Guide to the Stop Hacks and Improve Electronic Data Security (SHIELD) Act

What Is The Stop Hacks and Improve Electronic Data Security (SHIELD) Act?

The Stop Hacks and Improve Electronic Data Security Act, otherwise known as the SHIELD Act, is a New York state law signed in July 2019. It amended the state’s data breach notification statute (General Business Law §899-aa) and added a new data security requirement (§899-bb). The Act broadens the categories of data and the kinds of incidents that trigger breach notification, and it requires any business holding New York residents’ private information to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.”

Under the Act, “private information” means personal information (such as a name) combined with one or more of the following data elements: a Social Security number; a driver’s license or non-driver identification card number; an account number or credit or debit card number, either together with any required security code, access code or password, or on its own if the number alone could be used to access the account; biometric information; or a username or email address together with a password or security question and answer that permits access to an online account. The Act also expands the definition of “breach of the security of the system” to include unauthorized access to private information, not only unauthorized acquisition of it, so an intrusion that exposes data can be a reportable breach even when nothing is shown to have been exfiltrated.

Who is Subject to the SHIELD Act?

Every employer with employees in New York must comply with the SHIELD Act, because payroll and HR records alone contain an individual’s name together with a Social Security number. More generally, any person or business that owns, licenses or maintains computerized data containing the private information of a New York resident must comply, regardless of where that business is located.

Businesses that are already subject to, and in compliance with, another information security regime, such as the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act Security Rule, or the New York State Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500), are deemed compliant with the SHIELD Act’s reasonable-safeguards requirement. They remain subject to the Act’s breach notification requirements.

What Does the SHIELD Act Require of Covered Businesses?

The SHIELD Act requires each covered business to take measures including:

  • Designate one or more employees to coordinate the data security program;
  • Identify reasonably foreseeable internal and external risks to information systems that store or process private information, and implement controls to reduce those risks;
  • Select service providers capable of maintaining appropriate safeguards and bind them contractually to safeguard private information;
  • Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes, erasing it so that it cannot be read or reconstructed;
  • Train employees on the security program’s practices and procedures; and
  • Notify affected New York residents of a breach in the most expedient time possible and without unreasonable delay once the business determines that a breach has occurred. Whenever any New York residents are notified, the business must also notify the state attorney general, the Department of State and the Division of State Police; if more than 5,000 New York residents are notified at one time, consumer reporting agencies must be notified as well.

Who Enforces the SHIELD Act and What are the Penalties for Non-Compliance?

The New York state attorney general enforces the SHIELD Act; the Act creates no private right of action. For failures to notify, it doubles the per-instance penalty from $10 to $20 per failed notification and raises the cap to $250,000. Failure to maintain reasonable safeguards carries a separate civil penalty of up to $5,000 per violation.

SHIELD Act: Frequently Asked Questions

Who must comply with the SHIELD Act?

The SHIELD Act applies to any person or business, regardless of physical location, that owns, licenses, or maintains computerized data containing the private information of New York residents. A company based outside New York must therefore comply if it handles data on New York residents. The Act covers businesses of all sizes, as well as individuals who process or manage such data, which makes it one of the more comprehensive state-level data security laws in the U.S.

What counts as “private information” under the SHIELD Act?

Under the SHIELD Act, “private information” is personal information (for example, a name or other identifier) combined with one or more of the following data elements, where the data elements are not encrypted, or are encrypted with an encryption key that has also been accessed or acquired:

  • Social Security numbers (SSNs)
  • Driver’s license or non-driver identification card numbers
  • Account numbers or credit or debit card numbers, in combination with any required security code, access code, or password, or on their own if the number alone could be used to access the account
  • Biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics (e.g., fingerprints, voice prints, retina or iris images, facial recognition data) used to authenticate or identify the individual
  • Usernames or email addresses combined with passwords or security questions and answers that permit access to online accounts

What does the SHIELD Act require of businesses?

The SHIELD Act imposes several key requirements on businesses handling the private information of New York residents:

  • Data security program: Businesses must implement and maintain a data security program with reasonable administrative, technical, and physical safeguards to protect private information.
  • Administrative safeguards: These include designating employees to coordinate the security program, identifying reasonably foreseeable risks and assessing whether existing safeguards address them, selecting service providers capable of maintaining appropriate safeguards and requiring those safeguards by contract, training employees on security practices, and adjusting the program as business circumstances change.
  • Technical safeguards: Businesses must assess risks in network and software design and in how information is processed, transmitted, and stored; implement processes to detect, prevent, and respond to attacks or system failures; and regularly test and monitor the effectiveness of key controls, systems, and procedures.
  • Physical safeguards: Businesses must assess the risks of how information is stored and disposed of, detect and respond to physical intrusions, protect against unauthorized access to private information during collection, transport, and destruction, and dispose of private information within a reasonable time after it is no longer needed.
  • Third-party security: Businesses must ensure that their service providers also maintain reasonable security measures by including appropriate contractual obligations.
  • Breach notification: If a breach occurs, businesses must notify affected New York residents without unreasonable delay and, whenever residents are notified, also notify the New York Attorney General, the Department of State, and the Division of State Police.

Who enforces the SHIELD Act, and what are the penalties?

The SHIELD Act grants the New York State Attorney General the authority to enforce the law and to seek civil penalties against businesses that fail to comply. The penalties can be substantial:

  • For failure to implement reasonable security measures: The Attorney General can seek civil penalties of up to $5,000 per violation.
  • For failure to notify affected individuals and authorities in the event of a breach: A court may award actual costs or losses incurred by affected persons, and for knowing or reckless violations a civil penalty of the greater of $5,000 or up to $20 per instance of failed notification, capped at $250,000. Because the per-instance amount scales with the number of residents who were not notified, the penalty can accumulate quickly after a single breach. These penalties are designed to incentivize timely and transparent breach reporting.

What are “reasonable” security measures under the SHIELD Act?

The SHIELD Act uses a flexible, context-based standard for “reasonable” security measures. Rather than mandating specific technologies or protocols, it requires businesses to adopt safeguards appropriate to their size and complexity, the nature and scope of their activities, and the sensitivity of the information they handle. The law groups these measures into three categories (described above):

  • Administrative safeguards
  • Technical safeguards
  • Physical safeguards

How does the SHIELD Act compare with GDPR?

While both the SHIELD Act and the General Data Protection Regulation (GDPR) aim to protect individuals’ data, they have different scopes, requirements, and enforcement mechanisms:

  • Jurisdiction: GDPR applies to any organization processing the personal data of individuals in the EU, regardless of where the organization is based. The SHIELD Act applies specifically to businesses handling the private information of New York residents, even if the business is not located in New York.
  • Focus: GDPR places a strong emphasis on data privacy and individual rights, including the right to access, correct, and delete personal data. The SHIELD Act focuses on data security and breach notification requirements.
  • Penalties: GDPR imposes much higher potential fines for non-compliance (up to 4% of global annual revenue or €20 million, whichever is higher), compared to the SHIELD Act’s civil penalties of up to $5,000 per violation for inadequate safeguards and up to $250,000 for failures to notify.
  • Data types: GDPR applies to a broader range of personal data, including any information that can identify an individual. The SHIELD Act is narrower, focusing on specific types of sensitive data that could lead to identity theft or account takeover.

How does the SHIELD Act compare with CCPA?

The SHIELD Act and the California Consumer Privacy Act (CCPA) both aim to protect consumer data, but they have distinct differences:

  • Scope: CCPA provides broader consumer privacy rights, such as the right to know what personal data is being collected, the right to delete personal data, and the right to opt-out of the sale of personal data. The SHIELD Act is primarily concerned with data security and breach notification, rather than granting broad privacy rights.
  • Applicability: CCPA applies to for-profit businesses that meet certain criteria, such as having annual gross revenues over $25 million, processing data of 100,000 or more consumers or households, or earning 50% or more of their annual revenue from selling personal data. The SHIELD Act applies to any entity that processes the private information of New York residents, regardless of business size or profit status.
  • Data categories: CCPA covers a wide array of personal information, while the SHIELD Act is focused on specific types of sensitive data that are more likely to result in identity theft or fraud.
  • Penalties: CCPA gives consumers a private right of action for certain data breaches that result from a failure to maintain reasonable security, while the SHIELD Act is enforced solely by the New York State Attorney General, with no private right of action.

What must a business do after a breach?

In the event of a data breach involving private information, businesses must act swiftly to comply with the SHIELD Act’s notification requirements:

  • Notify affected individuals: Businesses must notify any New York residents whose private information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person. This notification must occur “in the most expedient time possible and without unreasonable delay,” subject to the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore the integrity of the system.
  • Notify New York state agencies: Whenever any New York residents are notified, businesses must also notify the New York Attorney General’s Office, the Department of State, and the Division of State Police as to the timing, content, and distribution of the notices and the approximate number of affected persons. If more than 5,000 New York residents are notified at one time, consumer reporting agencies must be notified as well.
  • Content of notification: The notification must include contact information for the business, the telephone numbers and websites of relevant state and federal agencies that provide information on breach response and identity theft prevention, and a description of the categories of information that were, or are reasonably believed to have been, accessed or acquired.
  • Mitigation and remediation: Businesses should also take immediate steps to contain the breach, mitigate its effects, and prevent future incidents.

Are there exemptions under the SHIELD Act?

Yes, there are certain exemptions and accommodations under the SHIELD Act:

  • Entities compliant with other regulations: Businesses already subject to, and in compliance with, data security requirements under federal or state regulations, such as HIPAA (Health Insurance Portability and Accountability Act), the Gramm-Leach-Bliley Act (GLBA), or 23 NYCRR Part 500, are deemed compliant with the SHIELD Act’s reasonable-safeguards requirement. These entities must still comply with the SHIELD Act’s breach notification requirements; a HIPAA-covered entity that reports a breach to the U.S. Department of Health and Human Services must also notify the New York Attorney General within five business days of doing so.
  • Small businesses: The SHIELD Act allows flexibility for small businesses (defined as having fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets). These businesses are still required to maintain safeguards, but only those appropriate to their size and complexity, the nature and scope of their activities, and the sensitivity of the information they handle.

How can businesses demonstrate compliance with the SHIELD Act?

Businesses can demonstrate compliance with the SHIELD Act by:

  • Developing a written information security program: Documenting the administrative, technical, and physical safeguards in place to protect private information.
  • Conducting regular risk assessments: Evaluating potential risks and vulnerabilities in their data security practices and making necessary adjustments.
  • Implementing and updating security measures: Keeping security measures current and effective, including encryption, secure access controls, regular employee training, and incident response plans.
  • Engaging third-party audits or assessments: Periodically engaging third-party experts to assess the effectiveness of their data security program and ensure it meets the SHIELD Act’s requirements.
  • Maintaining records of compliance activities: Keeping thorough records of all compliance efforts, including risk assessments, training programs, breach notifications, and any other relevant documentation, to demonstrate their commitment to protecting private information in the event of an investigation by the New York State Attorney General.

Hyperproof makes SHIELD compliance simple

  • Take a project management approach to meet SHIELD Act requirements for streamlined execution
  • Collect and view risks, data protection controls, and control statuses in one place 
  • Leverage control crosswalks to align overlapping controls across multiple frameworks, speeding up your compliance work and reducing manual processes
  • Effectively collect and document evidence to demonstrate that you have met SHIELD Act requirements
  • Monitor your progress toward meeting the requirements of the SHIELD Act with robust, exportable dashboards
