What Businesses Need to Do to Follow New York’s SHIELD Law
With no unifying federal law that aims to protect data security, individual states—including our home state of New York—have had to take it upon themselves to create such privacy laws.
Here in the Empire State, that law is the SHIELD Act.
Let’s take a few moments to go over what the SHIELD Act is, and what it requires New York state businesses (and those with operations within the state) to do. While we touched on this a little after the act first passed, a little review never hurts.
What is the Stop Hacks and Improve Electronic Data Security Act?
The SHIELD Act builds upon the protections that New York had already codified in its data breach notification laws. Since March of 2020, the SHIELD Act has been putting more pressure on any company—whether or not it has a presence in the state—to do a better job of protecting the private information of New York residents that it holds.
Let’s summarize what the SHIELD Act accomplishes a little more specifically:
The SHIELD Act Qualifies the Terms “Private Information” and “Breach” to Include More Situations
First of all, the SHIELD Act approaches how its terms are defined a bit differently than most previous laws have. The big difference is that the SHIELD Act gets a lot more specific with its definition of private information. Now, according to the law, “private information” can mean either:
1. “Personal information consisting of any information in combination with any one or more of the following data elements, when either the data element or the combination of personal information plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired:
   - social security number;
   - driver’s license number or non-driver identification card number;
   - account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account;
   - account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password; or
   - biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity; OR
2. a username or e-mail address in combination with a password or security question and answer that would permit access to an online account.”
This is a very significant list, and you have almost certainly handled some of this data in some aspect of your operations.
The term “breach” has also been reexamined and updated to better reflect how data breaches actually happen today. Before the SHIELD Act passed, data needed to be stolen before a company had to notify affected individuals of a security incident. The definition now covers every instance in which data has been accessed by someone without authorization to do so, whether or not it was taken.
Data Security Requirements Have Become Stricter
The SHIELD Act also makes it very clear that security is to be prioritized: it requires any person or business that owns or licenses data on a New York resident to have a documented security program in place to protect that data. If a business is already required by other regulations to maintain such safeguards—as is the case with the Health Information Portability and Accountability Act and healthcare providers, for example—meeting those requirements counts toward meeting this one.
Rather than mandating any single safeguard, the SHIELD Act provides examples of the physical, administrative, and technical safeguards that a business should implement to help protect the data it holds.
The SHIELD Act Applies to Far More Businesses
Before this act was passed, New York’s privacy laws applied only to businesses that actually conducted business in the state. This is no longer the case, as the SHIELD Act applies to any business that possesses or licenses data on a New York state resident—a business could be located and operate exclusively in Oregon, but if it holds a New Yorker’s private information, the SHIELD Act applies to it.
Considering how large an economic player New York is, this means that a great many businesses need to maintain these standards. Keep an eye on this blog, because we’ll soon be following up with some general practices for doing so.
We’re Here to Help You Ensure Compliance to the New York SHIELD Act!
Make sure you keep an eye out for our next blog on the SHIELD Act, where we’ll talk a bit more about what can and should be done to stay on the right side of the law. In the meantime, you can always talk to us about it, too. Give us a call at 607.433.2200 to discuss what you need.