Protection of Private Information in New York: SHIELD Act of New York

In this digital world, there is one thing we cannot live without: the Internet. As we are aware, the Internet became an even more important part of our lives during the COVID-19 pandemic. The drawbacks of the Internet go hand in hand with its benefits. As we are aware, hackers are actively attempting to steal confidential information for nefarious purposes. Thus, in March of 2020, the New York State government implemented the SHIELD (“Stop Hacks and Improve Electronic Data Security”) Act, a law that strives to protect the private information of every New Yorker and to make people aware when their private information is compromised. For an article on how to protect the private information of your company, please see: How to Protect your Confidential Information.

Definition of Private Information under New York’s SHIELD Act

The SHIELD Act defines private information as a:

(1) social security number;
(2) driver’s license number or non-driver identification card number;
(3) account number, credit or debit card number in combination with any required security code;
(4) account number, credit card number or debit card number which may be used to access financial information without an additional security code;
(5) biometric information;
(6) user name or e-mail address in combination with a password or security question; and
(7) any unsecured protected health information.

The above definition excludes private information that was made publicly available in accordance with the laws of New York. Thus, data held in most public databases is not protected by the law.

Protection of Private Information in New York

Under the SHIELD Act, any person or business that gathers or keeps private information of New York residents is required to develop, implement and maintain reasonable safeguards to protect that information. A person or business is deemed in compliance with the SHIELD Act’s requirement of reasonable safeguards if it has a data security program that includes the following:

Reasonable administrative safeguards – such as (i) designating an employee to coordinate the security program, (ii) identifying reasonably foreseeable internal and external risks, (iii) assessing the sufficiency of safeguards in place to control the identified risks, (iv) training employees in the security program practices and procedures, (v) selecting service providers capable of maintaining appropriate safeguards, and (vi) adjusting the security program in light of business changes or new circumstances.

Reasonable technical safeguards – such as (i) assessing risks in network and software design, (ii) assessing risks in information processing, transmission, and storage, (iii) detecting, preventing, and responding to attacks or system failures, and (iv) regularly testing and monitoring the effectiveness of key controls, systems and procedures.

Reasonable physical safeguards – such as (i) assessing risks of information storage and disposal, (ii) detecting, preventing, and responding to intrusions, (iii) protecting against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information, and (iv) disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

General Business Law, § 899-bb

Additionally, compliance with related federal and New York State laws governing the storage and dissemination of private information is, in many cases, deemed under the SHIELD Act to constitute “reasonable safeguards” for private information. For example, in most cases, banks and other financial institutions are required to implement more stringent protections under federal law. Compliance with these more stringent regulations will, in most cases, satisfy the SHIELD Act.

Failure to Protect Private Information in New York

The New York Attorney General may seek an injunction to stop any person or business from improperly disclosing private information of New York residents. Under New York’s General Business Law § 350-d, a person or business that fails to protect private information may be held liable for up to USD 5,000.00 per violation.

These requirements for the protection of private information in New York are, in many cases, cumbersome. However, numerous professionals are available who can assist in guaranteeing that you do not run afoul of the SHIELD Act and related laws.

If you want more information about the Stop Hacks and Improve Electronic Data Security Act and want to make sure that you or your business has a data security program compliant with the SHIELD Act, please: Schedule a Call with a New York Lawyer.