The Empire State’s New Data Privacy Law

Dhara Shah

Senior Editor

Loyola University Chicago School of Law, JD 2020


Data privacy, and more specifically user privacy, has become the focus for many in the past year. Some may say that the European Union began this “trend” with the implementation of the General Data Protection Regulation (GDPR), with California soon following in its footsteps with the California Consumer Privacy Act (CCPA). However, more quietly, New York has also created the Stop Hacks and Improve Electronic Data Security (SHIELD) Act in the interest of protecting personal information. The SHIELD Act was enacted on July 25, 2019 as an amendment to the General Business Law and the State Technology Law, adding breach notification requirements and stronger data security rules that can be enforced against businesses handling personal information. The SHIELD Act recently went into effect on March 21, 2020.

The SHIELD Act—Who Does It Apply To?

The SHIELD Act, in short, requires certain businesses or individuals that own the data of a New York resident to protect that resident’s private information. More specifically, the SHIELD Act applies to “[a]ny person or business that owns or licenses computerized data which includes private information of a resident of New York”. Of note is that for a small business, defined as “any person or business with (i) fewer than 50 employees; (ii) less than three million dollars in gross annual revenue in each of the last three fiscal years; or (iii) less than five million dollars in year-end total assets, calculated in accordance with generally accepted accounting principles,” its data security program will likely be deemed compliant as long as the small business has reasonable administrative, technical, and physical safeguards appropriate for its size and the nature of its business. Additionally, a business may be deemed compliant with the SHIELD Act if it is subject to and compliant with “(i) regulations promulgated pursuant to Title V of the federal Gramm-Leach-Bliley Act; (ii) regulations implementing the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act; (iii) the 23 NYCRR 500 cybersecurity regulations; or (iv) ‘any other data security rules and regulations of, and the statutes administered by, any official department, division, commission or agency of the federal or New York state government…’”.

Private Information, Defined

We have heard many variations of what “private information” means, whether in the context of the GDPR, the CCPA, or otherwise. Under the SHIELD Act, “private information” entails: (1) information that would permit access to one’s account (e.g. a username and password, or an email address and security question answer) or (2) a combination of personal information (e.g. a name) with a non-encrypted data element (e.g. a social security number, driver’s license number, credit card number, biometric information, etc.). This is not an exhaustive explanation, so please refer to the SHIELD Act to determine what data is included under “private information”.

SHIELD Act Basics

The SHIELD Act covers a variety of safeguards, some of which include the following. First, reasonable technical safeguards that allow one to assess risks in software design, information processing, and storage; detect and prevent system attacks; and test and monitor the effectiveness of certain procedures. Second, reasonable physical safeguards that include the assessment of risks surrounding information storage and deletion, detection and prevention of intrusions, protection against unauthorized access, and disposal of private information within a reasonable time. Third, the SHIELD Act looks to reasonable administrative safeguards that include designating certain employees to coordinate a security program, identifying risks, training employees to ensure competency in the security program, and continually amending the security program to ensure maximum protection.

COVID-19’s Implications on Privacy

It is hard to view anything without the light of COVID-19 in these times, so what does COVID-19 mean for the SHIELD Act? New York, as of this article, has been hit worse than any other state by the pandemic; accordingly, data privacy, while important, is not at the forefront of most people’s minds. However, experts in the field have stated that now, more than ever, it is important to ensure companies are thinking about privacy and security compliance. There is no news as of this article that the SHIELD Act will not proceed as planned; rather, experts are hoping companies take this time to ensure that their businesses are compliant not only with the SHIELD Act, but with any applicable data privacy law.

As more and more people work remotely, access cloud storage, and rely upon public Wi-Fi networks, it is critical to secure personal information. And if the concern for privacy is not enough incentive for a business to feel compelled to comply with the SHIELD Act, violations are treated as deceptive acts or practices, are subject to enforcement, and could ultimately result in a fine of up to $5,000 per violation.