New law extends the reach of New York’s breach notification and cybersecurity requirements to cover any person or entity with private information of a New York resident, regardless of whether the data holder conducts business in New York State.
Statute requires that companies with private information about New York residents—within 240 days—adopt data security safeguards that comply with the provisions of the SHIELD Act.
The new law broadens the scope of information covered under the New York breach notification law to include, among other things, biometric data.

On July 25, 2019, Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act), which broadens the scope of existing New York breach notification and data protection laws that trigger notification to affected consumers. The New York Attorney General will enforce the SHIELD Act (S.5575B/A.5635), which extends the reach of New York law breach notification requirements to any person or entity with private information of a New York resident, regardless of whether the breached company conducts business in New York State. This provision could significantly extend the reach of those companies that will be subject to New York reporting requirements. The law also broadens the definition of breach, expanding a data breach to any situation involving unauthorized “access” to confidential information regardless of whether such data is “acquired.” The SHIELD Act does not create a private cause of action; however, the New York Attorney General may bring an action for civil penalties or to enjoin unlawful practices. The SHIELD Act also expands the time period within which the New York Attorney General may bring an action from two to three years. Penalties for violation of the data breach provisions can be imposed in the amount of the greater or $5,000 or up to $20 per instance of a failed notification, up to $250,000. Penalties for failing to adopt reasonable safeguards can be imposed up to $5,000 per violation.

Companies Must Adopt Comprehensive Cybersecurity Programs

Companies that have private information about New York residents will need to adopt reasonable data security safeguards to protect confidentiality of data. Companies are exempt from this law if they can show that they are compliant with certain other cybersecurity legal requirements, including Department of Financial Services Cybersecurity Regulations (23 NYCRR 500). The SHIELD Act greatly expands New York’s requirements on companies with data relating to New Yorkers to adopt comprehensive cybersecurity programs. The safeguards can be tailored based on the size and complexity of the institutions but must at a minimum include:

  • designation and training of employees to coordinate cybersecurity compliance,
  • the use of third-party service providers capable of maintaining appropriate cybersecurity practices, with safeguards required by contract,
  • risk assessment of the company’s cybersecurity program, including both the network and software design and the information processing, transmission and storage,
  • processes and physical safeguards to detect, prevent and respond to attacks or system failures,
  • monitoring and testing of the effectiveness of the cybersecurity program,
  • processes to safely, securely and permanently dispose of data within a reasonable amount of time after it is no longer needed for business purposes, and
  • updates to the program periodically to address changes in the business or circumstances that would require the program to be changed.

Expanded Definition of Confidential Data

The SHIELD Act also broadens the scope of information covered under the New York breach notification law to include:

  • biometric information, including fingerprints, voice prints or iris images,
  • email addresses with their corresponding passwords or security questions and answers, and
  • bank account or credit card numbers, regardless of the inclusion of the password or security code, if the numbers could be used to access accounts.

With the SHIELD Act, New York is joining the trend to increase cybersecurity, privacy and data protection laws. The law takes effect within 90 days, except that it provides 240 days for the establishment of a cybersecurity program. Companies that have not previously been subject to cybersecurity regulatory requirements will need to promptly evaluate the sufficiency of both their internal programs and the third-party service providers they use for compliance with the comprehensive cybersecurity requirements of the SHIELD Act. Those that already have cybersecurity programs will need to update their programs for New York’s new requirements.