
NY Shield Act

What is the New York State SHIELD Act?

THE NY SHIELD ACT

This law, passed in 2019, applies to all companies in New York State, and to companies outside the state that hold data on NYS residents.

This new law strengthens the protection of consumers’ and employees’ private information and holds companies that do business within the state accountable for protecting this data. The law is meant to complement the federal and state protections that already exist; however, it has a broader impact simply because of the size of the state and the number of employees and residents.

The SHIELD Act expands the definitions of a breach and of private information, and requires businesses to have specific controls in place for breach prevention, detection, and response.

The NYS SHIELD Act has expanded definitions such as:

  • Expands the definition of a breach
    • Previously a breach was defined as the unauthorized acquisition of private information. Now it is defined as unauthorized access to private information.
    • “Access” now includes viewing, downloading, or copying private information.
  • Expands the definition of private information to include personal information.
  • Expands the set of businesses the law applies to
    • Previously the law applied only to entities conducting business in New York; now it applies to any entity holding private information about New York residents.
  • Requires “Reasonable Safeguards”
    • Businesses that own or license personal information of New York State residents are now required to implement “reasonable safeguards” preventing a breach of that information.
  • Expands exemptions
    • Businesses are not required to give notice of a breach if it occurred inadvertently through a person authorized to access the private information, and if the exposure does not result in financial or emotional harm to the individuals whose data was breached.
    • Businesses are not required to give notice of a breach under this Act if they have already given notice of the same breach under a different breach notification regulation, such as the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), or others.
    • Small businesses may tailor their information security programs to their size, the nature of their business, and the sensitivity of the private information they hold.
  • Expands the period for bringing an action
    • The New York State Attorney General can bring an action against a company within three years of the violation (previously two years).

REQUIREMENTS OF THE NY SHIELD ACT

Businesses must implement “reasonable safeguards.” These safeguards include:

  • Assigning and designating one or more employees to implement a security program
  • Establishing and implementing a security training program
  • Testing and monitoring key controls on a regular basis
  • Disposing of private information after a reasonable time frame

Some key elements with relevance to HR stakeholders include the following:

  • Designating an employee or employees to coordinate the data security program.
  • Training and managing employees in security program practices and procedures.
  • Assessing internal and external risks and implementing controls to reduce those risks.
  • Vetting service providers and binding them contractually to safeguard private information.
  • Securely destroying private information within a reasonable amount of time after it is no longer needed for business purposes.