Guide to The Stop Hacks and Improve Electronic Data Security (SHIELD) Act

What Is The Stop Hacks and Improve Electronic Data Security (SHIELD) Act?

The Stop Hacks and Improve Electronic Data Security Act, otherwise known as the SHIELD Act, is a New York state law that provides consumers substantially greater privacy and data protection than before, and requires businesses to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.”

According to the bill, “private information” includes name, social security number, a driver’s license number, credit or debit card number, financial account number (with or without security code, as long as an authorized person could gain access to the account), biometric information, and username or email address with a password that permits access to an online account. The bill expands the definition of “breach of a security system” to include unauthorized access, rather than solely unauthorized acquisition of information.

Who is Subject to the SHIELD Act?

Every employer with employees in New York must comply with the SHIELD Act, because private information includes an individual’s name and Social Security number. Any business that collects or maintains private information about a New York resident needs to comply with the SHIELD Act.

Businesses that are already compliant with other regulations requiring information security, such as the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act Security Rule, or the New York State Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies, are deemed compliant with the SHIELD Act.

What Does the SHIELD Act Require of Covered Businesses?

The SHIELD Act necessitates that each covered entity take measures including:

  • Designate an employee or employees to coordinate the data security program;
  • Assess risks to information systems that contain or process private information, and implement controls to reduce those risks;
  • Vet service providers and bind them contractually to safeguard private information;
  • Destroy private information within a reasonable amount of time after it is no longer needed for business purposes;
  • Train employees on security program practices and procedures; and
  • Notify the state attorney general about data breaches in a timely manner when a business determines that a breach has occurred. If a breach involves the private information of more than 500 New York residents, the employer is required to submit the documentation to the state’s attorney general within 10 days of that determination.

Who Enforces the SHIELD Act and What are the Penalties for Non-Compliance?

The New York state attorney general has the authority to enforce the SHIELD Act. While the SHIELD Act does not create a private right of action, it doubles the penalty recoverable by the attorney general from $10 to $20 per failed notification and increases the maximum penalty from $100,000 to $250,000.
