log in
All Articles | Back

Member Articles

New York on Verge of Passing Landmark Data Security Legislation 

by Mary Hildebrand, Kathleen McGee

Published: June, 2019

Submission: July, 2019


What You Need To Know:

  • If signed into law, New York’s SHIELD Act will broaden the definition of protected information to include biometric data, email addresses, and corresponding passwords or security questions and answers.
  • Unauthorized access, and not just unauthorized acquisition, to protected information would trigger breach notification requirements.
  • Entities complying with other federal or New York state data security regulations would meet the Act’sde factoreasonableness standard.

Bill Amends Existing Law to Expand Consumer Rights and Enhance Cybersecurity

On June 17, 2019, the New York Legislature approved a substantial revision of New York state’s data security and breach notification requirements under the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. The bill now awaits Governor Cuomo’s signature and, if signed, will substantially impact efforts by public and private organizations to contend with breach incidents and comply with data security requirements across industries.

The SHIELD Act (the “Act”) would apply to any person or entity that processes the personal information of a New York state resident, even if such person or entity is located outside of the state. Given the size, population, and extensive business and financial influence of New York state, the Act will have national impact. With the Act, New York joins a growing list of activist states that are enacting new laws to address privacy and cybersecurity concerns.

Data Breach Implications

The Act would amend New York’s data breach law (GBL §899-AA and §899-bb) in several key areas. Specifically, the Act broadens the definition of “private information” to include biometric data, account numbers, username/email address with password or security question and answer, and unsecured “protected health information” under HIPAA. The SHIELD Act expands the definition of “data breach” to include unauthorizedaccessto private information instead of the current standard of unauthorizedacquisition. Additionally, as referenced above, the Act applies outside of its geographic boundaries. Taken together, these amendments raise the bar for companies that experience data breaches involving New York state residents by expanding their notification obligations.

There’s also some good news for business. The Act provides that inadvertent disclosures by individuals authorized to access the private information do not trigger notification requirements if the exposure will not likely result in misuse or in financial or emotional harm to the affected individuals. This “harm threshold” may operate to exempt very minor breaches from the Act.


The Act notably applies a reasonableness standard for evaluating data security standards, and carves out asde factoreasonable those entities that can demonstrate compliance with selected federal and state data security frameworks, including GLBA and HIPAA as well as other New York state data security regulations, such as the Department of Financial Services Cybersecurity Regulation. If, for example, a company meets the notification requirements of those frameworks, no further notification would be required under the Act, with the caveat that entities would still have to provide notice to New York authorities. As approved by the Legislature, the Act includes an interesting placeholder for future federal and New York state data security regulations, likely in anticipation of ongoing legislation at all levels. In a nod to small business, the Act defines “reasonable” data security in light of the size of the covered entity, and provides a suggested but not mandated road map for implementing safeguards.









WSG Member: Please login to add your comment.


WSG's members are independent firms and are not affiliated in the joint practice of professional services. Each member exercises its own individual judgments on all client matters.

HOME | SITE MAP | GLANCE | PRIVACY POLICY | DISCLAIMER |  © World Services Group, 2020