New York SHIELD Act Will Impact Businesses Nationwide

Regulation ¦ March 23rd, 2020, 11:00 pm

The New York “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act (S5575B) came into force on March 21st, 2020, and brings important changes for businesses and persons who hold personal data of New York residents.

Who's in scope?

The Act applies to “any person or business which […] owns or licenses computerized data which includes private information [of New York residents]”. This means that the SHIELD Act also covers businesses that are domiciled outside of the state of New York, as long as they use or hold data of the private information of at least one new Yorker. Any company, no matter its size, should be paying attention, if they have at least one New York customer.

What’s in scope?

The SHIELD Act extends the scope of “information” currently enforced under the federal Information Security Breach and Notification Act of 2005. 

  • Personal information is “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.”

  • Private information is either

(i) any personal information combined with certain sensitive data elements, such as a Social Security Number, ID-card or driver’s license number, payment information or biometric information, or

(ii) a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account

What's considered a data breach?

The definition of the term data breach has also been extended. Before, private information needed to be actively acquired by an unauthorized party to constitute a breach. The SHIELD Act defines a data breach as “the unauthorized access to or acquisition of computerized data that compromises the security, confidentiality or integrity of private information”, meaning that as soon as data is accessed by an unauthorized party, data breach notification requirements come into play. 

What obligations do businesses have?

In a nutshell, businesses must have strong security measures in place to protect personal information and must report on data breaches without undue delay. 

Specifically, businesses must:

Implement and execute a reasonable security program

  • Designate responsible person to coordinate the data security program

  • Perform risk assessments

  • Assess the safeguards already in place to control the identified risks

  • Institute employee security program practices and procedures

  • Complete vendor and service provider risk assessments

Implement “reasonable technical safeguards”

  • Assess risks in software and network design

  • Detecting and fixing security issues, as well as responding to attacks or system failures

  • Regularly test and monitor the effectiveness of key controls, systems, and procedures

  • Deleting private information on a regular basis

Breach notification duties

  • If private information has been breached, businesses or persons must notify all New York residents whose data was compromised without any “unreasonable delay” 

  • The State Attorney General, the department of state and the division of the state police should be informed about any breach notifications communicated to New York residents, amongst other details they should be provided a copy of the notice-template sent out 

Fines and enforcement

The failure to provide an adequate breach notification can be penalized with the greater of $5,000 or $20 per failed notification, capped at $250,000. The New York State Attorney General, currently Letitia James, is responsible for enforcement; there is no private right of action. 

How to get ready

Designate a person responsible for the data security plan

  1. Make sure that reasonable security measures are implemented to protect private data

  2. Perform internal and external (service provider) risk assessments

  3. Prepare a robust plan to ensure that risks in software, hardware, data storage, and staff are regularly re-assessed

  4. Prepare appropriate breach notification, breach notification workflows, and breach notification communication methods

Need help? Datawallet can advise you on how to get ready for the NY SHIELD Act. Contact us at

Get the Data Digest in your inbox