New York State SHIELD Act | NY Cybersecurity Regulations


Your Guide to the New York SHIELD Act Cybersecurity Regulations

Have you heard the news?

On October 23rd, 2019, the NY SHIELD or “Stop Hacks and Improve Electronic Data” Act (Senate Bill S5575B) officially came into effect. The SHIELD Act looks to protect New York residents’ personal and private data by making sure companies use reasonable security measures.

With this new cybersecurity regulation in effect, companies now have until March 21st, 2020, to comply.

Join us as we explain everything you need to know about the SHIELD Act and what you need to do to avoid hefty fines.

What is the SHIELD Act?

In a nutshell, the New York SHIELD Act builds upon the State’s current cybersecurity regulations by updating legal definitions, adding new stipulations for notifying individuals of a breach and protecting personal as well as private data.

Its primary aim is to safeguard New York residents’ personal and private data from cyberattacks.

But not all cyberattacks are preventable, so the SHIELD Act also explains how companies should respond and inform individuals following a data breach. 

Under this new regulation, companies must notify affected individuals via email, public posting or statewide media announcement, as soon as possible.

However, you don't need to notify individuals if someone authorised to access the information inadvertently shared it, and the information is unlikely to be misused or cause financial or emotional harm. 

Businesses must still create a written record and retain this record for at least five years. 

When an incident impacts more than 500 New York state residents, businesses will need to submit a written report to the State Attorney General within ten days.

Why Does the NY Shield Act Matter?

Recent reports from Norton show that over 4.1 billion records were exposed in 2019, a 54% increase from 2018.

With data breaches and cyberattacks on the rise, businesses must safeguard individuals’ personal and private information. The SHIELD Act attempts to make sure New York cybersecurity regulations are up-to-date and match the current situation.

How is Personal Information Defined in the New York SHIELD Act?

The NY SHIELD Act establishes cybersecurity regulations for protecting personal and private information.

  • Personal information - any information that could be used to identify a natural person like a name, phone number or personal mark. 
  • Private information - any sensitive details connected to a natural person like their social security number, driver’s license or ID card number, bank account, etc. Interestingly, private information also includes log-in details like usernames and passwords.


Watch our NY State Shield Act Webinar On-Demand


Who Does the SHIELD Act Apply To?

Businesses that process or store New York residents’ private information online or on a computer must comply with the SHIELD Act. Even if your company isn’t based in New York, but still works with NY customers or employees, you’ll need to comply. 

As we explained earlier, you must report larger breaches affecting more than 500 New York residents to the State Attorney General. However, any company that collects health-related data must also report such incidents to the Federal Authorities.

Who Does the NY SHIELD Act Not Apply To?

Some small businesses are exempt from these cybersecurity regulations. For example, you don’t need to comply with the NY SHIELD Act if you have fewer than 50 employees, less than $3 million in gross revenue during the last three fiscal years, or less than $5 million in total year-end assets.

Instead, you’re expected to scale your data security as appropriate for your size, business activities and sensitivity of the personal information you collect.

Companies that already comply with the Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA) or New York State Department of Financial Services cybersecurity regulations are also exempt as their current cybersecurity arrangements are considered SHIELD compliant.

What Are the Consequences of Failing to Comply with the Shield Act?

Failing to comply with the New York SHIELD Act can carry some serious consequences. 

If your cybersecurity system isn’t SHIELD compliant and you don’t notify victims within a suitable time frame, data breach victims can take your company to court. The court might then award damages for actual costs as well as financial losses.

If the court decides you knowingly or recklessly violated the SHIELD Act, they can also impose a civil penalty of between $5,000 and $250,000 depending on the size of the breach.

5 Easy Steps to Comply with the New York SHIELD Act

Thankfully, there are a few steps you can take to make sure your business complies with the New York SHIELD Act and avoids any financial penalties.

  1. Review your current cybersecurity set-up. Start by conducting a thorough audit of your existing IT infrastructure, resources, devices, protocols and access controls looking for any internal or external weaknesses. This will help you to prioritise cybersecurity fixes and create a plan of attack.
  2. Examine access controls. What individuals within your organisation have access to sensitive information? Make sure to regularly review and update your list of employees to make sure your access controls are appropriate and up-to-date. 
  3. Review incident response and disaster recovery plans. What would happen if your company experienced a data breach? Do you have the protocols in place for employees to react quickly and efficiently? Review and update any incident response and disaster recovery plans to make sure everyone knows how to respond.
  4. Cybersecurity training. Your employees are your first line of defense against cyberattacks. So everyone must know how to identify phishing attacks and always use cybersecurity best practices, like creating smart passwords.
  5. Reassess processes for storing private data. As part of the New York SHIELD Act, you must assess any risks for processing, sending and storing personal or private data. After you've finished with a customer’s private information, you must erase the data so it cannot be read or reconstructed.

Attend Our New York Shield Act Webinar

Learn more about the New York SHIELD Act and how you can make sure you’re fully compliant with our webinar on 22nd of January 2020 at 11am. Book your spot today.

Spaces are limited.

