New York SHIELD Act: The Latest Amendment to NY State’s Cybersecurity Law

New York is updating their cybersecurity laws — here’s how these changes impact your business (even if you’re not in NY)

The New York SHIELD Act. It sounds like something straight out of a popular superhero movie franchise.

However, although it may share the name of an elite defense organization from the blockbuster movie series, the recently passed New York SHIELD Security Act is very real and may impact businesses inside and outside the state. It expands the existing New York data security law and General Business Law (GBS §899-AA) and creates GBS §899-BB by adding to the section on breach notifications, updating definitions, and adding new cybersecurity requirements.

In this article, we’ll dive into what the New York SHIELD Act is, how it affects your business, and what you can do to be compliant with this update to the New York cybersecurity law.

Avengers, assem — I mean…

Let’s hash it out.

New York SHIELD Act: What It Is and How It Applies to Me

What the SHIELD Acronym Stands For

The “SHIELD” in the New York SHIELD Security Act (Senate Bill S5575B) stands for “Stop Hacks and Improve Electronic Data.”

I wonder how much time they spent coming up with the full name for the act that would match that acronym…


Graphic: Gavel representing New York SHIELD Law

The SHIELD Act is an expansion of the state’s existing data breach law. Although it isn’t poised to protect New Yorkers from an alien invasion, it does aim to protect the state’s residents from personal and private information exposure due to cyber hacks. It does this by making the organizations they work for or do business with responsible for the safety and security of their data.

Should the information be exposed through intentional or unintentional disclosure, the organization must provide notice to any affected individuals via:

  • written notice,
  • electronic notice,
  • phone notification, or
  • another notification method (such as email, a public posting, or an announcement via statewide media).

The disclosure about the breach must be made expediently and “without reasonable delay.” However, there is one very important caveat. Notice to affected individuals is considered “not required” if:

“… the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials… Such determination must be documented in writing and maintained for at least five years. If the incident affects over five hundred residents of New York, the person or business shall provide the written determination to the state attorney general within ten days after the determination.”

The Act Covers Two Types of Info

What kinds of info does the New York SHIELD Act specify need protection? This information includes:

  • Personal Information. This refers to “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.”
  • Private Information. This includes a variety of information such as a person’s Social Security number, driver’s license or another ID card number, financial or account related information (such as credit cards), or biometric information that’s not encrypted or is encrypted “with an encryption key that has also been accessed or acquired.” It also includes users’ login info.

Does the New York SHIELD Security Act Affect You?

Graphic: Whom the New York SHIELD Law applies to

The Act applies to “any person or business which […] owns or licenses computerized data which includes private information.” This means that if your business or organization has employees or customers who live in New York, this legislation may apply to you.

If 5,000 or more New York residents are notified of such a breach simultaneously, the organization also needs to report the “timing, content and distribution of the notices and approximate number of affected persons” to consumer reporting agencies that the state attorney general determines pertinent.

In the event of a data breach, for example, companies whose customers or employees include New York residents must inform the state attorney general about the intentional or non-intentional info disclosure. However, the New York SHIELD Act specifies that companies that collect health-related data must take this a step further by reporting such breaches to federal authorities as well as the attorney general.

Important Deadlines: The Act requires the recording of data breaches starting on Oct. 23, 2019, but the deadline for adopting reasonable security measures isn’t until March 21, 2020. Organizations that did not previously follow the New York Department of Financial Services (NYDFS) regulations must increase their protections by the March 21 deadline to avoid regulatory scrutiny.

This means that if the NYDFS laws didn’t affect your business before but do now, you’d better get your act in gear sooner rather than later to ensure compliance.

What the New York Data Security Act Specifies:

According to the New York SHIELD Act:

“This bill broadens the scope of information covered under the notification law and updates the notification requirements when there has been a breach of data. It also broadens the definition of a data breach to include an unauthorized person gaining access to information. It also requires reasonable data security, provides standards tailored to the size of a business, and provides protections from liability for certain entities.”

The new act of the cybersecurity law defines boundaries, security requirements, enforcement, and consequences for employers who fail to follow these standards and best practices. It also serves as an amendment of the general business law and the state’s technology law concerning notifications of security breaches.

The text provides updated definitions for multiple terms, including “personal information,” “private information,” “breach of the security of the system,” and “biometric data.” This is important as many companies are using biometric technology and data for employee authentication and time-management tasks.

All of this is great news for consumers — except for one important caveat: The Act doesn’t create a private right of action for affected residents. Much like the California Consumer Privacy Act (CCPA), enforcement of the New York SHIELD Act is provided by the state attorney general’s office. This means that if someone is financially or personally affected by the disclosure of their information, it’s up to the state’s attorney general to bring action in their name and on behalf of the state’s population.

But what are the risks for businesses who are not compliant with the new SHIELD Act?

The Consequences of Noncompliance

Although the New York data security act isn’t enforced by individuals in robotic suits or colorful, star-spangled uniforms, it’s still trying to stand as an imposing force. If you’re a small to midsize business that handles New York residents’ data, you especially need to take it seriously — or else it can cost you dearly.

If an organization doesn’t comply with the regulation by notifying their employees or customers of any disclosures, the new legislation states that preliminary relief may be granted (under Article 63 of the civil practice law and rules) to the victim. If any New York resident who is entitled to notification of an information disclosure doesn’t receive one but suffers losses or damages as a result of the disclosure, the court can award damages for actual costs or financial losses they incur. Furthermore:

“Whenever the court shall determine in such action that a person or business violated this article knowingly or recklessly, the court may impose a civil penalty of the greater of five thousand dollars or up to [ten] TWENTY dollars per instance of failed notification, provided that the latter amount shall not exceed [one] TWO hundred fifty thousand dollars.”

Penalties of $5,000 may not be a big deal. But considering that it can be up to $250,000, now we’re talking some serious dough for small businesses. While this won’t make much of a dent in the coffers of an enterprise, it can cause a small or midsize organization to close its doors.

How You Can Make Your Business Compliant with the SHIELD Security Act

To comply with the new act, businesses of all sizes need to assess their existing IT infrastructure, resources, devices, policies, and access controls. For example, to ensure your organization is compliant and to reduce the risk of data exposure:

  • Check for Vulnerabilities. Review and test your network, devices, and other IT systems for any internal and external vulnerabilities. This can include performing cyber risk assessments and penetration tests. Perform your due diligence to mitigate risks ahead of time.  
  • Review and Implement Access Control. Regularly review and update your list of employees to determine who has access to what, and whether each person’s level of access is necessary based on their job and responsibilities. Minimize the number of users with access to personal and private data to only those who need it. This can include the use of policies of least privilege (POLP).
  • Review and Update Your Existing Policies and Procedures. To ensure that your organization is prepared to respond to a data breach, be sure to review and update your existing incident response (IR) and disaster recovery (DR) plans. If your organization doesn’t have any such plans, now’s the time to create them!
  • Implement Cyber Training for Employees. Ensure that all of your employees — everyone from the CEO on down to the janitorial staff — are operating with cyber security best practices in mind. Training also can provide them with knowledge about how to safely identify and respond to potential threats such as phishing emails.
  • Review How You Store and Dispose of Private Information. This SHIELD New York data security law dictates that when you’re done using personal and private data, you can’t just get rid of it any ol’ way. It specifies that businesses must assess risks relating to information processing, transmission and storage. It also states that you need to dispose of private information “within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.”
  • Implement Encryption. When dealing with sensitive private and personal information, it’s generally a best practice (and a smart business move in general) to use encryption to help keep that info secure. Use SSL/TLS certificates to protect data in transit on your website or mail server. S/MIME certificates add the benefit of encrypting email data at rest, so messages stay secured while they sit on your mail server. Another great encryption method is database encryption. These tools can help you to ensure that only the people who are supposed to see information have access to it.

TL;DR: What Does All of This Mean?

In a nutshell, the New York SHIELD Act specifies that companies that handle, store, or use New York residents’ personal and private information are required to implement specific data security measures and to report any breaches in a timely manner (or risk facing enforcement from the state’s attorney general).

The New York SHIELD Act dictates that organizations with existing security protections will need to improve their assessment standards and tools. Employers and companies who lack any type of security systems and testing practices will be required to adopt a new security infrastructure. Any organizations that fail to do so could face civil penalties that cost up to $250,000.

However, there are things you can do to protect your organization, employees, and customers:

  • Run cyber risk assessments and pen tests to identify vulnerabilities.
  • Maintain up-to-date employee access lists.
  • Review and update any existing policies and procedures; create new ones as necessary.
  • Make cyber awareness training mandatory for all employees.
  • Assess risks in information processing and use proper data storage and disposal techniques. 

We hope that this article provided you with useful insights about the New York SHIELD Act that you can use to make important decisions for your business and best serve your customers.

As always, leave any questions or thoughts in the comments!


Casey Crane

Casey Crane is a regular contributor to and managing editor of Hashed Out. She has more than 15 years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.