Stop Hacks and Improve Electronic Data Security Act (SHIELD ACT)

New York has enacted the Stop Hacks and Improve Electronic Data Security Act (SHIELD ACT) which was signed on July 25, 2019 by Governor Cuomo.

The SHIELD Act amends New York’s existing data breach notification statue to impose additional requirements on businesses that hold private information of New York residents. Section 3 of the SHIELD Act broadens the definition of private information to include i) biometric information such as fingerprints, voiceprints, retina or iris images, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain an individual’s identity, ii) a username or email address in combination with a password or security question and answer that would permit online account access, and iii) account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password. The SHIELD Act also expands the circumstances that trigger breach notification obligations and requires businesses to implement reasonable administrative, technical, and physical safeguards to protect private information. Being “reasonable” is defined both as a general standard and with a list of specific measures that the businesses should comply.

Specific reasonable administrative safeguards include designating one or more employees to coordinate the security program of the business, identifying reasonably foreseeable internal and external risks, training employees to coordinate the security program, selecting service providers capable of maintaining appropriate safeguards by contract, and adjusting the security program in light of business changes while reasonable technical safeguards include, among others, regularly testing and monitoring the effectiveness of key controls, systems,and procedures, and detects, prevents and responds to attacks or system failures. Disposing of private information within a reasonable time after it is no longer needed for business purposes and protecting private information against unauthorized access are counted among reasonable physical safeguards.

Regulated entities complied with another cybersecurity legal regime i.e. Gramm-Leach-Bliley Act, HIPAA or New York Department of Financial Services’ Cybersecurity Regulation are deemed compliant with the SHIELD Act’s reasonableness standard.

The SHIELD Act does not authorize a private right of action, but the attorney general may bring an action for the violations of the law and civil penalties may be imposed by the court. Further, any business that holds private information of New York residents is required to comply, not only companies doing business in New York.
The SHIELD Act provisions on information security took effect on March 21, 2020, while the other provisions took effect on October 23, 2019.

If you have any questions about the SHIELD Act, please contact Fulya Kazbay at