Overview of The New York SHIELD Act – Data & Privacy Laws

Overview of The New York SHIELD Act - Data & Privacy  Laws

New York is one of the more recent states to follow in the footsteps of California of revamping their data breach and privacy laws amidst the rise in cyber attacks. By now all 50 states have some level of security breach notification laws, but not all states have taken clear steps to protect their residents digital privacy.

The SHIELD Act, Stop Hacks and Improve Electronic Data Security Act, which was signed in by New York’s Governor on July 25, 2019. While the data breach aspect of the law went into effect last October, the data privacy portion only became effective as of March 21, 2020.

According to the New York State Senate “New York’s data breach notification law needs to be updated keep pace with current technology. This bill broadens the scope of information covered under the notification law and updates the notification requirements when there has been a breach of data. It also broadens the definition of a data breach to include an unauthorized person gaining access to information. It also requires reasonable data security, provides standards tailored to the size of a business, and provides protections from liability for certain entities.”[1]

The SHIELD Act serves a few key purposes, but the primary goal is to expand both the definitions of “Private Information”, “Breach”, “Territorial Scope” and various Data Security Requirements. [2]

  • PRIVATE INFORMATION – The new definition now includes both bio-metric information and expanded versions of PII such as unique username / password combinations or even password / security question combinations.
  • BREACH – The new definition now includes unauthorized access of all digital data with the capacity to compromise the security, confidentiality or integrity of the private information or system. Before the expanded definition was introduced, a breach was known simply as unauthorized acquisition of computerized data.
  • TERRITORIAL SCOPE – The scope has been expanded to cover all New York residents and business that own or license private information. Prior the law only extended to those conducting business in New York.
  • DATA SECURITY REQUIREMENTS – The biggest takeaway from this portion of the act was the requirement for safeguards to be put in place to protect private information as well as perform various risk assessment and information governance best practices.

All in all the SHIELD act is a step in the right direction when it comes to large scale data privacy laws that we hope will cause more states to follow now more than ever.


[1] Senate Bill S5575B (May 7, 2019), www.nysenate.gov/legislation/bills/2019/s5575

[2] New York Passes SHIELD Act Amending Data Breach Notification Law (August 2019), www.jonesday.com/en/insights/2019/08/new-york-passes-shield-act

[3] New York SHIELD Act FAQs (March 11, 2020), www.natlawreview.com/article/new-york-shield-act-faqs