
Understanding the New York SHIELD Act

The New York SHIELD Act affects any business handling New York state residents' private information. With specific security requirements, breach notification deadlines, and new protected data categories from March 2025, businesses worldwide must understand their obligations.
Published by Usercentrics
Feb 11, 2025

In 2019, New York’s data breach laws underwent significant changes when the SHIELD Act was signed into law. The regulation has continued to evolve, with new amendments in December 2024. This article outlines the SHIELD Act’s requirements for businesses that handle and protect New York state residents’ private information, from security safeguards to breach notifications.

What is the New York SHIELD Act?

The New York Stop Hacks and Improve Electronic Data Security Act (New York SHIELD Act) established data breach notification and security requirements for businesses that handle the private information of New York state residents. The law updated the state’s 2005 Information Security Breach and Notification Act with expanded definitions and additional safeguards for data protection.

The New York SHIELD Act introduced several requirements to protect New York residents’ data. These include:

  • a broader definition of what constitutes private information
  • updated criteria for what qualifies as a security or data breach
  • specific notification procedures for data breaches
  • implementation of administrative, technical, and physical safeguards
  • expansion of the law’s territorial scope

The law also increased penalties for noncompliance with its data security and breach notification requirements.

The New York SHIELD Act was implemented in two phases: 

  • breach notification requirements became effective on October 23, 2019
  • data security requirements became effective on March 21, 2020

Who does the New York SHIELD Act apply to?

The New York SHIELD Act applies to any person or business that owns or licenses computerized data containing the private information of New York state residents. It applies regardless of whether the business itself is located in New York. This scope marked a significant expansion from the previous 2005 law, which only applied to businesses operating within New York state. The law’s extraterritorial reach means that organizations worldwide must comply with its requirements if they possess private information of New York residents, even if they conduct no business operations within the state.

What is a security breach under the New York SHIELD law?

The New York SHIELD Act expanded the definition of a security breach beyond the 2005 law’s limited scope. The previous law only considered unauthorized acquisition of computerized data as a security breach. The New York SHIELD Act includes the following actions that compromise the security, confidentiality, or integrity of private information:

  • unauthorized access to computerized data
  • acquisition of computerized data without valid authorization

The law provides specific criteria to determine unauthorized access by examining whether an unauthorized person viewed, communicated with, used, or altered the private information.

What is private information under the New York SHIELD Act?

The New York SHIELD law defines two types of information: personal and private.

Personal information includes any details that could identify a specific person, such as their name or phone number.

Under the 2005 law, private information was defined as personal information concerning a natural person combined with one or more of the following: 

  • Social Security number
  • driver’s license number
  • account numbers with security codes or passwords

The New York SHIELD Act expands this definition of private information to include additional elements:

  • account numbers and credit or debit card numbers that could enable access to a financial account without additional security codes, passwords, or other identifying information
  • biometric information that is used to authenticate and ascertain an individual’s identity, such as a fingerprint, voice print, or retina or iris image
  • email addresses or usernames combined with passwords or security questions and answers

The law specifically states that publicly available information is not considered private information.

This definition is set to expand once again. On December 21, 2024, Governor Kathy Hochul signed two bills that strengthened New York’s data breach notification laws. Under one of the amendments, effective March 21, 2025, private information will include:

  • medical information, including medical history, conditions, treatments, and diagnoses
  • health insurance information, including policy numbers, subscriber identification numbers, unique identifiers, claims history, and appeals history

What are the data security requirements under the New York SHIELD Act?

This New York data security law requires any person or business that maintains private information to implement reasonable safeguards for its protection. There are three categories of safeguards required: administrative, technical, and physical.

Administrative safeguards include:

  • appointing one or more specific employees to manage security programs
  • finding potential risks from internal and external sources
  • reviewing existing safeguards to check their effectiveness 
  • training employees on the organization’s security practices and procedures
  • choosing qualified service providers who meet security requirements through contracts
  • modifying security programs when business needs change

Technical safeguards include:

  • assessing risks in network structure and software design
  • evaluating risks in information processing, transmission, and storage
  • detecting, preventing, and responding to attacks or system failures
  • regularly testing and monitoring the effectiveness of key controls, systems, and procedures

Physical safeguards include:

  • assessing risks related to information storage and disposal methods
  • implementing systems to detect and prevent intrusions
  • protecting private information from unauthorized access or use during collection, transportation, and disposal
  • properly disposing of electronic media within a reasonable timeframe once it is no longer needed, so that the data cannot be reconstructed
  • disposing of private information by erasing electronic media when no longer needed for business purposes so that the information cannot be read or reconstructed

Businesses are deemed compliant with these security requirements if they are subject to and compliant with certain federal laws, such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH).

What are the data breach notification requirements under the New York SHIELD law?

The New York SHIELD Act sets specific requirements for how and when businesses must notify individuals and authorities about data breaches involving private information.

The law previously required businesses that discover a security breach of computer data systems containing private information to notify affected consumers “in the most expedient time possible and without unreasonable delay.” The December 2024 amendment added a specific timeline to this requirement. Businesses now have a maximum of 30 days in which to notify affected New York state residents of data breaches. The 30-day time limit came into effect immediately upon the bill being signed.

The New York SHIELD Act also previously required businesses to notify three state agencies about security breaches: 

  • the Office of the New York State Attorney General
  • the New York Department of State
  • the New York State Police

The December 2024 amendment added a fourth state agency to be notified, with immediate effect: the New York State Department of Financial Services. 

These notices must include information about the timing, content, distribution of notices, and approximate number of affected persons, as well as a copy of the template of the notice sent to affected persons. If more than 5,000 New York state residents are affected and notified, businesses must also notify consumer reporting agencies about the timing, content, distribution of notices, and approximate number of affected persons.

The law introduced specific restrictions on methods for notifying affected consumers. Email notifications are not permitted if the compromised information includes an email address along with a password or security question and answer that could allow access to the online account.

All notifications must provide contact information for the person or business notifying affected persons as well as telephone numbers and websites for relevant state and federal agencies that offer guidance on security breach response and identity theft prevention.

Enforcement of the New York SHIELD Act and penalties for noncompliance

The New York Attorney General has the authority to enforce the New York SHIELD Act, with the power to pursue injunctive relief, restitution, and penalties against businesses that violate the law.

The law establishes different levels of penalties based on the nature and severity of the violations. When businesses fail to provide proper breach notifications, but their actions are not reckless or intentional, courts may require them to pay damages that cover the actual costs or losses experienced by affected persons.

More severe penalties apply to knowing and/or reckless violations of notification requirements. In these cases, courts can impose penalties of up to USD 5,000 or USD 20 per instance of failed notification, whichever amount is greater. These penalties are capped at USD 250,000.

Businesses that fail to implement reasonable safeguards as required by the law face separate penalties. Courts can impose fines of up to USD 5,000 for each violation of these security requirements.

Impact of the New York SHIELD Act on businesses

The New York SHIELD law imposes significant obligations for any organization handling New York residents’ private information, regardless of location. Businesses must implement comprehensive data security programs with specific safeguards, meet strict breach notification deadlines, and prepare for expanded data protection requirements.

Key impacts include:

  • 30-day mandatory breach notification requirement (currently in effect)
  • the implementation of administrative, technical, and physical security safeguards
  • expanded private information definition, in effect March 21, 2025
  • potential penalties up to USD 250,000 for notification violations and USD 5,000 per security requirement violation

New York SHIELD Act Compliance Checklist


Below is a non-exhaustive checklist to help your business comply with the New York SHIELD Act. For advice specific to your organization, it’s strongly recommended to consult a qualified legal professional.

  • Implement reasonable administrative, technical, and physical safeguards to protect the private information of New York residents.
  • Create and maintain a process to detect data breaches affecting private information.
  • Establish procedures to notify affected New York state residents within 30 days of discovering a breach.
  • Set up a system to report breaches to the Attorney General, Department of State, State Police, and Department of Financial Services.
  • Include contact information and agency resources for breach response and identity theft prevention in all notifications.
  • Use appropriate notification methods (for instance, do not use email if the breach involves email/password combinations).
  • Notify consumer reporting agencies if more than 5,000 New York state residents are affected by a breach.
  • Train employees on security practices and procedures.
  • Review and update security programs when business circumstances change.
  • Prepare to protect additional categories of private information (medical and health insurance data) starting March 21, 2025.