NY SHIELD Act
The New York Stop Hacks and Improve Electronic Data Security Act (NY SHIELD Act) is New York State’s primary data protection legislation. The SHIELD Act amends the state’s 2005 Information Security Breach and Notification Act and was signed into law by Governor Andrew Cuomo on July 25, 2019.
Specifically, the SHIELD Act adds to the types of private information for which companies have to provide notice to consumers in the event of a breach while requiring companies to put into place safeguards to protect the confidentiality, security, and integrity of consumers’ private information.
It also expands the 2005 Information Security Breach and Notification Act to include usernames, email addresses, and password credentials as well as biometric information. New York’s 2005 law already defined Social Security numbers, driver’s license numbers, and account numbers as private information.
Likewise, the SHIELD Act defines a security breach as any access to digitized data that compromises the confidentiality, security, or integrity of private data. This goes beyond the previous law, which defined a breach as the unauthorized acquisition of digitized data that led to the same compromise of private data.
The NY SHIELD Act is broadly analogous to the California Privacy Rights Act (CPRA), insofar as it amends a prior piece of data security legislation. It’s also often referred to as New York’s version of broad state laws designed to protect residents’ personal information through enforced compliance that includes appropriate safeguards.
Such state laws include:
- the Virginia Consumer Data Protection Act (VCDPA)
- the Colorado Privacy Act (CPA)
- the Utah Consumer Privacy Act (UCPA)
- the Connecticut Data Privacy Act (CTDPA)
What is the cyber privacy law in NY?
The most comprehensive cyber privacy law in NY State is the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. It was signed into law by Governor Andrew Cuomo on July 25, 2019, to amend the 2005 Information Security Breach and Notification Act. The law became enforceable in March 2020.
Which organizations must comply with the NY SHIELD Act?
Any organization that operates in New York State or collects information from residents of New York has to comply with the NY SHIELD Act. Such an organization need not be based in New York or even the United States. This means that every employer with employees in New York must comply since “private information” includes an individual’s name and Social Security number—details that employers have to collect and store by law.
Who do SHIELD laws protect?
SHIELD (Stop Hacks and Improve Electronic Data Security) laws protect New York residents.
Does the NY SHIELD Act apply to nonprofits?
Yes, the NY SHIELD Act applies to nonprofit organizations. Any organization that handles New York residents’ private information is required to comply with the Act, whether it’s run on a for-profit basis or not.
Can you sue for invasion of privacy in New York?
Yes, you can sue for invasion of privacy in New York. There are strict conditions under which this is possible, though. “Invasion of privacy” is only codified under New York law in connection with the unauthorized use of a person’s name or face for commercial purposes.
Is online harassment a crime in New York?
Yes, online harassment is a crime in New York. Instances of online harassment are punishable by a fine (of up to $500) or even prison time (of up to 1 year). Online harassment is considered a Class A misdemeanor in New York State.