Data Privacy in New York: Understanding the SHIELD Act
By Jessica Glynn | Reviewed by Canaan Suitt, J.D. | Last updated on June 25, 2025
Featuring practical insights from contributing attorneys Amy B. Goldsmith and Kenneth N. Rashbaum
Recently, cybersecurity lawyer Amy Goldsmith and her colleagues at Tarter Krinsky & Drogin have been getting emails that appear to be from a company they use for deposition support, asking them to click to pay an invoice. “It is an extremely professional-looking invoice,” she says. “It looks completely real.” Of course, Goldsmith knows better. Scams like these are why she’s always telling people: “Don’t click. Don’t click.”
“I can’t emphasize that enough. These scams are so sophisticated, and they have a sense of urgency,” she says. “We have to train people not to click on it, even if the email address looks real. You have to do a formal check. Pick up the phone and call the person you know; don’t call the number on the email. Yes, it’s old-fashioned, and it slows everything down, but if you click and then malware is in your entire system, you’re in trouble.”
Legal Compliance with the NY SHIELD Act
Goldsmith, who has been on the forefront of helping companies comply with New York state’s SHIELD (Stop Hacks and Improve Electronic Data Security) Act since it was signed in 2019, says the law helped improve data security for the average New Yorker.
“The New York SHIELD Act was designed to create more protection for consumers,” Goldsmith says. “The frequency of hacking would indicate that it hasn’t necessarily worked, but you don’t hear about the companies that are doing a good job. Anyone anywhere in the world that has the private information of a New Yorker is subject to SHIELD. They must put into place safeguards to protect everyone’s information, and that’s how it should be.”
What Does the SHIELD Act Require?
Specifically, the law strengthens requirements around systems to prevent and respond to cyber-attacks and around notification to the state and affected individuals in the event of a data breach, explains attorney Kenneth Rashbaum of Barton LLP, who also advises organizations and major corporations on compliance with SHIELD.
“One of the things that changed considerably—and this is good for consumers—is that the definition of a data breach is no longer limited to what is called ‘exfiltration of data,’ which means physically taking the data out of somebody’s system,” Rashbaum says. “It was expanded now to include access to data—because a lot of damage can be done just by looking at personal data, like social security and account numbers.”
The law also expands the types of information protected to include biometric information such as voice, fingerprints or facial scans. And businesses with more than 50 employees and $3 million in annual gross revenue are required to have a data security program that includes tech safeguards and a process for identifying risks and preventing and responding to attacks. Smaller businesses also need to have “reasonable safeguards.”
Data Protection Enforcement and Gray Areas
“The [New York state attorney general] has been quite aggressive in the privacy arena,” says Rashbaum. “She’s already brought actions against companies that did not notify affected individuals or her office within the time period.” Fines have ranged from $50,000 to $600,000.
One gray area in the law that has surprised Rashbaum is an exemption that says notification of a data breach is not required in the case of an “inadvertent disclosure” if the business can “reasonably determine” that exposure will not result in harm.
“If an authorized user essentially hits the wrong button and sends information to the wrong places, but didn’t do it with malicious intent, you don’t need to notify anybody if it’s under a certain number of people affected. It’s almost a ‘get out of jail free’ card,” he says. “So when I’ve drafted breach response policies and procedures for my clients, I’ve had to address this provision and indicate who will make these decisions.”
Appropriate Safeguards for Corporations and Natural Persons
In the same way that Goldsmith advises large corporate clients to keep their cyber insurance policies and incident response plans off the internet and on paper or on thumb drives—so they’re not giving hackers a playbook—she suggests individuals store their information on a private server instead of online. That’s not only to protect your own private information: if you’re in charge of anyone else’s information or finances, you, too, are subject to SHIELD.
“New York’s law applies to both businesses and persons, which is very different from a lot of other states,” Goldsmith says. “Let’s say you’re in charge of your elderly parent’s finances, and you have all of their private information. How are you going to have the proper [administrative safeguards, physical safeguards, and technical safeguards]? One very secure way to keep that information is to have your own private server box. They’re very cheap, and it’s a safe way of complying with SHIELD and completely obliterating any hacking.”
She realizes most people won’t go to that extreme, but says everyone should at least review all the websites and mobile apps into which they’ve put their private information and delete and disable any they’re not using.
“Just take a rainy Saturday and do it,” Goldsmith says. “Change passwords frequently, use a password manager, and make sure that you don’t click.”
Find Experienced Legal Help
Visit the Super Lawyers directory to find an attorney who practices data privacy law in your area. For more information about this area, including how attorneys can help with external risk assessment and response, see our overview of technology law.