New York enacts new data breach security laws – SHIELD Act

by Paul Lanois

On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (Senate Bill S.5575B), also known as the “SHIELD Act”, which amends New York’s breach notification law and creates new cybersecurity obligations. The SHIELD Act takes effect on March 21, 2020.

The key changes of the SHIELD Act include expanding the definitions of ‘private information’ and what constitutes a ‘breach’ (it now includes the ‘unauthorized access’ to ‘private information’) and requiring businesses that own or license New York residents’ ‘private information’ to implement and maintain security safeguards.

Here is the breakdown of what is introduced in the SHIELD Act:

  • The SHIELD Act expands the definition of ‘private information’ that may trigger notification to include the following types of data: a) biometric information, including a fingerprint, voice print, retina or iris image; b) account number, credit or debit card numbers without a security code, provided the number could be used to access an individual’s financial account without additional identifying information; and c) user names or email addresses in combination with a password or security question and answer that could permit access to an online account.
  • The definition of a breach has been extended to now include the ‘unauthorized access’ to ‘private information’, whereas the law previously only covered the unauthorized acquisition of ‘private information’. In determining whether information has been ‘accessed’, or is reasonably believed to have been ‘accessed’, by an unauthorized person or a person without valid authorization, the SHIELD Act provides that “factors to consider include indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person”.
  • There is an exception to the breach notification obligation where the exposure of ‘private information’ was due to an inadvertent disclosure by persons authorized to access private information, and the person or business makes a reasonable determination (which must be documented in writing and maintained for at least 5 years) that such exposure “will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials”.
  • There is also an exception to the breach notification obligation if a notification is already made pursuant to other regulations, such as those promulgated under the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the New York Division of Financial Services (NYDFS) Cybersecurity Regulation, or by other official department, division, commission or agency of the federal or New York state government.
  • The SHIELD Act requires businesses that own or license New York residents’ private information to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data”. This requirement can be fulfilled either by:
    • complying with regulations such as Title V of the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) or the New York State Department of Financial Services Cybersecurity Requirements (23 NYCRR 500), or
    • implementing a data security program that includes:
      • reasonable administrative safeguards such as:
        • designating one or more employees to coordinate the security program;
        • identifying reasonably foreseeable internal and external risks;
        • assessing the sufficiency of safeguards in place to control the identified risks;
        • training and managing employees in the security program practices and procedures;
        • selecting service providers capable of maintaining appropriate safeguards, requiring those safeguards by contract; and
        • adjusting the security program in light of business changes or new circumstances;
      • reasonable technical safeguards such as:
        • assessing risks in network and software design;
        • assessing risks in information processing, transmission and storage;
        • detecting, preventing and responding to attacks or system failures; and
        • regularly testing and monitoring the effectiveness of key controls, systems and procedures;
      • reasonable physical safeguards such as:
        • assessing risks of information storage and disposal;
        • detecting, preventing and responding to intrusions;
        • protecting against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
        • disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
  • In relation to small businesses, the SHIELD Act simply requires “reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.”
  • The Attorney General may pursue civil penalties for violations, but the SHIELD Act expressly provides that there is no private right of action.

In addition to the SHIELD Act, New York Governor Andrew Cuomo also signed on the same day the Identity Theft Prevention and Mitigation Services Act (Senate Bill S.3582) requiring credit reporting agencies to offer “reasonable identity theft prevention services and, if applicable, identity theft mitigation services” for up to 5 years at no cost to such consumers. The legislation also requires credit reporting agencies to provide “all information necessary for such consumers to enroll in such services” and information as to how such consumers can request a security freeze. This comes after Governor Cuomo, the State Department of Financial Services and State Attorney General James announced on July 22, 2019 that a $19.2 million settlement has been entered into with Equifax over the 2017 data breach that “exposed the sensitive financial and personal information of millions of Americans, including 8.5 million New Yorkers”.[1]

The SHIELD Act illustrates the growing trend among states to expand the definition of information covered by breach notification requirements. Businesses will need to identify if they hold ‘private information’ relating to New York residents, carefully review their security policies and procedures, and make any necessary adjustments to their data security program and incident response plans.


[1] https://www.dfs.ny.gov/reports_and_publications/press_releases/pr1907221

Paul Lanois is Director in Privacy and Security at Fieldfisher. Paul has lived and worked in Paris (France), London (UK), Luxembourg, Zurich (Switzerland), Hong Kong and the United States. He has been recognized as a Fellow of Information Privacy (FIP) by the International Association of Privacy Professionals (IAPP) and is a Certified Information Privacy Professional specialized in Asian law (CIPP/A), US law (CIPP/US), European law (CIPP/E) and Canadian law (CIPP/C). He is also a Certified Information Privacy Manager (CIPM) and a Certified Information Privacy Technologist (CIPT).
