SCHEDULE NOW
CALL US
212-865-9848
Schedule Your Appointment
Home /Blogs/What You Need to Know About the SHIELD Act in New York
February 5, 2020 | From the blogUncategorized

What You Need to Know About the SHIELD Act in New York

post image

Updated: 2021 Mar. 2

Data breaches occur far too often.  As a result, many states are passing laws that impose stricter cybersecurity obligations on businesses.  New York recently became one of those states with the “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act, which requires businesses that collect private information about New York residents to implement reasonable administrative, technical and physical security measures that meet certain standards.  The Act, which will have a much broader impact than previous federal and state laws, was signed into law on July 26, 2019, and takes effect March 21, 2020.  To prepare, businesses must understand their obligations.

CHANGES IN NEW YORK LAW

The SHIELD Act amends and adds to New York’s existing breach notification law in several ways, such as:

  • “Private information.” The Act broadens the definition of “private information” to include personal information combined with one or more non-encrypted data elements, such as driver’s license or non-driver ID card numbers; social security numbers; and certain account, credit or debit card numbers, including those without security or access codes. Other examples of non-encrypted data elements include biometric information (g., a fingerprint, voice print, retina or iris image, or other unique physical or digital representation used to authenticate or ascertain an individual’s identity) and usernames or e-mail addresses, together with any passwords or security questions and answers, that would permit access to an online account. 
  • “Breach.” The Act also broadens the meaning of “breach,” which is now defined as unauthorizedaccess of computerized data that jeopardizes individuals’ private information, security or confidentiality.  Previously, a “breach” was limited to the unauthorized acquisition of computerized data.
  • The Act adds that when a breached business transmits a breach notification to affected individuals, it must do so without delay, and the notice must describe the types of information exposed as a result of the breach and include the contact information of the proper state and federal agencies, namely those that provide information on identity theft detection and prevention and security breach response.
  • Territorial scope. The Act applies to any business that collects private information about New York residents. Previously, the law applied only to companies that conducted business in New York. 
  • Businesses that fail to comply with the Act face higher penalties. The New York State Attorney General can seek $20 per failed notification (up from $10 under prior law) with a maximum penalty of $250,000 (up from $100,000).

IMPACT ON CONSUMERS 

The SHIELD Act does not provide for a private right of action, so consumers cannot sue a company for failing to comply with the Act.  However, the New York Attorney General can bring an action against a business, as well as impose stiff penalties—a strong incentive for businesses to comply.  Ultimately, consumers benefit from enhanced data protection efforts.  For example, the Act’s requirement that breached businesses issue a prompt notice to consumers allows consumers to change passwords, close accounts, institute credit report monitoring and take other immediate action to protect themselves.  In addition, New York residents have these same protections even if a breach occurs in a company that is located outside of New York because, as discussed above, the Act applies to any business that collects private information about New York residents. 

IMPACT ON EMPLOYERS/BUSINESSES 

The SHIELD Act’s implementation affects many companies across the U.S. and internationally.  Affected businesses should take the following steps:

  • Review data security policies, procedures, and technology. The Act requires that companies implement various administrative, technical and physical safeguards to protect their data and prevent security breaches. Such safeguards may include conducting risk assessments, designating at least one employee to implement and monitor a security program, regularly monitoring and testing security systems, selecting capable vendors, securely and timely disposing of sensitive private information and other actions set forth in the law.  
  • Update HR policies and training. Employers should instruct employees on the importance of properly securing customer information both internally and externally. Employers should also educate employees on when the SHIELD Act applies, how to handle customers’ private information, procedures related to breach notification, and data retention and disposal policies. 
  • Vet data security of third parties. When entering into a third-party contract with a vendor who might handle consumers’ private information, businesses should make sure that the vendor also maintains data safeguards under the SHIELD Act and, to mitigate any potential liability, include data security provisions in the contract.

Conclusion

Note that small businesses—businesses with fewer than 50 employees or less than $3 million in gross annual revenue—are held to a less stringent standard and may tailor their data safeguards based on the size and nature of their business and the sensitivity of the private information it handles.  If you have questions about compliance with the SHIELD Act, consult an experienced business and employment attorney for advice.

Schedule an appointment for a case evaluation

This field is for validation purposes and should be left unchanged.
Tags:  New York Law,  Security Policy,  SHIELD ACT

Related Articles

Feb 05, 2020 From the blog  |  Uncategorized What You Should Know About NFTs
Non-fungible tokens or NFTs have become hot commodities in recent years. Celebrities, artists, and entertainment companies are offering NFTs for millions of dollars in some cases and collectors are buying them up. However, this is a new and evolving area. As a result, there are people on both sides that do not fully understand what
 
Intellectual Property Licensing and Assignments
Copyright Registrations and Terminations
Trademark Infringement
Copyright Infringement
Copyright Claims Board (CCB)
Account Stated Claims
Arbitration
Breach of Contract
Breach of Fiduciary Duty
Business Torts
Class Actions
Civil Litigation
Counterfeiting
Debt Collection
Defamation
Demand Letter
Digital Millennium Copyright Act (DMCA)
Fraud Claims
Fraudulent Conveyance in Bankruptcy
Freelancers
Insurance
Limited Liability Company (LLC) Disputes
Partnership Disputes
Preference Claims in Bankruptcy
Right of Publicity
Shareholder Disputes
Trademark Infringement Defense
Trade Libel
Trade Secrets
Unfair Competition
White-Collar Crimes
Age Discrimination
Defending Discrimination Claims
Defending Discrimination Claims in California
Disability Discrimination
Employment Agencies
Employee Handbooks
Employee Misclassification
Employment Law Mediation
EEOC Claims
Family Medical Leave Act
Hostile Work Environment
Independent Contractor Agreements
Non-Compete and Non-Solicitation Agreements in Employment Law
Offer Letters and Employment Agreements
Political Discrimination
Pregnancy Discrimination
Race Discrimination
Religious Discrimination
Separation and Severance Agreements
Sexual Harassment
Sexual Orientation and Gender Identity Discrimination
Union Grievances
Wage and Hour
Wrongful Termination
Adult Entertainment Films
Art Law
Comedy Law
eSports Law
Fashion Law
Film Financing
Intellectual Property Rights Clearance for Film and Television Productions
International Trademark: Madrid Protocol
Music Law
Podcast Collaborations
Production Counsel
Publishing
Talent Agency & Artist Management Contracts
Theatre Law
Trademark Registration
TV & Film Agreements
Social Media Influencers
Sports Law
Student-Athlete Name, Image & Likeness Rules
Blockchain Technologies & Digital Currencies
Business Agreements
Business Divorce
Cannabis Law
Contract Negotiation
Corporate Financing
Corporate Law
Data Privacy & Cybersecurity
E-Commerce
General Counsel
Insolvency
Internet Law
Legal Due Diligence
Mergers & Acquisitions
Non-Fungible Tokens (NFT)
Non-Profit Formation & Law
Privacy Policies and Terms and Conditions
Purchase & Sale of Business
SaaS Agreements
Secured Transactions
Small Business Law
Business Start-Up Law
Technology Law
Venture Capital
Share This