NY SHIELD Act Summary

Effective March 21, 2020

On March 21, 2020, the New York SHIELD Act goes into effect. This act, aimed at protecting consumer information, creates safeguards to protect the security, confidentiality, and integrity of private information.

Depending on your business, you may have to comply with the new standards.

This cheat sheet is intended to help you understand what your requirements are, based on how you do business and what information you process and/or store.

Here is a breakdown of the SHIELD Act and its requirements.

New York SHIELD Act Summary

What is the SHIELD Act?

  • SHIELD stands for “Stop Hacks and Improve Electronic Data Security”
  • Takes effect on March 21, 2020
  • Requires businesses to adopt reasonable safeguards to protect the security, confidentiality, and integrity of private information
  • Does not mandate specific safeguards

To Whom Does the Act Apply?

  • Employers in the state of New York with employees
  • Any business that maintains the private information of New York residents

Two Types of Businesses Can Be in Compliance Without Having a Security Program:

  • Small business (fewer than 50 employees OR less than $3M in gross annual revenue)
    • Must still verify that data security safeguards are appropriate for:
      • the size and complexity of the business
      • the nature and scope of business activities
      • the sensitivity of the personal information the business handles
  • Businesses that comply with other regulatory schemes:
    • Gramm-Leach-Bliley Act (GLBA)
    • Health Insurance Portability and Accountability Act (HIPAA)
    • NY State Department of Financial Services’ (NYDFS) Cybersecurity Requirements for Financial Services Companies

What Must Be Protected?

  • Private Information of an individual:
    • Social Security Number (SSN)
    • Driver’s license number
    • Credit or debit card number
    • Financial account number (even without the required security code, if an unauthorized person could use it to access the account)
    • Biometric information
    • Username or email address with a password that permits access

Amendments Added:

  • Definition of breach:
    • Now includes unauthorized access instead of solely unauthorized acquisition
  • Breach notification requirement for inadvertent disclosures of private information that are not likely to result in the misuse of information. Employer must:
    • Document its determination that the inadvertent disclosure is not likely to result in misuse
    • Maintain that documentation for five (5) years
    • If the incident were to involve the private information of more than 500 New York residents:
      • Required to submit the documentation to the State’s Attorney General within 10 days of that determination
  • Penalties for failure to notify the Attorney General:
    • $20 per failed notification
    • Maximum penalty $250,000

For More Information: