The New York SHIELD Act in Effect: What Businesses Need to Know

by John DiGiacomo

Partner

Data Breach

In late March 2020, all provisions of the New York SHIELD Act went into effect. This is New York’s amended data privacy and cybersecurity law. “SHIELD” is an acronym for Stop Hacks and Improve Electronic Data Security. Like many similar statutes recently enacted, the SHIELD Act not only applies to New York businesses, but also applies extraterritorially to any business that collects and stores data with respect to individuals living in New York. Thus, even non-New York businesses need to be aware of what the Act requires. Here is a quick overview of some of the more important features of the new Act.

What is New for Affected Businesses?

The SHIELD Act heightens and expands the statutory mandates with respect to the cybersecurity measures that a business must have in place to protect personal data from hackers, unauthorized access and other forms of malicious exfiltration. The Act also broadens New York’s data breach notification requirements.

One of the expanded requirements relates to the disposal, deletion and destruction of data. The Act mandates that all businesses must prepare and implement “reasonable” policies and procedures to protect data. Those policies and procedures must now be expanded to protect data that is being deleted and equipment that is being disposed of or destroyed. The Act also now requires that all companies that collect personal data must designate a data security officer (an individual or small group). The data security officer is to be tasked with implementation and oversight of data security protocols and with the responsibility to lead the team that is designated to respond to any breach or attempted breach.

Businesses are considered in compliance with the Act if the policies and procedures they implement comply with the safeguards listed in the statute. For example, with respect to administrative safeguards, companies need to appoint their data security officer, identify and guard against foreseeable external and insider risks, provide training and more. With respect to technical safeguards, companies must have proper and state-of-the-art software and hardware, must have programs and tools designed to detect efforts at unauthorized access, must regularly update systems against new threats and more. Reasonable physical safeguards must also be in place to prevent physical theft and unauthorized access to or use of confidential data. A new provision also mandates that businesses must remove or delete private information “within a reasonable amount of time” after the information is no longer needed. As noted, reasonable security measures must be in place for data destruction to ensure that the data cannot be read or reconstructed.

What is the Expanded Definition of Personal Information?

The new Act broadens the definition of “personal information” (now designated as “private information”) to cover biometric data, email addresses, passwords, other account security information and “health information.” This brings New York into line with other states like California and Illinois that recognize a much broader definition of privacy data and information. The new definition still retains the old list of personally identifiable information such as names, addresses, social security and driver’s license numbers, credit/debit card information, financial account numbers, etc.

How Has Breach Notification Been Expanded?

Notification of a “breach” is now required where there has been unauthorized access. Under the old breach notification provisions, some sort of exfiltration or “taking” of the data was needed before the notice requirement was triggered. Now, notice can be triggered by unauthorized access of private information even if there is no evidence or indication of use, alteration, copying or other taking of the information.

How does the SHIELD Act compare with the GDPR and the California Consumer Privacy Act (CCPA)?

In general, the SHIELD Act does not go beyond any mandates found in the European Union’s General Data Protection Regulation or the California Consumer Privacy Act. Thus, if a business is already in compliance with those statutes, it should be in compliance with the SHIELD Act as well.

Does the SHIELD Act Have a Private Right of Action?

No, nothing has changed in this respect. Enforcement of the Act remains with the New York Attorney General’s Office.

Contact Us Today

For more information about the SHIELD Act or if you have legal questions about data security or how to respond to a data breach, contact the data security lawyers at Revision Legal at 231-714-0100.
