NY SHIELD Act: More protection for NY consumers, higher bar for companies that serve them

On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. The law boosts the protection of consumers’ private information, and holds accountable any company that does business within the state. Although there are federal and state protections of varying strictness already in existence, the New York law will have a broader impact simply due to the size of the state. Here’s what you need to know.

What’s new?

  • The SHIELD law expands data security and breach notification requirements to cover any business that collects private data of New York residents, not just companies that conduct business in the state.
  • It also changes the definition of a security breach. Previously, for a breach to trigger a consumer notification, private information would have had to be actively acquired by an unauthorized party. Now, a notification must be sent to any consumer whose data was simply accessed by an unauthorized party. And that means far more potential incidents and breaches will be covered.
  • It protects a larger set of personal information. New York’s SHIELD law will protect the following information: biometric information resulting from facial recognition software or other means, email addresses and their passwords (as well as security questions and answers), Social Security numbers, driver’s license or non-drive ID card numbers and any account number including debit and credit card information with or without security or access codes. This results in more data elements requiring notification if breached.
  • Businesses must comply within 240 days of when Governor Cuomo signed the law, or March 21, 2020.

Who should pay attention?

On the business side, every company that has any customers in New York—whether the company is based in another state or another country. Virtually any medium- and enterprise-size company with even one New York customer needs to implement this new policy.

On the consumer side, every New York consumer. But it could affect consumers in other states, too. Here’s how: a large company would not be likely to implement separate types of privacy plans for customers in 50 different states. If a company doing business in New York has to meet the SHIELD Act’s requirements, it will simply apply all these new requirements to its consumers in New Hampshire, Oregon and everywhere else.

What should you do now?

The full law identifies a significant number of steps a business needs to take. We highlight three important ones.

  • Implement reasonable safeguards to protect sensitive data, like identifying reasonably foreseeable risks to data security, choosing vendors that can maintain appropriate safeguards and preventing unauthorized access to private information.
  • Designate at least one person to coordinate the security program, conducting risk assessments and implementing safeguards to protect against risks. This designated person is responsible for reporting any breaches to the New York State Attorney General’s office, as well as to any other oversight agencies.
  • Regularly assess risks in software, hardware, systems, information transfer and more.

What happens if your company doesn’t comply?

The New York State Attorney General can seek up to $250,000 for violations by a company, up from the previous statute’s $150,000. And New York means business when it comes to data security: by August 2019, the Attorney General’s office has levied fines of more than $600 million related to data breaches, based on existing statutes. It has also announced multiple high-profile breach investigations.

Contact us

Joseph Nocera

Cyber, Risk and Regulatory Marketing Lead Partner, PwC US

Robert Donovan

Managing Director, PwC US

Jay Cline

US Privacy Leader, Principal, PwC US

Follow us