With data breaches becoming more frequent and costly, organizations face stricter regulations to safeguard personal information.
One such regulation, the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, imposes a set of data security requirements on businesses that handle private information about New York State residents.
This blog post will discuss:
- The basics of the NY SHIELD Act
- Who it affects
- The concept of private information under this Act
- How organizations can stay compliant
- Consequences of non-compliance
An Overview of the NY SHIELD Act
The SHIELD Act, enacted in March 2020, expands New York’s data security and breach notification law to protect residents’ private information more comprehensively. It affects businesses both within and outside the State of New York if they handle the personal information of New York residents.
Unlike many state regulations that apply only to companies operating within the state, the SHIELD Act’s scope is broader, applying to any business that collects, processes, or stores personal information of New York residents.
The SHIELD Act has three main goals:
- Expand the definition of private information
- Set clear requirements for data security programs
- Broaden the criteria for breach notification
What constitutes “private information” under the SHIELD Act?
The SHIELD Act broadens the scope of what’s considered private information to include:
- Personal identifiers — Names, Social Security numbers, driver’s license numbers, or non-driver ID cards.
- Account information — Financial account numbers and credit or debit card numbers, together with any security codes or access credentials. This data qualifies as private information even without a security code, access code, or password if the account or card can be used without those security measures.
- Biometric data — Fingerprints, voiceprints, iris images, and retina scans.
- Online account information — Usernames or email addresses combined with passwords or security questions.
The Act also defines private information as any data that can be used to identify an individual or to access their financial accounts, broadening the definition in response to the evolving cyber threat landscape.
Who must comply with the SHIELD Act?
The SHIELD Act applies to any business or organization, regardless of size, that:
- Owns or licenses the personal information of New York residents.
- Processes this information in any capacity (even if the business is based outside New York).
So, the Act also applies to businesses outside New York.
Before it was passed, privacy requirements applied to companies operating within the State of New York. Now, however, regardless of where you run your business, you will need to pay extra attention to what information you collect about a New York resident and how you handle it.
This makes it more difficult for companies to break into the NY market and requires additional efforts to maintain the records properly.
This regulation includes private sector businesses, educational institutions, and healthcare organizations — particularly those covered by HIPAA. Even smaller businesses are subject to compliance requirements, though they may qualify for some exemptions based on size and revenue.
What counts as a breach under this regulation?
Under the SHIELD Act, a “breach” is defined as any unauthorized acquisition or access to private information of New York residents.
This definition is broader than many other data breach laws, capturing both the theft or copying of data (unauthorized acquisition) and situations where data is simply accessed without permission (unauthorized access).
The goal is to cover a range of incidents that could potentially put personal information at risk, even if it is not directly stolen or copied.
Here’s a closer look at what counts as a breach under the SHIELD Act:
- Unauthorized acquisition — When personal information is acquired by someone without authorization, including scenarios where data is downloaded, copied, or transferred.
- Unauthorized access — When someone views or potentially uses data without authorization (even without directly downloading or transferring it). For example, if an unauthorized person accesses a database containing sensitive information but doesn’t download it, this still constitutes a breach.
- Incidents of “inadvertent disclosure” — If data is unintentionally exposed to unauthorized parties, even within the same organization, it is still considered a breach under the SHIELD Act. For example, mistakenly sending an email with private information to the wrong recipient would qualify.
- Intentional or accidental — The SHIELD Act considers both intentional breaches (e.g., hacking) and accidental exposures (e.g., an employee accidentally accessing data they’re not authorized to view) as potential breaches.
- Reasonable likelihood of misuse — The Act does not require immediate notification if the business can demonstrate a reasonable belief that the data won’t be misused. This allows organizations to assess the risk before deciding to notify affected parties.
In essence, any unauthorized access, even without clear malicious intent, counts as a breach if it involves the private information of New York residents.
Key Requirements of the SHIELD Act
The SHIELD Act outlines specific requirements that organizations must implement to achieve compliance.
Here are the three main pillars of the law:
Data security program
The SHIELD Act requires covered entities to implement a data security program that provides reasonable administrative, technical, and physical protections for private information.
Here’s how:
- Administrative safeguards — Conduct regular risk assessments, train employees on security practices, and have a designated person to oversee cybersecurity.
- Technical safeguards — Use robust network protections, encrypt sensitive data, regularly monitor systems, and establish a secure password protocol.
- Physical safeguards — Prevent unauthorized physical access to personal information and dispose of sensitive information properly.
Risk assessments
Organizations must conduct periodic risk assessments to identify vulnerabilities in their data security systems. These assessments should examine areas like:
- Data storage,
- Employee access to information, and
- Incident response protocols.
Breach notification
If a data breach occurs, the SHIELD Act mandates prompt notification to affected New York residents. Breach notifications must include the following:
- Type of information exposed,
- Potential impact, and
- Actions taken to mitigate risk.
Strategies for SHIELD Act Compliance
To meet the SHIELD Act’s requirements, organizations should consider implementing a range of compliance measures. Some effective strategies for ensuring compliance include:
Establish comprehensive data security policies
Develop policies addressing data storage, access controls, and data handling. Your policy should include procedures for regular risk assessments, employee training, and updates to data protection measures.
These policies will help enforce accountability at every level of your organization.
Train employees on data protection
Your data protection policy is only effective if employees understand it. Regular training can reduce the likelihood of human error, one of the most common causes of data breaches.
Training should cover topics like password management, phishing threats, and proper data disposal techniques.
Use encryption and multi-factor authentication (MFA)
Encrypting private information is a straightforward way to protect data, especially during storage and transmission. Multi-factor authentication (MFA) further enhances security by requiring an additional form of verification beyond just a password.
Monitor and log data access
Regular monitoring and logging of data access can help detect and prevent unauthorized attempts to view private information. Having a log of access records also aids investigations if a data breach occurs.
Partner with compliance and data security experts
For organizations that lack in-house resources for cybersecurity, partnering with third-party compliance and security providers can be a valuable investment. These providers can help with regular assessments, training, and developing data protection strategies tailored to your business.
Consequences of Non-Compliance with the SHIELD Act
Non-compliance with the SHIELD Act can lead to penalties and reputational damage. Penalties are primarily civil, allowing the New York State Attorney General to seek damages, which can include:
- Fines of up to $250,000 per violation
- Costs associated with breach response, notification, and remediation
- Loss of customer trust and potential legal liabilities from affected individuals
Common Challenges of SHIELD Act Compliance
While the SHIELD Act aims to standardize and strengthen data protection, organizations may encounter certain challenges in meeting these standards. Common obstacles include:
Balancing security with user experience
It can be difficult to ensure strong security measures without compromising user experience. Complex authentication or encryption processes, for instance, may slow down user access, creating friction that needs careful balancing.
Evolving cybersecurity threats
The threat landscape is constantly changing, which requires organizations to update their defenses regularly. Staying up-to-date with new vulnerabilities and threats is essential to maintaining compliance and protecting personal information.
Managing compliance costs
It can be costly to implement the SHIELD Act’s requirements, especially for smaller businesses with limited budgets. Organizations must consider both short-term compliance costs and long-term security benefits to optimize their approach.
SHIELD Act and Data Archiving
While the SHIELD Act will undoubtedly give individuals more rights over how their information is acquired, stored, and managed, it will also pose major challenges to companies operating in the State of New York and beyond.
Part of the challenge concerns data archiving and technical/software requirements, particularly how data is stored and disposed of in compliance with data retention laws.
To be compliant under the SHIELD Act, among other requirements, a company needs to implement a data security program that has reasonable physical safeguards such as the following:
- Assessing risks in storage and disposal — Organizations must routinely assess the security risks associated with storing and disposing of personal information.
- Detecting, preventing, and responding to intrusions — The law requires proactive and reactive measures to guard against data breaches and intrusions into systems storing personal information.
- Preventing unauthorized access during handling and disposal — To prevent unauthorized access or use, companies must secure data from the time it’s collected through its disposal, implementing measures for transportation, storage, and ultimate destruction.
- Secure disposal — The SHIELD Act requires that organizations dispose of personal information within a reasonable timeframe after it’s no longer needed. Disposal must render the data irretrievable, such as by erasing electronic media to ensure information cannot be read or reconstructed, supporting secure data deletion practices for archived data as well.
For a full list of requirements, refer to the SHIELD Act text.
How This Affects You
To define the concrete steps you must take to ensure compliance with the SHIELD Act, have a look at the following table.
We’ve broken down the requirements into a list of questions to assess your current archiving system against, so that you can specify the compliance measures you should take.
*Please note that this table is for informative purposes only, and that you should consult your legal team for advice.
Requirement | What you need to assess
“Assesses risks of information storage and disposal” |
“Protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information.” |
“Disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed. Id. §899-bb(2)(b).” |
There are more requirements to account for in order to ensure full compliance with the NY SHIELD Act. In particular, there is a set of questions concerning adherence to similar data protection laws, which require entities to act in accordance with the following:
- Under the federal regulations promulgated pursuant to 15 U.S.C. 6801-6809 (Title V of the Gramm-Leach-Bliley Act);
- Under the federal regulations implementing HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH);
- Under 23 NYCRR Part 500 (“Cybersecurity Requirements for Financial Services Companies”) promulgated by the Department of Financial Services; and
- Under any other data security laws and regulations of the federal and New York State governments;
This set of requirements refers to a broad range of conditions that businesses/institutions need to meet in order to comply with the provisions of the SHIELD Act.
Summary of the Main Points
- The SHIELD Act requires businesses handling New York residents’ personal information to implement strict data security measures.
- Key compliance areas include administrative, technical, and physical safeguards to protect sensitive data.
- Administrative safeguards involve conducting risk assessments, creating data protection policies, and employee training.
- Technical safeguards include encryption, access controls, and monitoring to prevent unauthorized access to private data.
- Physical safeguards require secure access to data storage locations and certified methods for data disposal.
- Data archiving compliance involves secure storage, setting data retention periods, and using certified disposal practices.
- Compliance with other regulations, such as HIPAA and GLBA, can support multi-regulatory adherence under SHIELD.
Stay compliant with Jatheon and ensure your data archiving practices meet the latest regulations. Our advanced archiving solutions are tailored to support compliance with the SHIELD Act. Book a demo to learn more.
FAQ
Does the SHIELD Act only apply to New York-based companies?
No, the SHIELD Act applies to any company that processes the personal information of New York residents, regardless of where the company is located.
What is the SHIELD Act’s definition of a data breach?
Under the SHIELD Act, a breach occurs when unauthorized individuals acquire or access the private information of New York residents.
Are there any exemptions for small businesses?
Yes, businesses with fewer than 50 employees, less than $3 million in revenue, or less than $5 million in total assets may qualify for limited compliance requirements based on their size.
What happens if I fail to comply with the SHIELD Act?
Non-compliance can result in fines of up to $250,000, as well as other civil penalties. Additionally, organizations may face reputational damage and liability.
How often should my organization conduct a risk assessment?
The SHIELD Act does not specify an exact interval, but annual risk assessments are generally recommended. Regular assessments are essential, particularly if there are changes in your data handling or security policies.