Late last month, New York enacted the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). In doing so, it has become the latest state to impose additional data security and breach notification obligations on businesses handling private data. The breach notification amendments take effect on October 23, 2019, while the data security requirements take effect on March 21, 2020.

Expanded Breach Notification Requirements

The SHIELD Act revises various definitions and increases the scope of the state’s breach notification statute. The law expands the definition of “private information” to include:

  • Financial account information that can be used to access an individual’s financial account without a security code, access code, or password.
  • Biometric information used to authenticate or ascertain an individual’s identity.
  • A user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.

The SHIELD Act also expands the definition of “breach of the security of the system” to include any unauthorized “access” to computerized data that compromises the security, confidentiality, or integrity of private information. Unauthorized “acquisition” of such data is no longer the sole trigger for breach notification obligations – a distinction that only a handful but growing number of states make.

In addition, the SHIELD Act expands the jurisdiction of the breach notification statute, making it applicable to any person or business that maintains private information of New York residents, regardless of whether that person or business conducts business in New York. There are, however, several exceptions to this jurisdictional reach. For example, the law adopts a risk-of-harm inquiry, where a business need not provide notification if “the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.” Moreover, businesses subject to certain breach notification requirements, such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the New York Division of Financial Services Cybersecurity Regulation (NYDFS Cybersecurity Regulation), do not need to make additional notifications to affected New York residents, though such businesses still need to notify the New York attorney general and state regulators in accordance with the statute.

Data Security Requirements

In addition to expanding the state’s breach notification requirements, the SHIELD Act imposes additional data security obligations on businesses that own or license private information of New York residents. Such businesses are required to implement various administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of private information. The SHIELD Act lists various examples of such safeguards, including designating one or more employees to coordinate the security program, conducting risk assessments, training and managing employees, selecting vendors capable of maintaining appropriate safeguards and requiring such safeguards contractually, adjusting the security program based on business changes or new circumstances, and disposing private information within a reasonable amount of time after it is no longer needed for business purposes.

“Small businesses” are permitted to tailor their security programs based on their size, the nature of their activities, and the sensitivity of the personal information. The SHIELD Act defines a small business as any person or business with (a) fewer than 50 employees, (b) less than $3 million in gross annual revenue in each of the last three fiscal years, or (c) less than $5 million in year-end total assets. Here too, the SHIELD Act allows businesses to leverage their other regulatory obligations: Companies subject to, and in compliance with, other legal and regulatory regimes such as GLBA, HIPAA, and the NYDFS Cybersecurity Regulation are considered in compliance with this part of the SHIELD Act.


There is no private right of action under the SHIELD Act. Nonetheless, covered businesses are subject to attorney general enforcement with civil penalties for knowing and reckless violations of the breach notification obligations of up to $20 per instance with a cap of $250,000. Violations of the reasonable safeguard requirements may carry penalties of up to $5,000 per violation. The SHIELD Act also lengthens the statute of limitations from two years to three years.

Conclusion and Takeaways

The SHIELD Act greatly increases the jurisdictional reach of New York’s breach notification statute, which now applies to entities that do not do business in the state, as long as they maintain private information of New York residents. It also expands various key definitions. Businesses across the country that maintain private information on New York residents will want to consider reviewing their security programs and incident response plans to determine if any changes are needed to comply with the SHIELD Act.

Photo of Evan D. Wolff Evan D. Wolff

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office where he is co-chair of the firm’s Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators.

Photo of Kate M. Growley, CIPP/G, CIPP/US Kate M. Growley, CIPP/G, CIPP/US

Kate M. Growley is a counsel in the Washington, D.C. office of Crowell & Moring, where she is a member of the firm’s Privacy & Cybersecurity, Government Contracts, and Litigation groups. Her practice covers a wide range of counseling and litigation engagements, including cybersecurity compliance reviews, risk assessments, incident response, law enforcement cooperation, regulatory investigations, data breach class actions, trade secrets litigation, and health care disputes.

Kate is a Certified Information Privacy Professional for both the U.S. private and government sectors (CIPP/US, CIPP/G) and has been named a “Rising Star” by both Law360 (2018) and the American Bar Association’s Science & Technology Section (2016).



Photo of Brandon C. Ge Brandon C. Ge

Brandon C. Ge is an associate in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Privacy & Cybersecurity and Health Care groups.

Brandon advises clients on a wide range of privacy and cybersecurity laws, regulations, and standards. His practice has a particular focus on advising clients – from start-up digital health companies to large health plans – on all aspects of compliance with the Health Insurance Portability and Accountability Act (HIPAA). Brandon regularly assists clients with responding to security incidents and has successfully represented clients in Office for Civil Rights investigations.