The NY SHIELD Act [A Compliance Checklist]


Amid the COVID pandemic and other pressing concerns, a significant law has quietly come into effect that businesses need to be aware of – the NY SHIELD Act, also referred to as the Stop Hacks and Improve Electronic Data Security Act.

Passed by the legislature more than two years ago, this law aims to protect the data privacy of New York State residents. It is crucial for businesses, regardless of their size or location, to understand its implications and take the necessary steps to comply with its requirements.

In this guide, we will explore the key points of the NY SHIELD Act and how businesses can ensure their data protection practices are in line with the law.

What the Law Says

Governor Andrew Cuomo approved the SHIELD Act on July 25th, 2019. The law modifies the Information Security Breach and Notification Act of New York, enacted in 2005, and has several changes that aim to enhance data-security regulations in New York.

  • Firstly, the SHIELD Act broadens the scope of private information that companies are required to notify consumers about in case of a data breach. This means that companies must inform individuals if their personal information, such as social security numbers, financial account information, or biometric data, has been compromised.
  • Secondly, the SHIELD Act mandates that companies must establish reasonable measures to protect the security, confidentiality, and integrity of private information. This means that businesses must put in place various administrative, technical, and physical safeguards. We will go more in-depth into these safeguards later.

Does The Size of Your Business Matter?

One common misconception about the NY SHIELD Act is that it only applies to large businesses or those based in New York. However, this is not the case. The act applies to businesses of all sizes, including small and medium enterprises, regardless of their location. If your business collects and retains personally identifiable information (PII) of any New York State resident, you are subject to the law’s requirements.

Location Is Irrelevant: Out-of-State Businesses Must Comply

Even if your business is located outside of New York, if you handle data from New York State residents, you must comply with the NY SHIELD Act. This is similar to the European Union's GDPR, which requires businesses outside the EU to adhere to its regulations when dealing with the data of EU citizens.

For example, major companies like Apple and Amazon, though not based in New York, must ensure compliance due to their interaction with New York State residents.

Are You Already Compliant?

If you are wondering whether your existing compliance efforts cover the NY SHIELD Act, certain scenarios may indicate partial compliance. If your business adheres to HIPAA (Health Insurance Portability and Accountability Act) regulations or to the regulations of the New York State Department of Financial Services, you already have some data protection measures in place.

However, it is essential to go through the specific requirements of the SHIELD Act to identify any potential gaps in your current compliance.

NY SHIELD Act Compliance Checklist
Infographic: NY SHIELD Act Checklist

Does the NY SHIELD Act Apply to Small Businesses?

The SHIELD Act provides some relief for small businesses, defining them as entities with fewer than 50 employees, less than $3 million in gross annual revenue for the last three fiscal years, or less than $5 million in year-end total assets.

Small businesses are required to implement a security program that is appropriate for the size, complexity, and sensitivity of the information they collect.

What Is "Private Information"?

Before we delve deeper into reasonable safeguards, it’s vital to understand what “private information” means under the SHIELD Act. Private information includes personal identifiers, such as names, combined with specific data elements like social security numbers, driver’s license numbers, account numbers, or biometric information.

Additionally, any username or email address combined with a password or security question and answer to access an online account is also considered private information.

Understanding Reasonable Safeguards

One critical aspect of the NY SHIELD Act is the requirement for businesses to implement “reasonable safeguards” to protect PII. The law does not prescribe specific technical solutions, leaving it open to interpretation.

What might be considered reasonable to one organization may not be sufficient for another. Therefore, it’s crucial to assess your data protection practices from a legal standpoint and ensure they align with the law’s expectations.

Navigating Compliance Requirements

Complying with the NY SHIELD Act involves multiple components, ranging from administrative controls to technical and physical measures. Let’s take a closer look at each of these and break down how to address the requirements. Note, this is not an exhaustive list.

Administrative Safeguards

To comply with the reasonable security requirement, businesses need to implement administrative safeguards. These include designating an employee to coordinate the security program, regularly assessing risks and vulnerabilities, training employees, and selecting reliable service providers to maintain security.

  • Designate a Certified CISO (Chief Information Security Officer) with the necessary expertise to oversee data protection efforts.
  • Conduct a Business Impact Analysis to assess potential risks and vulnerabilities.
  • Prioritize employee training on data security and privacy to minimize human errors.
  • Review third-party service providers to ensure they comply with data protection standards.
  • Develop a comprehensive Written Information Security Plan (WISP) detailing security policies and procedures.
  • Implement continuous security awareness training and phishing simulations to keep employees vigilant.

Technical Safeguards

Businesses must also employ technical safeguards to protect private information. This involves assessing the risks in their network, detecting and preventing attacks, and regularly testing and monitoring systems and procedures.

  • Perform a risk assessment to identify potential security weaknesses.
  • Monitor and review network and software regularly.
  • Utilize intrusion prevention and detection services to safeguard against cyber threats.
  • Ensure your endpoint protection goes beyond traditional antivirus solutions.
  • Employ Data Loss Prevention (DLP) measures, including encryption, to prevent unauthorized data access.
  • Consider a 24/7 cybersecurity protection service to proactively monitor and respond to threats.

Physical Safeguards

Physical safeguards are crucial in protecting private information. Businesses should evaluate the risks related to data storage and disposal, adopt access control measures, and ensure the secure destruction of private information when no longer needed.

  • Limit access to physical locations with sensitive data through locks and access controls.
  • Encrypt stored data to protect it in case of theft or unauthorized access.
  • Implement secure data disposal practices in compliance with regulations.
  • Regularly audit and monitor physical security measures.

What to Do If a Data Breach Occurs

When a breach occurs, businesses have certain obligations that they must fulfill. They are required by law to notify the individuals who have been affected by the breach as soon as possible after discovering the breach in their computer data system. This notification should be made promptly and take into consideration the needs of law enforcement agencies.

Additionally, businesses are required to inform the Office of the New York State Attorney General (OAG), the New York Department of State, and the New York State Police about the breach. They must provide details regarding the timing, content, and distribution of the notifications, as well as an approximate number of individuals affected.

What Are the Penalties for Non-Compliance?

Failure to comply with the reasonable security requirement can result in penalties. The New York State Attorney General can sue non-compliant entities, and civil penalties can reach up to $5,000 per violation. Moreover, non-compliance with data breach notification requirements can lead to additional penalties.

Make Compliance Easy!

Compliance doesn’t need to be overwhelming. The NY SHIELD Act is a reminder that we all need to reexamine our security protocols, particularly for data breaches. Now that more organizations have incorporated remote work, there is a bigger attack surface for cybercriminals’ malicious activity.

Regardless of your compliance status, it’s essential to evaluate your data security protocols and implement the necessary safeguards to protect private information. Don’t overlook the importance of employee training, awareness, and continuous security testing.

Our security team at Just Solutions can help you implement a data security program that includes reasonable administrative, technical, as well as physical safeguards. If you’d like further assistance, contact us to start the process with a compliance assessment.