Client Alert

Are you ready for the New York SHIELD Act?

18 Feb 2020

Data security provisions of New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act take effect on March 21, 2020.

Businesses should review their information security programs to identify the “private information” they collect and to evaluate their existing safeguards against the SHIELD Act’s data security requirements. Businesses that have already taken steps to comply with similar state laws that prescribe specific elements of a data security program (such as Massachusetts’ regulation requiring a written information security program) may find that they have a head start on SHIELD Act compliance.

What does the SHIELD Act require?

The SHIELD Act requires covered businesses to implement and maintain reasonable data security measures to protect the security, confidentiality and integrity of private information.

Businesses that have a data security program that includes the following safeguards are deemed to be in compliance with the Act’s requirements:

  • Administrative safeguards in which the business:
    • Designates an employee to coordinate the security program,
    • Identifies reasonably foreseeable internal and external risks,
    • Assesses the sufficiency of safeguards in place to control the identified risks,
    • Trains employees in the security program practices and procedures,
    • Selects service providers that maintain appropriate safeguards, and contractually requires those safeguards and
    • Adjusts the security program to meet business changes or new circumstances;
  • Technical safeguards in which the business:
    • Assesses risks in network and software design,
    • Assesses risks in information processing, transmission and storage,
    • Detects, prevents and responds to attacks or system failures and
    • Regularly tests and monitors the effectiveness of key controls, systems and procedures; and
  • Physical safeguards in which the business:
    • Assesses risks of data storage and disposal,
    • Detects, prevents and responds to intrusions,
    • Protects against unauthorized access to or use of private information during or after the collection, transportation and disposal of the information and
    • Disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

To whom do the data security provisions of the SHIELD Act apply?

  • The data security provisions of the SHIELD Act apply to businesses that own or license private information of New York State residents. Under the Act, “private information” means either:

(a) unencrypted personal information consisting of any information in combination with any of the following data elements: (1) Social Security number; (2) driver’s license number or other identification card number; (3) account, credit or debit card number, in combination with any other information that would permit access to an individual’s financial account; (4) account, credit or debit card number if circumstances exist wherein such number could be used to access an individual’s financial account without additional information; or (5) biometric information; or

(b) a user name or email address in combination with a password or security question and answer that would permit access to an online account.

  • A business that stores or processes New York residents’ private information may be subject to the SHIELD Act – even if it does not have operations or employees in New York.
  • Businesses that are subject to, and in compliance with, certain specified federal and New York State laws and regulations[1] are exempt from the SHIELD Act’s data security requirements. There are also special rules for small businesses.[2]

How do the SHIELD Act’s data security requirements compare to other U.S. laws’ data security requirements?

A number of U.S. legal regimes require companies to take reasonable measures to protect personal information. For example, under Section 5 of the FTC Act, a business is expected to take reasonable and necessary security measures to protect sensitive personal data.

Many U.S. state laws impose requirements on businesses to take reasonable data security measures to protect personal information from unauthorized access and use.

  • Massachusetts in particular has one of the more stringent data security requirements: since 2010, Massachusetts has required businesses that own or license personal information about Massachusetts residents to have a comprehensive information security program. Similar to the SHIELD Act, Massachusetts’ law sets forth minimum standards for what must be included in a written information security plan.
  • Illinois law illustrates another commonly seen approach: businesses that own or license personal information about Illinois residents must implement and maintain reasonable security measures to protect the information from unauthorized access, use or disclosure.

While the SHIELD Act does not provide a private right of action to consumers, the New York Attorney General has enforcement authority and may impose civil penalties of up to $5,000 for each violation and injunctive relief.

In addition to the data security requirements noted above, the SHIELD Act also revises New York’s breach notification requirements. Please see our previous client alert for our analysis of the SHIELD Act’s changes to New York’s breach notification requirements.[3]

[1] Title V of the Gramm-Leach-Bliley Act, HIPAA, New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR 500), and other data security rules and regulations of, and the statutes administered by, any official department, division, commission or agency of the federal or New York State government.

[2] Defined under the Act as any person or business with (i) fewer than fifty employees; (ii) less than $3 million in gross annual revenue in each of the last three fiscal years; or (iii) less than $5 million in year-end total assets.
Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.