Back
Home
Insights
New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act: Just the Basics

04/22/2020

New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act: Just the Basics

New York’s “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act went into effect on March 21, 2020. This modification to New York’s existing data security law requires any person or business that controls or processes electronic records containing “private information” of New York residents – regardless of whether business is conducted in New York – to adopt reasonable safeguards to protect the security, integrity, and confidentiality of that information.

What information must be protected?

Private information is defined as personal information plus one or more of a defined set of data elements when the data element is not encrypted, either alone or in combination with personal information, or when the encryption key has also been compromised. Data elements include:

Social Security number
Driver’s license number or non-driver ID number
Financial account information: credit, debit, or account number (if that information could be used to access a financial account without additional identifying information, security code, access code, or password)
Biometric information

Private information also includes a username or email address in combination with a password or security question and answer that would allow access to an online account. Excluded is information that is lawfully publicly available through federal, state, or local government records.

Penalties for non-compliance

The New York State Attorney General can seek up to $250,000 for violations by a company, up from the previous statute’s $150,000.

SHIELD Act security program requirements

According to the act, security programs must include…

Reasonable administrative safeguards
- Assign designated security program coordinator(s)
- Identify “reasonably foreseeable” internal and external risks
- Assess current safeguards to control identified risks
- Train and manage employees in the security program’s practices and procedures
- Select service providers who are capable of maintaining appropriate safeguards, and require those safeguards as part of the contract
- Adjust the security program in light of business changes or new circumstances
Reasonable technical safeguards
- Assess risks in network and software design, and in information processing, transmission, and storage
- Detect, prevent, and respond to attacks or system failures
- Regularly test and monitor the effectiveness of key controls
Reasonable physical safeguards
- Assess risks in storage and disposal of information
- Detect, prevent, and respond to intrusions
- Protect against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information
- Dispose of private information within a reasonable timeframe and in a manner appropriate for electronic media

OUR PEOPLE

Get in touch with our specialists

View All Specialists

Bhavesh Vadhani

CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy

View Full Bio

Contact Bhavesh

Close

Contact

Let’s start a conversation about your company’s strategic goals and vision for the future.

Please fill all required fields*

Please verify your information and check to see if all require fields have been filled in.

First Name

Last Name

Job Function

Job Level

Enter Job Level

Email address

Country

State

Company name

Industry

Enter Industry

Topic

Comment

Yes, opt me into Marketing from CohnReznick.

By completing the form, I will be subscribed to receive CohnReznick emails with insights and information on upcoming events. I understand that I will always have the option to unsubscribe from communications.

By your submission of information in this form, you are consenting to our collection, use, processing and storage of your information in accordance with the CohnReznick Privacy Policy.

Related services

_{This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. Neither CohnReznick LLP or its personnel provide legal advice to third parties. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees, and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.}

All Industries

Consumer & Industrial

Financial Sponsors & Services

Healthcare

Life Sciences

Private Clients

Public Sector

Real Estate

Renewable Energy

Technology & Media

All Services

Accounting & Assurance

Accounting Advisory

Business Performance

Digital

Risk

Sustainability Advisory

Tax

Transactions

All Insights

Topics

Events

Subscribe

About CohnReznick

About us

Corporate Responsibility

News

Offices

People

Careers at CohnReznick

Career Opportunities

Experienced Career Opportunities

Careers at CohnReznick

Internships

Life at CohnReznick

Why CohnReznick?