New York Cybersecurity Requirements and the SHIELD Act

By John Bandler

The SHIELD Act is New York State’s 2019 law that strengthened data breach reporting requirements and introduced a new requirement for reasonable cybersecurity. Here is a brief summary of what the law is and what it means for businesses that are within New York, or that hold personal information of New York residents.

SHIELD Act basics

SHIELD stands for “Stop Hacks and Improve Electronic Data Security”. The NYS SHIELD Act was signed into law on July 25, 2019 by Governor Cuomo, and it made two changes to the New York State General Business Law (GBL) Article 39-F:

  • Strengthened the data breach reporting requirements of GBL Section 899-aa (titled: Notification; person without valid authorization has acquired private information), and
  • Created a new cybersecurity requirement with new Section 899-bb (Data security protections).

The SHIELD Act amendment of the GBL 899-aa notification requirements went into effect on October 23, 2019. This strengthened the data breach reporting requirements, closed loopholes, and provided important definitions of “personal information”, “private information”, and “breach of the security of the system”. A breached organization must report to multiple New York state agencies (state attorney general, state department of state, and state police). Reporting requirements of other states might apply as well.

The SHIELD Act created the new data security requirements of GBL 899-bb, which went into effect on March 21, 2020. This essentially requires organizations to have “reasonable” cybersecurity and information security. This includes reasonable administrative, technical, and physical safeguards, and the statute also provides examples of what these safeguards (also known as “controls”) might be.

Impact for organizations

Good cybersecurity always makes good business sense, and traditional legal principles may impose certain duties. But the new law imposes clearer duties on organizations to protect themselves and consumer data, and be able to demonstrate compliance with the law.

Organizations that do not have a cybersecurity policy or program (e.g., a written information security program, WISP) or who are not familiar with the safeguards enumerated in the statute should get started with improving cybersecurity. The new law is but one of many reasons to do this.

The statutory use of the word “reasonable” may seem vague and unhelpful, but it is a well-used term in the legal system, recognizing that many factors go into good decision making, and then into judging that decision making (with the benefit of hindsight).

Small businesses sort of (but not really) get a carve-out

The law at first seems to provide special treatment to small businesses, with a special definition and sub-section devoted to them, and with criteria to consider when evaluating what is “reasonable”.

I suggest that this shows some legislative intent to minimize the burden on these smaller organizations, and recognizes that small businesses cannot do the same things large ones do regarding information technology and security.

But in practice, every business, whether small, medium, or large, needs to evaluate many factors, assess risk, and try to determine what is reasonable for it. Factors will always include business size, and also include threats, potential harms, data possessed, information technology systems, and more. Put differently, size is always a factor when evaluating reasonable cybersecurity precautions, but it is never the only one.

Regulated sectors and the SHIELD Act

Organizations that are already regulated and subject to cybersecurity requirements (such as the financial sector and health sector) are deemed to be in compliance with the SHIELD Act if they are fully compliant with that regulation. The statute calls such an organization a “compliant regulated entity”.

My thought is that the SHIELD Act’s cybersecurity requirements are relatively basic, and organizations can choose to affirmatively demonstrate compliance with it independently.

  • In other words, organizations can choose to say "We happily comply with the SHIELD Act, just as we happily comply with XYZ laws and regulations for our sector. These are important rules that protect consumers, and our customers."
  • By contrast, it would be awkward for an organization to say "We choose to ignore the SHIELD Act, since we are already complying with XYZ laws and regulations for our sector."

It is also worth mentioning that New York has a more complex cybersecurity requirement specific to the financial sector, Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500 (also known as Rule 500, within the New York Codes, Rules and Regulations). This regulation is issued and enforced by the New York State Department of Financial Services (DFS).

Data breach reporting requirements under GBL Section 899-aa

Recap: GBL §899-aa is titled "Notification; person without valid authorization has acquired private information".

I will spare you the details and the definitions for now, especially since every data breach reporting statute uses different language.

But organizations need to look at what information they are holding, and in the event of a cybercrime or other cyber event, look at whether that information relates to a person and could be used to commit identity theft. They then need to get more specific about whether that is consumer information, "private information", personal information, personal identifying information, etc., since each term has its own legal definition.

Then organizations need to investigate the cybercrime, and what happened, and whether that personal or private information was accessed.

Then organizations need to apply the facts to the law, and if required by law report to the New York state government and to affected individuals.

Of course, even if the law does not strictly require reporting, organizations could still choose to report.

Cybersecurity requirements under Section 899-bb

Recap: GBL §899-bb is titled "Data security protections".

It is general, and its "reasonable security requirement" directs organizations to "develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information". This would include "reasonable" administrative, technical, and physical safeguards (also known as controls), and the statute provides some suggestive examples of each.

Remember, the examples are suggestive, and they are basic requirements.

I explain these safeguards (controls) in my introduction to cybersecurity article.

Other legal requirements will apply

There are other legal requirements for cybersecurity and privacy that organizations should be aware of.


For starters, consider negligence law, contract law (including contracts with clients, customers, suppliers, vendors, and insurance companies), and other federal or state requirements. Each organization needs to analyze its legal duties and what laws apply. So the fact that the SHIELD Act applies does not mean it is the only requirement.

Think of all these legal requirements as "external rules" to the organization, and I talk about them more in other articles linked to below.

These external rules are an important platform in my Three Platforms to Connect for Compliance.

Many of these legal requirements also coincide with good business practices to protect the organization, secure it, and protect consumer data and customers and clients.

Other considerations

Legal compliance is important but no organization exists just to comply.

Organizations exist to accomplish a mission and business objectives, which means providing valuable products or services to customers and clients, and earning revenue. Thus we need to think about the important fourth platform of Business Needs and Mission.

For all of this, we want to manage our information assets well because that protects us and allows us to use them efficiently, which is good for business and those we serve.

Conclusion

Every organization should continually improve its cybersecurity program to ensure protection from cybercrime, and to be able to demonstrate legal compliance.

Cybersecurity regulations and laws are increasing. Organizations need to comply, but importantly need to protect themselves, their customers, and employees from cybercrime threats.

Government should work to streamline reporting, recognize the reporting burdens of the fifty states, and ensure enforcement of these laws is fair and promotes accurate investigation and reporting of incidents.

This is a brief summary with simplifications, and tries to bring complex subject matter to the reader in an understandable and accessible manner. It is not legal advice nor consulting advice, and is not tailored to your circumstances.

If your organization, no matter the size, needs help with improving cybersecurity, creating or improving your policies, complying with the SHIELD Act or other laws and regulations, contact me.

Additional reading

This article is hosted at https://johnbandler.com/new-york-cybersecurity-requirements-and-the-shield-act. Copyright John Bandler, all rights reserved.

A version of this article is available on Medium.com at https://johnbandler.medium.com/new-york-cybersecurity-requirements-and-the-shield-act-2c3527c10244 (though it may not be updated as frequently).

Originally posted 1/14/2020. Last updated 12/08/2023.