New York’s SHIELD Act Now Effective – Take Steps to Ensure Compliance

Privacy & Cybersecurity Update

Date: April 23, 2020

The confluence of the COVID-19 crisis and the growing facility with remote work has moved more and more work to online and other digital platforms. As with any technological advance, cybercriminals see this as creating new targets of opportunity, increasing the risk of cybersecurity events and reemphasizing for many regulators the importance of data security. As these risks multiply, businesses would do well to assess their current legal obligations and ensure that their data security programs comply with regulations in all applicable jurisdictions.

Take New York, for example. As we reported in our previous alert, in July 2019 New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). The SHIELD Act, which became effective on March 21, 2020, imposes more expansive data security requirements on companies and amends the state’s data breach notification law.

Data Security

The SHIELD Act imposes on businesses that maintain New York residents’ private information new obligations to “develop, implement and maintain reasonable safeguards” to secure the information in both its use and disposal. Companies that are already subject to, and compliant with, certain federal and state data security regulations, such as financial institutions regulated by the Gramm-Leach-Bliley Act or health care organizations covered by the Health Insurance Portability and Accountability Act, are deemed to be in compliance with the SHIELD Act as well.

Under the SHIELD Act, an organization that is not already subject to these or similar regulations must implement and maintain specified administrative, technical and physical safeguards to protect private information, which include designating personnel to oversee the organization’s data security program; implementing due diligence and contractual requirements on third-party service providers; regularly testing key cybersecurity controls, systems and procedures; and implementing physical access controls. However, the SHIELD Act affords “small businesses” (as defined in the law) greater flexibility in implementing and maintaining their information security programs.

Breach Notifications
Types of Information Covered

The SHIELD Act expands the scope of New York’s breach notification law by broadening the types of personal information that trigger notification obligations. Previously, state law required notification if an individual’s Social Security number, driver’s license or identification number, or financial account number (coupled with a security code or password), together with any personally identifiable information, was compromised. The SHIELD Act adds to this list biometric information as well as user names and email addresses, if they are coupled with passwords or other credentials allowing access to online accounts. The new law also removes the requirement that a financial account number be coupled with a security code or password, if the account could be accessed without such credentials.

Mere “Access” Can Trigger Reporting

Previously, New York’s data breach law only required notification when there was an unauthorized acquisition of computerized data, the determination of which was based on several factors identified in the law. The SHIELD Act broadens this requirement by also mandating notification when there is unauthorized access to protected information, meaning that reporting is now required in situations where personal information is exposed but not necessarily used or exfiltrated. To assist firms in determining their reporting obligations, the SHIELD Act also provides specific factors they may use to establish whether there was unauthorized access, including whether the information was viewed, used or altered by a person or communicated to another without authorization. Importantly, the new law does not change the time requirement for consumer notification – a breach must still be reported “in the most expedient time possible and without unreasonable delay.”


Companies should expect that New York, like many regulators, will fiercely enforce its data security and breach notification laws, especially given the increasing risk of cybersecurity events. Those obligated to comply with the SHIELD Act should ensure that their data security programs meet the law’s requirements and seek guidance as needed.


For more information, please contact:

Mona Adabi

Darcy M. Brosky

Brian Doyle-Wenger

Craig A. Foster

Steven G. Stransky

Thomas F. Zych

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.