The New York Stop Hacks and Improve Electronic Data Security Act (or SHIELD Act) was signed into law in July 2019. The SHIELD Act is a two-part effort to protect the data privacy of New York residents: it expands existing breach notification requirements and introduces additional safeguards. The first component, the breach notification law, went into effect on October 23, 2019 and builds upon previous breach requirements. The cyber security mandate, the second component of the SHIELD Act, goes into effect on March 21st. This mandate aims to create a business culture of cyber security and increases the number of precautions any business with New York customers must take to safely maintain personal and private customer information, regardless of where its offices are physically located. With more people working remotely during the COVID-19 outbreak, security vulnerabilities are on the rise. It’s more important than ever to ensure your business complies with this cyber security mandate.
How is a breach now defined?
Prior to the SHIELD Act, a breach was defined as “unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business” [NYS Internet Security and Privacy Act]. Now, a breach is defined as unauthorized acquisition of, or access to, personal information. This means that purposeful, unauthorized access to the personal information of any NYS resident can constitute a data breach and must be reported. Breaches must be reported promptly to the NYS Attorney General, Department of State, and NYS Police. Consumer reporting agencies must also be notified if over 5000 people are impacted by the security incident.
What information is protected?
Personal information: Any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.
Private information: Personal information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired:
- Social security number
- Driver’s license number or non-driver identification card number
- Account number, credit or debit card number, in combination with any required security code, access code, password or other information which would permit access to an individual’s financial account
- Account number, or credit or debit card number, if circumstances exist wherein such number could be used to access to an individual’s financial account without additional identifying information, security code, access code, or password
- Biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as fingerprint, voice print, or retina or iris image, or other unique physical representation or digital representation which are used to authenticate or ascertain the individual’s identity
- A user name or e-mail address in combination with a password or security question and answer that would permit access to an online account
Private information does not include publicly available information.
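As an added illustration (not part of the original post and not an ADKtechs tool), the following Python encodes the definition above, together with the notification rule from the breach section, as a small incident triage helper: it decides whether a compromised record counts as private information and which parties the page says must be told. The record schema, the element labels, and the sample records are constructed assumptions; the thresholds and recipients are the ones stated on this page.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Data elements listed on this page that, in combination with a personal
# identifier, make a record "private information". Labels are constructed.
DIRECT_ELEMENTS = {
    "ssn",                 # Social security number
    "drivers_license",     # Driver's license or non-driver ID card number
    "biometric",           # fingerprint, voice print, retina/iris image, ...
    "online_credentials",  # user name/e-mail plus password or security Q&A
}
ACCOUNT_ELEMENT = "account_number"  # account, credit or debit card number

# Consumer reporting agencies must be notified above this many affected people.
PERSON_THRESHOLD_FOR_CRA = 5000


@dataclass
class Record:
    """Constructed description of one individual's data exposed in an incident."""
    person_id: str
    has_personal_identifier: bool               # name, number, personal mark, other identifier
    elements: Set[str] = field(default_factory=set)
    account_access_code_present: bool = False   # security/access code or password stored with the number
    account_usable_alone: bool = False          # number alone permits access to the financial account
    personal_info_encrypted: bool = False
    elements_encrypted: bool = False
    key_acquired: bool = False                  # the encryption key was also acquired
    publicly_available: bool = False


def is_private_information(r: Record) -> bool:
    """Apply the page's definition of private information to one record."""
    if r.publicly_available or not r.has_personal_identifier:
        return False
    qualifying = bool(r.elements & DIRECT_ELEMENTS)
    # Account numbers qualify only with an access code, or when usable on their own.
    if ACCOUNT_ELEMENT in r.elements and (
        r.account_access_code_present or r.account_usable_alone
    ):
        qualifying = True
    if not qualifying:
        return False
    # Encryption excludes the record only when BOTH the personal information and the
    # data element are encrypted AND the key was not acquired with them.
    if r.personal_info_encrypted and r.elements_encrypted and not r.key_acquired:
        return False
    return True


def affected_persons(records: List[Record]) -> Set[str]:
    """Distinct individuals whose private information was involved."""
    return {r.person_id for r in records if is_private_information(r)}


def notification_recipients(records: List[Record]) -> List[str]:
    """Recipients named on this page: AG, Department of State and State Police for
    any breach of private information; consumer reporting agencies above 5000 people."""
    persons = affected_persons(records)
    if not persons:
        return []
    recipients = ["NYS Attorney General", "NYS Department of State", "NYS Police"]
    if len(persons) > PERSON_THRESHOLD_FOR_CRA:
        recipients.append("Consumer reporting agencies")
    return recipients


if __name__ == "__main__":
    # Constructed sample incident: three people, mixed encryption states.
    sample = [
        Record("p1", True, {"ssn"}),
        Record("p2", True, {"ssn"}, personal_info_encrypted=True, elements_encrypted=True),
        Record("p3", True, {ACCOUNT_ELEMENT}, account_usable_alone=True),
    ]
    for rec in sample:
        print(rec.person_id, "private information:", is_private_information(rec))
    print("notify:", notification_recipients(sample))
```

The helper treats the encryption exclusion narrowly on purpose: if either side of the combination was stored in the clear, or the key travelled with the data, the record still counts, which matches the wording of the definition above.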
Could my business already be compliant?
Yes. If your business complies with any of the regulations below, you should also fall into compliance with the NY SHIELD Act:
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health Act (HITECH)
- Gramm-Leach-Bliley Act (GLBA)
- NY DFS Cyber Security Regulation (23 NYCRR 500)
How can my business follow the cyber security mandate?
While step-by-step instructions for compliance have not been released, there are a number of measures your business can put in place to develop a cyber security program that follows the security safeguards established by the SHIELD Act. These reasonable security controls fall into three categories:

Administrative Safeguards
- Designate employees to coordinate the cyber security program
- Identify internal and external risks
- Assess existing safeguards
- Train employees on security best practices and procedures
- Contractually ensure third party service providers maintain appropriate security safeguards
- Frequently adjust the security program to adapt to business changes
Technical Safeguards
- Assess risks associated with your network, software, and information processing/transmission/storage
- Detect, prevent, and respond to attacks or system failures
- Regularly test and monitor the effectiveness of cyber security processes and procedures
- Validate encryption of data at rest and data in transit
Physical Safeguards
- Assess information storage and disposal risks
- Detect, prevent, and respond to intrusions
- Protect against unauthorized access to private information
- Dispose of private information properly
Do I need a risk assessment?
A risk assessment is a comprehensive way to address many of these safeguards and a key step in the ADKtechs assess, address, maintain methodology. A risk assessment can identify what types of information your business collects and who has access to it, inventory which devices may be putting you at risk (e.g. aging systems such as those still running Windows 7), analyze existing and potential risks to your business, and help you develop reasonable security controls in alignment with the NY SHIELD Act. Contact us for a risk assessment today!