New York Cybersecurity Requirements and the SHIELD Act

By John Bandler

The SHIELD Act is New York State’s 2019 law that strengthened data breach reporting requirements and, for the first time, required reasonable cybersecurity. Here is a brief summary of what the law is and what it means for businesses that operate within New York or hold private information of New York residents.

SHIELD Act basics

The NYS SHIELD Act stands for “Stop Hacks and Improve Electronic Data Security Act”. It was signed into law on July 25, 2019 by Governor Cuomo and it did two things to the New York State General Business Law (GBL) Article 39-F:

  • Strengthened the data breach reporting requirements of GBL Section 899-aa (titled: Notification; person without valid authorization has acquired private information), and
  • Created a new cybersecurity requirement in new Section 899-bb (Data security protections).

The SHIELD Act amendment of the GBL 899-aa notification requirements went into effect on October 23, 2019. This strengthened the data breach reporting requirements, closed loopholes, and broadened the key definitions of “personal information”, “private information”, and “breach of the security of the system” (for example, “private information” now includes biometric information and a username or email address combined with a password or security question and answer, and a “breach” now includes unauthorized access to private information, not only its acquisition). A breached organization must notify affected New York residents and must also report to multiple New York state agencies (the state attorney general, the state department of state, and the state police). Reporting requirements of other states might apply as well.

The SHIELD Act created the new data security requirements of GBL 899-bb, which went into effect on March 21, 2020. It essentially requires any person or business that owns or licenses computerized data containing the private information of New York residents to have “reasonable” cybersecurity and information security. This means reasonable administrative, technical, and physical safeguards, and the statute also lists examples of what those safeguards (also known as “controls”) might be, such as designating someone to coordinate the security program, identifying internal and external risks, assessing the sufficiency of safeguards, training employees, selecting and contractually binding service providers, detecting and responding to attacks or system failures, and disposing of private information within a reasonable time after it is no longer needed.

Impact for organizations

Good cybersecurity always makes good business sense, and traditional legal principles may impose certain duties. But the new law imposes clearer duties on organizations to protect themselves and consumer data, and be able to demonstrate compliance with the law.

Organizations that do not have a cybersecurity policy or program (e.g., a written information security program, or WISP), or that are not familiar with the safeguards enumerated in the statute, should get started on improving their cybersecurity. The new law is but one of many reasons to do this.

The statutory use of the word “reasonable” may seem vague and unhelpful, but it is a well-used term in the legal system. It recognizes that many factors go into good decision making, and then into judging that decision making (with the benefit of hindsight).

Small businesses get a carve-out, right?

The law at first seems to provide special treatment to small businesses, with a special definition (a person or business with fewer than fifty employees, less than three million dollars in gross annual revenue in each of the last three fiscal years, or less than five million dollars in year-end total assets), a sub-section devoted to them, and criteria to consider when evaluating what is “reasonable” for them: the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the personal information it collects.

I suggest that this shows some legislative intent to minimize the burden on these smaller organizations, and recognizes that small businesses cannot do the same things large ones do regarding information technology and security.

But in practice, every business, whether small, medium, or large, needs to evaluate many factors, assess risk, and try to determine what is reasonable for it. Those factors will always include business size, but they also include threats, potential harms, the data possessed, the information technology systems in use, and more. Put differently, size is always a factor when evaluating reasonable cybersecurity precautions, but it is never the only one.

Regulated sectors

Organizations that are already regulated and subject to cybersecurity requirements (such as the financial sector under the Gramm-Leach-Bliley Act or 23 NYCRR 500, and the health sector under HIPAA and HITECH) are deemed to be in compliance with the SHIELD Act’s data security requirements if they are in compliance with that regulation. The statute calls such an organization a “compliant regulated entity”.

My thought is that the SHIELD Act’s cybersecurity requirements are relatively basic, and such organizations can choose to affirmatively demonstrate compliance with it independently rather than rely on the deemed-compliance provision alone.

It is also worth mentioning that New York has a more detailed cybersecurity requirement specific to the financial sector, the Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500 (also known as Part 500 or Rule 500, within the New York Codes, Rules and Regulations). This regulation is issued and enforced by the New York State Department of Financial Services (DFS).

Conclusion

Every organization should continually improve its cybersecurity program, both to protect against cybercrime and to be able to demonstrate legal compliance.

Cybersecurity regulations and laws are increasing. Organizations need to comply, but more importantly they need to protect themselves, their customers, and their employees from cybercrime threats.

Government should work to streamline reporting, recognize the reporting burdens of the fifty states, and ensure enforcement of these laws is fair and promotes accurate investigation and reporting of incidents.

This is a brief summary with simplifications, and tries to bring complex subject matter to the reader in an understandable and accessible manner. It is not legal advice nor consulting advice, and is not tailored to your circumstances.

If your organization needs help with improving cybersecurity, creating or improving your policies, complying with the SHIELD Act or other laws and regulations, contact me.

Additional reading

This article is hosted at https://johnbandler.com/new-york-cybersecurity-requirements-and-the-shield-act. Copyright John Bandler, all rights reserved.

A version of this article is available on Medium.com at https://johnbandler.medium.com/new-york-cybersecurity-requirements-and-the-shield-act-2c3527c10244 (though it may not be updated as frequently).

Originally posted 1/14/2020. Last updated 04/10/2022.