New York SHIELD Act citation
The SHIELD Act (Stop Hacks and Improve Electronic Data Security Act), signed into law on July 25, 2019, by Governor Andrew Cuomo, amends New York's 2005 Information Security Breach and Notification Act. Its breach-notification amendments took effect on October 23, 2019, and its reasonable-safeguards requirement on March 21, 2020. The SHIELD Act significantly strengthens New York's data-security law by:
- expanding the types of private information for which companies must provide consumer notice in the event of a breach
- requiring that companies develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information
What types of security breaches are covered by this law?
Under the 2005 law, a security breach was defined as an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of private information. The SHIELD Act expands that definition to also cover unauthorized "access" to computerized data that compromises the security, confidentiality, or integrity of private information, so an incident can be a reportable breach even if no data was shown to have been copied or exfiltrated.
What does private information consist of?
Under the 2005 law, private information was any personal information concerning a natural person in combination with any one or more of the following data elements:
- Social Security number
- driver's license number or non-driver identification card number
- account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to the individual's financial account
The SHIELD Act expands the definition to add biometric information, an account or card number that can be used to access a financial account without any additional code or password, and a username or e-mail address in combination with a password or security question and answer that would permit access to an online account.
What safeguards are included in the SHIELD Act?
The SHIELD Act requires any person or business that owns or licenses computerized data containing the private information of a New York resident to develop, implement, and maintain reasonable administrative, technical, and physical safeguards. The act lists examples of safeguards that satisfy this requirement; the list is not exhaustive.
Reasonable administrative safeguards include:
- designating one or more employees to coordinate the security program
- identifying reasonably foreseeable internal and external risks
- assessing the sufficiency of safeguards in place to control the identified risks
- training and managing employees in the security program's practices and procedures
- selecting service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract
- adjusting the security program in light of business changes or new circumstances
Reasonable technical safeguards include:
- assessing risks in network and software design
- assessing risks in information processing, transmission and storage
- detecting, preventing, and responding to attacks or system failures
- regularly testing and monitoring the effectiveness of key controls, systems, and procedures
Reasonable physical safeguards include:
- assessing risks of information storage and disposal
- detecting, preventing, and responding to intrusions
- protecting against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of information
- disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed
What are the obligations of businesses when a breach occurs?
The law requires that the person or business notify the affected consumers following discovery or notification of a breach in the security of its computer data system that affects private information. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement agencies. The law also requires notice to the Office of the New York State Attorney General (OAG), the New York Department of State, and the New York State Police of the timing, content, and distribution of the consumer notices and the approximate number of affected persons. Submitting a breach form through the OAG's data-breach-reporting portal satisfies this requirement, as the information is automatically forwarded to all three state agencies.