New York SHIELD Act

The New York SHIELD Act amends the state’s General Business Law and State Technology Law provisions on individuals’ privacy and data breach notification. Regardless of where it is based, any person or business that owns or licenses computerized data that includes the private information of New York residents must comply. The Act requires these businesses to develop, implement, and maintain reasonable safeguards to protect that private information.

The law applies to businesses of any size with even one New York resident in their data. Small businesses (fewer than 50 employees, under $3 million in annual gross revenue for each of the last three years, or under $5 million in year-end total assets) are still covered, but their safeguards may be scaled to the size and complexity of the business, the nature of its activities, and the sensitivity of the information it holds.

What is the New York SHIELD Act?

The New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act is a data security law passed in response to an increasing number of cyberattacks that exposed the private information of the state’s residents. Signed in July 2019, it amended New York’s existing breach notification statute (General Business Law § 899-aa), which previously applied only to businesses that conducted business in the state, and added a new data security section (§ 899-bb). The breach notification amendments took effect on October 23, 2019, and the data security requirements on March 21, 2020.

Key objectives of the New York SHIELD Act are to:

  • Expand data security and breach notification requirements to cover any business that owns or licenses the private information of New York residents, not just companies that conduct business in the state.
  • Change the definition of a breach to go beyond data being acquired to include data that was merely accessed by an unauthorized party.
  • Broaden the definition of private information (personal information, i.e., “information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person,” combined with specified data elements) to add biometric information, account or card numbers that can be used without an additional security code, and a username or e-mail address combined with a password or security question and answer.

What Counts as a Data Breach?

The New York SHIELD Act’s specific terminology for what is commonly referred to as a data breach is “breach of the security of the system”: unauthorized access to or acquisition of computerized data that compromises the security, confidentiality, or integrity of private information. Because access alone is enough, the definition covers situations where an intruder reached the data even though there is no evidence it was copied or exfiltrated. In deciding whether information was accessed or acquired, the Act directs businesses to consider the following indicators:

  • Information may have been accessed if there are indications it was:
    • Viewed
    • Communicated with
    • Used
    • Altered
  • Private information may have been acquired if:
    • A computer or device containing this information is lost or stolen.
    • There is evidence that the information has been downloaded or copied.
    • The information has been used by an unauthorized person, for example in reports of identity theft or fraudulent accounts.

Good-faith access by an employee or agent for the purposes of the business does not count as a breach, unless the private information was used or disclosed to an unauthorized person.

Requirements of the NY SHIELD Act

To meet the requirements of the NY SHIELD Act, businesses must identify and mitigate data security risks and be prepared to respond to a breach. The Act requires a data security program with reasonable administrative, technical, and physical safeguards for private information, and it requires notification when a breach of the security of the system compromises that information.

Safeguards Required by the New York SHIELD Act

Reasonable administrative safeguards

  • Designate one or more employees to coordinate the security program
  • Identify reasonably foreseeable internal and external risks
  • Assess the sufficiency of safeguards in place to control the identified risks
  • Train and manage employees in the security program practices and procedures
  • Select service providers capable of maintaining appropriate safeguards, and require those safeguards by contract
  • Adjust the security program in light of business changes or new circumstances, including changes in the threat landscape

Reasonable technical safeguards  

  • Assess risks in network and software design and implementation
  • Assess risks in information processing, transmission, and storage
  • Detect, prevent, and respond to attacks or system failures
  • Regularly test and monitor the effectiveness of key controls, systems, and procedures

Reasonable physical safeguards 

  • Assess risks of information storage and disposal, for both digital and paper-based information
  • Detect, prevent, and respond to intrusions
  • Protect against unauthorized access to or use of private information during or after its collection, transportation, destruction, and disposal
  • Dispose of private information within a reasonable time after it is no longer needed, erasing electronic media so that the information cannot be read or reconstructed

Notifications Required by the New York SHIELD Act

In the event of a breach, the New York SHIELD Act requires a business to notify the affected New York residents directly, in the most expedient time possible and without unreasonable delay, and to inform the appropriate state authorities. There are two forms of notice to individuals, individual and substitute, and both must include the following information:

  • Contact information for the business or person making the notification
  • Telephone numbers and websites of the relevant state and federal agencies that provide information on security breach response and identity theft prevention and protection
  • A description of the categories of private information that were, or are reasonably believed to have been, accessed or acquired

Individual notices

There are several ways to give individual notice of a data breach under the New York SHIELD Act, including:

  • Written notice
  • Electronic notice, where the individual has expressly consented to receive notice electronically
  • Telephone notification, where a log of each call is kept

Substitute notices

Substitute notice may be used only when the business demonstrates that one or more of the following applies:

  • The cost of providing individual notices would exceed $250,000
  • More than 500,000 people would need to be notified
  • The business does not have sufficient contact information for the affected people

The substitute methods for notifying an individual of a data breach under the New York SHIELD Act include:

  • E-mail notice, where the business has an e-mail address for the affected person
  • Conspicuous posting of the notice on the business’s website
  • Notification to major statewide media

Authorities and agencies to be notified

The New York SHIELD Act requires that notice be sent to the Attorney General’s office, the New York Department of State, and the Division of State Police. If more than 5,000 New York residents are notified at one time, the business must also notify the consumer reporting agencies (i.e., Equifax, Experian, TransUnion). These organizations must be provided with the following information:

  • Approximate number of people affected
  • Timing of the notices sent to individuals
  • Content of the breach notification, including a copy of the template used
  • How the notification was distributed

Businesses should prioritize giving notice to the individuals affected. Informing these authorities and agencies must not delay notice to individuals, nor may notice to individuals be delayed beyond what is needed to determine the scope of the breach and restore the integrity of the system (a delay requested by law enforcement for an investigation is the one recognized exception).

Business Impact of the NY SHIELD Act

The primary business impact of the SHIELD Act is the changes a business may have to make to meet its data protection and notification requirements. Without these safeguards in place, businesses face civil penalties and enforcement action.

The New York SHIELD Act does not create a private right of action, so individuals cannot sue under the law. The New York Attorney General enforces it and can seek civil penalties. For failing to provide required breach notifications, the penalty is the greater of $5,000 or up to $20 per instance of failed notification, capped at $250,000. For failing to implement reasonable safeguards, the penalty is up to $5,000 per violation.

Exceptions to the New York SHIELD Act

There are exceptions where businesses are not required to send breach notifications to affected individuals.

  • If the exposure of private information was an inadvertent disclosure by someone authorized to access it, and the business reasonably determines that the exposure will not likely result in misuse of the information or financial or emotional harm to the affected persons. That determination must be documented in writing and retained for five years, and if the incident affects more than 500 New York residents, the written determination must be provided to the Attorney General within ten days.
  • If notice to affected persons is made under another applicable breach notification law or regulation (e.g., the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, or the NYDFS Cybersecurity Regulation). The business must still notify the Attorney General, Department of State, and State Police, and a HIPAA-covered entity that reports a breach to the U.S. Department of Health and Human Services must provide the Attorney General with a copy of that notice within five business days. Businesses that are already compliant with the data security requirements of those regimes are also deemed to satisfy the Act’s safeguards requirement.

The Long Arm of the New York SHIELD Act

The New York SHIELD Act demonstrates how seriously the state takes its residents’ privacy and data security. Any business, wherever it is located and whatever its size, that holds the private information of even one New York resident must comply with the law.

The New York SHIELD Act, and other similar legislation around the world, can be perceived as costly and onerous. However, preventing and quickly responding to security incidents that impact private information is in the best interest of all organizations. Having a robust security posture and a corporate position that prioritizes data security should not be considered a burden, but rather a matter of good business practice.

Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers and millions of users worldwide.

Last Updated: 21st December, 2021
