New York SHIELD Act: Everything You Need to Know for Compliance

New York’s Privacy Laws: A Legacy and a Challenge

New York is a leader in finance, culture, and technology, and it was also an early mover in privacy and cybersecurity regulation. As the home of Wall Street and a hub for global commerce, the state was among the first to recognize the need for robust data protection measures. The New York Department of Financial Services (DFS) Cybersecurity Regulation, introduced in 2017, was groundbreaking, setting a high bar for financial institutions. Earlier still, the state’s Information Security Breach and Notification Act (2005) was one of the first breach notification laws in the U.S., predating similar efforts in many other jurisdictions.

However, as privacy laws crop up across the U.S., New York has struggled to keep pace with states that have enacted comprehensive frameworks such as California’s CCPA or Virginia’s VCDPA. The proposed New York Privacy Act (NYPA) aimed to fill this gap, but it remains stalled in the legislature, leaving New York reliant on a patchwork of sector-specific data security laws.

Despite these gaps, New York’s existing regulations, particularly the New York SHIELD Act (the Stop Hacks and Improve Electronic Data Security Act), showcase the state’s commitment to protecting its residents’ data. Signed into law in 2019, the SHIELD Act modernized the breach notification rules (effective October 23, 2019) and introduced a flexible, risk-based data security requirement (effective March 21, 2020), a structure intended to keep it relevant in a rapidly changing digital landscape.

This guide will explore New York’s privacy landscape, focusing on the New York State SHIELD Act, its implications, and its role within the broader ecosystem of state privacy regulations.

New York’s Privacy Landscape: A Patchwork Approach

New York employs a sector-specific approach, unlike some states that have enacted overarching privacy legislation. While this means businesses must navigate a collection of laws, each regulation serves a distinct purpose.

Key Privacy Regulations in New York

1. SHIELD Act

The most widely applicable of the four, the SHIELD Act covers any business that owns or licenses computerized private information of New York residents, regardless of where the business is located. It sets out both breach notification duties and a requirement to maintain reasonable data security safeguards.

2. DFS Cybersecurity Regulation (23 NYCRR 500)

Promulgated by the Department of Financial Services (DFS), this regulation applies to entities licensed or regulated under New York’s Banking, Insurance, or Financial Services Laws. Covered entities must implement a cybersecurity program, conduct periodic risk assessments, and certify compliance to DFS annually.

3. NYC Biometric Identifier Information Law

This city-level regulation mandates transparency and disclosure when collecting biometric data, such as fingerprints or facial recognition, for commercial purposes.

4. NYDOH Oversight (10 NYCRR 405.46)

The New York Department of Health’s hospital cybersecurity regulation sets cybersecurity program requirements for general hospitals licensed in the state, complementing HRIPA and federal HIPAA requirements.

The SHIELD Act: Strengthening New York’s Data Security

The SHIELD Act, passed in 2019, builds on New York’s earlier Information Security Breach and Notification Act (2005). It introduces more stringent requirements for protecting private information and expands the definition of a data breach.

Expanded Definitions

The SHIELD Act modernizes key definitions to reflect the realities of today’s digital environment:

Private Information: Beyond traditional identifiers such as Social Security numbers and driver’s license numbers, the SHIELD Act’s definition (General Business Law § 899-aa) now includes:

  • Biometric information (e.g., fingerprints, voice prints, retina or iris images).
  • A username or email address in combination with a password, or with a security question and answer, that would permit access to an online account.
  • An account number or credit/debit card number in combination with a security code, access code, or password, or on its own where the number alone could be used to access the individual’s financial account without any additional identifying information.

Publicly available information lawfully obtained from government records is excluded from the definition.

Data Breaches: A breach now includes unauthorized access to private information, not just its acquisition. In deciding whether information was accessed, a business may consider indicators such as whether the data was viewed, communicated with, used, or altered by an unauthorized person. This change accounts for modern threats such as phishing, malware, and insider misuse, where data is exposed without necessarily being exfiltrated.

Applicability

One of the SHIELD Act’s most significant features is its broad scope. It applies to any person or business that owns or licenses computerized data including the private information of New York residents, regardless of whether the business is physically located in the state. Organizations already subject to and compliant with GLBA, HIPAA/HITECH, 23 NYCRR 500, or comparable federal or New York data security rules are deemed compliant with the SHIELD Act’s safeguards requirement, though the breach notification obligations still apply.

How to Comply with the SHIELD Act

The SHIELD Act requires organizations to develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of private information, including its disposal. The statute treats a business as compliant if its data security program includes safeguards in three categories: administrative, technical, and physical.

Administrative Safeguards

These measures ensure the effective management and oversight of data security programs:

  • Designate one or more employees to coordinate the security program.
  • Identify reasonably foreseeable internal and external risks, and assess whether existing safeguards adequately control them.
  • Train and manage employees in the security program’s practices and procedures.
  • Select service providers capable of maintaining appropriate safeguards, and require those safeguards by contract.
  • Adjust the program in light of business changes or new circumstances.

Technical Safeguards

These involve leveraging technology to prevent, detect, and address cyber risks:

  • Assess risks in network and software design, and in information processing, transmission, and storage.
  • Detect, prevent, and respond to attacks or system failures.
  • Regularly test and monitor the effectiveness of key controls, systems, and procedures.

Physical Safeguards

These measures are designed to secure physical access to sensitive data:

  • Assess risks of information storage and disposal, and detect, prevent, and respond to intrusions.
  • Protect against unauthorized access to or use of private information during or after its collection, transportation, and destruction or disposal.
  • Dispose of private information within a reasonable time after it is no longer needed for business purposes, erasing electronic media so that the information cannot be read or reconstructed.

What to Do in the Event of a Breach

Even with robust safeguards, breaches can happen. The SHIELD Act establishes clear steps for businesses to follow if private information is compromised.

Notification Requirements

Organizations must notify affected New York residents in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore system integrity. Notifications must include:

  • A description of the categories of information that were, or are reasonably believed to have been, accessed or acquired, specifying which elements of personal and private information were involved.
  • Contact information for the person or business making the notification.
  • Telephone numbers and websites of the relevant state and federal agencies that provide information on breach response and identity theft prevention.

Additionally:

  • Notify the New York Attorney General, the Department of State, and the Division of State Police about the timing, content, and distribution of the notices and the approximate number of affected persons, including a copy of the template notice sent to individuals.
  • If more than 5,000 New York residents are to be notified at one time, also notify the consumer reporting agencies (e.g., Equifax, Experian, TransUnion) of the timing, content, and distribution of the notices and the number of affected persons.

Exceptions

Not every incident requires notification. If the exposure was an inadvertent disclosure by persons authorized to access the information, and the business reasonably determines that it is unlikely to result in misuse of the information or in financial or emotional harm to the affected persons, notification to individuals may not be required. That determination must be documented in writing and retained for at least five years, and if the incident affected more than 500 New York residents, the written determination must be provided to the Attorney General within ten days.

Consequences of Non-Compliance

Failure to comply with the SHIELD Act can result in significant penalties, enforced by the New York Attorney General (the Act creates no private right of action):

  • For failing to notify: the greater of $5,000 or up to $20 per instance of failed notification, capped at $250,000.
  • For failing to implement reasonable safeguards: up to $5,000 per violation.

The Attorney General may also seek injunctive relief and restitution for actual costs or losses incurred by affected persons.

Understanding Reasonable Safeguards Under the SHIELD Act

The SHIELD Act requires businesses to implement “reasonable safeguards” to protect private information, a term that often raises questions about its scope and application. At its core, reasonable safeguards are risk-based measures tailored to an organization’s specific circumstances. The law recognizes that no system is entirely secure, focusing instead on proactive and good-faith efforts to mitigate risks. 

Unlike rigid standards, the SHIELD Act’s flexibility allows businesses of all sizes to scale their safeguards appropriately while maintaining accountability.

A key feature of reasonable safeguards is their dynamic nature. The SHIELD Act does not allow businesses to adopt a “set-it-and-forget-it” approach. Safeguards must evolve alongside emerging threats and technological advancements. Regular reviews and updates to security programs are necessary to remain compliant and effective. This adaptability reflects a broader understanding that compliance is a continuous process rather than a static milestone.

Addressing Misconceptions

Myth: Small businesses are exempt from the SHIELD Act.
Reality: All businesses handling the private information of New York residents must comply. The Act does allow a small business (fewer than 50 employees, under $3 million in gross annual revenue in each of the last three fiscal years, or under $5 million in year-end total assets) to scale its safeguards to its size and complexity, the nature of its activities, and the sensitivity of the information it holds, but that is a scaling rule, not an exemption.

Myth: Compliance ensures perfect security.
Reality: The goal is realistic risk mitigation, not unattainable perfection.

Newsworthy Enforcement Cases of the NY SHIELD Act

  1. EyeMed Vision Care (2022)

EyeMed reached a $600,000 settlement with the New York Attorney General following a 2020 data breach that exposed the personal information of over 2 million individuals, including nearly 99,000 New Yorkers. The Attorney General found that EyeMed had inadequate safeguards for password management and data retention. EyeMed was required to establish a written information security program and provide annual security training to employees.

  2. Dunkin’ Donuts (2020)

Dunkin’ paid a $650,000 penalty after tens of thousands of customer accounts in its DD Perks rewards program were compromised in credential-stuffing attacks, in which attackers reused username and password pairs leaked from other breaches. The Attorney General alleged that Dunkin’ failed to investigate the attacks or to notify affected customers. The settlement also imposed obligations such as maintaining a comprehensive information security program, protecting against future credential-stuffing attacks, and improving incident response. This case, brought under New York’s earlier breach notification and consumer protection laws, illustrates the failures in transparency and account security that the SHIELD Act now targets directly.

NY SHIELD Act Compliance with Help from Centraleyes

The SHIELD Act’s emphasis on flexible, risk-based safeguards sets a high standard for protecting private information in New York. It provides businesses with a roadmap for compliance while fostering trust among customers and stakeholders.

At Centraleyes, we take the frustration out of privacy compliance. Our unified privacy framework provides the tools and controls to align your data privacy practices with varying state laws. No more juggling multiple frameworks or fretting over missed deadlines. Centraleyes is your shortcut to mastering compliance.

Ready to simplify your data privacy strategy? Explore how we can help with our proprietary Centraleyes Privacy Framework and get on the fast track to U.S. state privacy compliance!

The post New York SHIELD Act: Everything You Need to Know for Compliance appeared first on Centraleyes.

*** This is a Security Bloggers Network syndicated blog from Centraleyes authored by Rebecca Kappel. Read the original post at: https://www.centraleyes.com/new-york-shield-act/