proactive companies survive

If you're a company that collects and maintains private information, it's not a matter of if, but when you’ll endure a cyber incident. It's important to think proactively about how your organization handles data to protect customers, users, followers, and the livelihood of your business. And the sooner you take steps to protect consumer privacy, the sooner you’ll comply with inevitable requirements.

Keeping your business up-to-date with the latest data privacy practices isn’t optional. Still, you don’t have to do it on your own. You can use tools like Osano to monitor changes in privacy laws, understand what vendors do with your data, and ask privacy professionals on-demand questions.