New York Cybersecurity Requirements and the SHIELD Act
By John Bandler
New York State’s 2019 law, the SHIELD Act, strengthens data breach reporting requirements and requires “reasonable security”. Here is a brief summary of what the law is and what it means for businesses located in New York, or that hold the private information of New York residents.
The NYS SHIELD Act (“Stop Hacks and Improve Electronic Data Security Act”) was signed into law on July 25, 2019 by Governor Cuomo. It amends the New York State General Business Law (GBL) Article 39-F, Section 899-aa (titled: Notification; person without valid authorization has acquired private information), and creates Section 899-bb (Data security protections).
The SHIELD Act amendment of the GBL 899-aa notification requirements went into effect on October 23, 2019. This strengthened the data breach reporting requirements, closed loopholes, and provided important definitions of “personal information”, “private information”, and “breach of the security of the system”. In addition to notifying the affected New York residents, a breached organization must report to multiple New York state agencies (the state attorney general, the state department of state, and the state police). The reporting requirements of other states may apply as well.
The SHIELD Act imposed the new data security requirements of GBL 899-bb, which went into effect on March 21, 2020. This essentially requires “reasonable” cybersecurity and information security. This includes reasonable administrative, technical, and physical safeguards, and provides examples of what these safeguards (also known as “controls”) might be.
If your organization does not have a cybersecurity policy or program, or is not familiar with any of these safeguards, it is time to get started with improving your cybersecurity. The new law is but one of many reasons to do this. The term “reasonable” may seem vague, but it is a well-established term in the legal system, recognizing that many factors go into good decision making.
At first glance, the law seems to provide special treatment to small businesses, with a special definition and sub-section devoted to them, and with criteria to consider when evaluating what is “reasonable”. I suggest that this shows some legislative intent to minimize the burden on these smaller organizations, and recognizes that small businesses cannot do the same things large ones do regarding information technology and security. But in practice, every business, whether small, medium, or large, needs to evaluate many factors, assess risk, and try to determine what is reasonable for it. Factors will always include business size, but also include threats, potential harms, the data possessed, the information technology systems in use, and more.
Organizations that are already regulated and subject to cybersecurity requirements (such as those in the financial and health sectors) are deemed to be in compliance with the SHIELD Act if they are fully compliant with that regulation. The statute calls such an organization a “compliant regulated entity”. Since the SHIELD Act’s cybersecurity requirements are relatively basic, such organizations may nonetheless choose to affirmatively demonstrate compliance with it separately.
It is also worth mentioning that New York has a more complex cybersecurity requirement specific to the financial sector, Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500 (also known as Rule 500, within the New York Codes, Rules and Regulations). This regulation is issued and enforced by the New York State Department of Financial Services (DFS).
Every organization should continually improve its cybersecurity program to ensure protection from cybercrime as well as legal compliance.
Cybersecurity regulations and laws are increasing. Organizations need to comply, but more importantly need to protect themselves, their customers, and their employees from cybercrime threats. Government should work to streamline reporting, recognize the burden of reporting under fifty different state laws, and ensure that enforcement of these laws is fair and promotes accurate investigation and reporting of incidents.
This is a brief summary with simplifications, and tries to bring complex subject matter to the reader in an understandable and accessible manner. It is not legal advice nor consulting advice, and is not tailored to your circumstances.
If your organization needs help with improving cybersecurity, creating or improving your policies, complying with the SHIELD Act or other laws and regulations, contact me. Good policies are an important part of cybersecurity, along with Bandler's Four Pillars of Cybersecurity. Individuals need help with cybersecurity too.
Helpful short articles and pages related to this include:
- Policies, Procedures, and Governance of an Organization
- Cybersecurity, Privacy, You, and Your Organization
- New York Cybersecurity Requirements and the SHIELD Act (this article)
- Privacy, You, Your Organization, and the New NIST Privacy Framework
- My services page
- My books
- More articles
- New York’s new SHIELD Act full text is available at https://www.nysenate.gov/legislation/bills/2019/s5575
- SHIELD Act provisions are found within the General Business Law (GBL) sections 899-aa and 899-bb, available at https://www.nysenate.gov/legislation/laws/GBS/899-AA and https://www.nysenate.gov/legislation/laws/GBS/899-BB
- New York State Department of Financial Services (DFS) issued 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies, found at https://www.law.cornell.edu/regulations/new-york/title-23/chapter-I/part-500
This article is hosted at https://johnbandler.com/new-york-cybersecurity-requirements-and-the-shield-act. Copyright John Bandler all rights reserved.
A version of this article is available on Medium.com at https://medium.com/@johnbandler/new-york-cybersecurity-requirements-and-the-shield-act-2c3527c10244 (though it may not be updated as frequently).
Originally posted 1/14/2020. Last updated 12/26/2021.