New York SHIELD Act: How Does It Affect My Business?

The New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) has been in effect since March 21st, 2020. This law aims to provide more robust protection for the private information of New York State residents by holding persons and businesses that own or license such information accountable for developing, implementing, and maintaining reasonable safeguards to protect the information.

Who Must Comply with the NY SHIELD Act?

The New York SHIELD Act applies to any person or business which owns or licenses computerized data that includes the private information of a resident of New York State. In other words, any person or business that holds private information of even a single New York resident is bound by the provisions of the NY SHIELD Act, even if the company is based outside of New York or does not conduct business in New York. 

One of the key obligations is that parties subject to the Act are required to develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of private information. There is some relief for small businesses [1], which are required to maintain reasonable safeguards after taking into account the size and complexity of the small business, the nature and scope of its activities, and the sensitivity of the personal information collected by the small business.

Parties that are subject to and compliant with the data security requirements of the Gramm-Leach-Bliley Act (“GLBA”), the Health Insurance Portability and Accountability Act (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), or the New York State Department of Financial Services (“NYDFS”) Cybersecurity Regulation are deemed to be compliant with the New York SHIELD Act’s data security requirements.

What Is “Private Information” Under the NY SHIELD Act?

The New York SHIELD Act defines both the terms “personal information” and “private information”. The Act defines personal information as “any information concerning a natural person which, because of a name, number, personal mark, or other identifier, can be used to identify such natural person”. Private information is defined by the Act as either:

  1. personal information consisting of any information in combination with any one or more of the following data elements, when either the data element or the combination of personal information plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired:
    • social security number;
    • driver’s license number or non-driver identification card number;
    • account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code or password, or other information that would permit access to an individual’s financial account;
    • biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity;
  2. a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.

“Private Information” does not include publicly available information which is lawfully made available to the general public from federal, state, or local government records. 

How Do I Comply with the New York SHIELD Act?

Parties that are subject to the NY SHIELD Act are required to develop, implement, and maintain reasonable data security programs to protect the security, confidentiality, and integrity of private information, and to securely dispose of such information. The data security programs should include:

  • Administrative safeguards, such as drawing up and maintaining appropriate policies and procedures (including record retention and destruction policies and information security policies), updating disaster recovery and business continuity plans, training employees on the required security practices and procedures, identifying reasonably foreseeable internal and external risks, and ensuring that service providers comply with the New York SHIELD Act;
  • Physical safeguards, such as developing physical access control measures, implementing measures to detect, prevent, and respond to intrusions, and disposing of private information when it is no longer required; and
  • Technical safeguards, such as conducting risk assessments (e.g. to assess risks in network and software design and in information processing, transmission, and storage), conducting penetration testing, encrypting data in transit and at rest, maintaining the ability to detect, prevent, and respond to attacks or system failures, and implementing a process to regularly test and monitor the effectiveness of key controls, systems, and procedures.

What Does the NY SHIELD Act Require When There Is a Data Breach? 

One of the key features of the New York SHIELD Act is the extensive provisions linked to breach notifications. Under the Act, a “breach of the security of the system” is any form of unauthorized access to private information. The term “access” includes information viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.

Following discovery of a breach of the security of the system, persons and businesses are required to disclose the breach to any resident of New York whose private information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person. 

There is an exception to this breach notification requirement. It is not necessary to give notice to affected persons if the exposure of the private information was inadvertent and the person or business reasonably determines that the exposure is unlikely to result in misuse of the private information. In this case, the person or business should document its determination that the inadvertent disclosure is unlikely to result in misuse, maintain the documentation for a period of five years, and in the case where the incident involves the private information of more than 500 residents of New York, submit such documentation to the New York Attorney General within 10 days of the determination.

Additionally, businesses that are subject to breach notification requirements in the GLBA, HIPAA, HITECH, NYDFS Cybersecurity Regulation, or any other data security rules, regulations, and statutes administered by any arm of the federal or New York State government, are not required to make additional notifications to any affected New York residents. However, notification to the New York Attorney General will still be required.

What Are the Penalties for Failure to Comply with the NY SHIELD Act? 

New York residents do not have any direct form of recourse or private right of action under the New York SHIELD Act. However, the New York Attorney General has the authority to bring claims against persons and businesses that fail to report a breach or that fail to develop, implement, and maintain reasonable data security measures as described above. 

Reckless violations of the Act, or violations which occurred with the person’s or business’s knowledge, may result in penalties of the greater of $5,000 or up to $20 per instance (with a cap of $250,000).

If a person or business fails to comply with the requirement to implement reasonable safeguards, it may be liable for a penalty of no more than $5,000 per violation.

If a person or business fails to provide notice of a breach of the security of the system to the affected New York residents, a court can award damages for the actual costs or losses incurred by the New York resident who was entitled to receive such breach notification.

Do You Need Help with New York SHIELD Act Compliance?

VeraSafe’s privacy team has all the resources to assist with your NY SHIELD Act compliance. We bring together outstanding privacy attorneys and cybersecurity experts to provide a one-stop-shop for your complex privacy, data protection, and cybersecurity needs across a myriad of legal frameworks. 

Schedule a free consultation with VeraSafe today to learn more about our cost-effective and business-facilitating New York SHIELD Act Compliance Program. 


[1] A small business is any business with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets, calculated in terms of generally accepted accounting principles.

Contact VeraSafe to discuss your data security management and privacy program today.