The Stop Hacks and Improve Electronic Data Security Act (NY SHIELD) is a data privacy and security law of the U.S. state of New York. In practice, it imposes data security and breach notification obligations on businesses that handle the personal and private information of state residents.
NY SHIELD is not a freestanding statute: it amends the state's existing breach notification law (General Business Law § 899-aa) and adds a data security requirement to the General Business Law (§ 899-bb). The breach notification amendments took effect in October 2019; the data security requirements take effect in March 2020.
NY SHIELD is part of several data laws and regulations that have emerged in recent years. Some examples are the California Consumer Privacy Act (CCPA), the European General Data Protection Regulation (GDPR), and the Brazilian General Data Protection Law (LGPD).
“New York's data breach notification law needs to be updated to keep pace with current technology. This bill broadens the scope of information covered under the notification law and updates the notification requirements when there has been a breach of data. It also broadens the definition of a data breach to include an unauthorized person gaining access to information. It also requires reasonable data security, provides standards tailored to the size of a business, and provides protections from liability for certain entities”, states the assembly bill.
Which companies does NY SHIELD affect?
NY SHIELD applies to any person or business that “owns or licenses computerized data which includes private information of a resident of New York”. The test is the residency of the data subject, not the location of the business: a company with no presence in New York that holds New York residents' private information is still covered.
The law does, however, tailor its requirements to the size of the business and to regulation the business is already subject to. Businesses that are already regulated by, and in compliance with, laws such as HIPAA, the Gramm-Leach-Bliley Act or the New York Department of Financial Services cybersecurity regulation are deemed compliant with the reasonable safeguards section of NY SHIELD. This deeming covers only the safeguards requirement; the breach notification obligations still apply.
For small businesses, the law allows a security program whose safeguards are appropriate for the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the information it collects.
According to NY SHIELD, small business means “any person or business with (i) fewer than fifty employees; (ii) less than three million dollars in gross annual revenue in each of the last three fiscal years; or (iii) less than five million dollars in year-end total assets, calculated in accordance with generally accepted accounting principles”.
Personal and private information according to NY SHIELD
NY SHIELD defines two types of information. Personal information means “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person”.
Private information, by contrast, means “either: (i) personal information consisting of any information in combination with any one or more of the following data elements, when either the data element or the combination of personal information plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired”. The data elements the statute then lists are a Social Security number, a driver's license or non-driver ID number, a financial account or payment card number (together with its access code, or on its own where the number alone could be used to access the account), and biometric information. The second prong, (ii), is a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
Two practical points follow from that definition. Encryption is a safe harbor only while the key stays out of the attacker's hands: if the key was accessed or acquired along with the ciphertext, the data counts as private information. And the credential prong means an e-mail address in combination with a password is private information on its own, with no Social Security or account number involved.
NY SHIELD key points
The substance of NY SHIELD is the protection of data belonging to New York residents, but the obligations fall on the businesses that hold that data.
By updating how data security must be handled, NY SHIELD requires companies to change their processes so that they are more secure and more transparent.
The law provides updated definitions for several terms, including personal information, private information and breach of the security of the system: a breach now includes unauthorized access to private information, not only its acquisition. In addition, it imposes a new requirement to maintain reasonable administrative, technical and physical safeguards.
In other words, companies have to catch up, either by revising their policies and terms of service or by changing the way they handle information and data.
NY SHIELD non-compliance penalties
The law makes companies responsible for data security and for notifying affected residents, as well as the state attorney general, the Department of State and the State Police, about breaches.
In the event of a notification failure, "the court may impose a civil penalty of the greater of five thousand dollars or up to twenty dollars per instance of failed notification, provided that the latter amount shall not exceed two hundred fifty thousand dollars". Failing to maintain reasonable safeguards is separately enforceable, with a civil penalty of up to five thousand dollars per violation. Enforcement rests with the state attorney general; the law creates no private right of action.
NY SHIELD compliance tips
To comply with NY SHIELD, a company has to reassess its infrastructure and processes and implement a data security program with reasonable administrative, technical and physical safeguards. The statute gives examples of each. Administrative safeguards include designating one or more employees to coordinate the program, identifying reasonably foreseeable internal and external risks, training employees in the program's practices, and selecting service providers capable of maintaining appropriate safeguards and requiring them to do so by contract. Technical safeguards include assessing risks in network and software design and in information processing, transmission and storage, detecting, preventing and responding to attacks or system failures, and regularly testing and monitoring the effectiveness of key controls. Physical safeguards include assessing the risks of information storage and disposal, detecting, preventing and responding to intrusions, protecting against unauthorized access to private information during collection, transport and destruction, and disposing of private information within a reasonable time after it is no longer needed.
NY SHIELD is part of a trend that is likely only to strengthen over time. In recent years several data privacy and security laws have been created or updated, the CCPA in California and the GDPR in Europe among them.
The emergence of new technologies and new types of data is one of the main drivers of this trend, and the change is a necessary one.
Although NY SHIELD and similar regulations require companies to change their routines, they are better seen as a path to a more secure and transparent relationship between companies and the people whose data they hold. After all, data is today perhaps the most valuable asset in the cyber world.
NY SHIELD in full
The full text of NY SHIELD (Senate Bill S5575B of 2019) is available from the New York State Senate.