New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD)

Core tenets of the SHIELD Act

In March 2020, New York State implemented the Stop Hacks and Improve Electronic Data Security (SHIELD) Act to proactively enhance the data security and privacy protections outlined in the Information Security Breach and Notification Act (ISBNA), the first legislation of its kind to protect consumers in the state from improper business data management practices while holding organizations accountable in the event of a breach.

The primary objective of the SHIELD Act is to safeguard sensitive personal information held by businesses and organizations and to strengthen the cybersecurity measures first established in New York’s Information Security Breach and Notification Act (ISBNA). The key provisions of the SHIELD Act include:

  • Broadened Definition of Personal Information: The act broadens the definition of “personal information” to include not only traditional identifiers like Social Security numbers and driver’s license numbers but also email addresses, biometric data, and account numbers.
  • Data Security Requirements: The SHIELD Act mandates that businesses selling to New York residents implement reasonable safeguards to protect personal data from unauthorized access, disclosure, or use.
  • Data Breach Notification: In the event of a data breach, businesses and organizations are required to notify affected individuals and the New York Attorney General’s office. This notification must occur as soon as possible and include details about the breach, the type of information exposed, and the steps taken to mitigate the breach.
  • Third-Party Service Providers: The act also holds third-party service providers accountable for protecting the personal information they process on behalf of businesses. Service providers must maintain reasonable security measures to safeguard this data as well.

The SHIELD Act is active and strictly enforced, as shown by recent settlements with several major companies. Noncompliance simply isn’t an option today despite the delays in enforcement due to the COVID-19 pandemic. Now, the SHIELD Act and additional laws are in full effect around the country to protect consumer data.

Source: New York State Attorney General

Maintain compliance

If your business is unsure whether it can comply with the mandates outlined in the SHIELD Act, the result can be significant, costly consequences. One organization has already been fined $600,000 USD. What would that do to your bottom line?

Instead, it’s better to take data privacy seriously and get proactive about making the organizational changes necessary to maintain compliance. If your business sells to customers across the US or abroad, there are likely even more stringent legal guidelines already in place that you must follow. Businesses that fail to implement reasonable data security measures can face fines, while those that fail to notify individuals and authorities about data breaches can also incur penalties.

Not all businesses must comply with the SHIELD Act, however, as the following are exempt from some of the act’s provisions:

  • Small businesses with fewer than 50 employees
  • Non-profit organizations
  • Government entities

These organizations are still required to take measures to protect personal information, but are not held to the same standards as larger for-profit entities. In particular, if private information was acquired and used in “good faith,” there are exemptions that let organizations that experience an unfortunate event avoid unnecessary fines.

The responsibility is on businesses and organizations to enhance data security and privacy protections for New York residents. Security measures must be implemented proactively, with an action plan in place to secure personal data. Businesses that take this seriously will not only build trust with consumers, but will also be ahead of the data privacy legislation rolling out across the country. Additional regulations are coming soon, so it’s better to get ahead of the curve than to fall behind and become a prime target for cybercriminals.

To stay a step ahead of the competition and the latest legislation, the following are the optimal business recommendations:

  1. Data Security Program: Implement a data security program that includes the necessary safeguards to protect personal information. This program should be tailored to the size and complexity of the business, taking into account the sensitivity of the data it handles.
  2. Risk Assessment: Conduct regular risk assessments to identify and address potential vulnerabilities in data security. This proactive approach helps you stay ahead of potential threats.
  3. Employee Training: Train employees on data security best practices to minimize the risk of data breaches resulting from human error or negligence. Employee awareness is a critical component of data protection.
  4. Data Breach Response Plan: Develop a comprehensive data breach response plan that outlines the steps to take in the event of a breach. Timely and effective response can mitigate damage and help maintain trust with customers.

How Privacy Bee helps you

Regaining your data privacy should be a top priority for both consumers and businesses. In today’s digital landscape, relying solely on reactive cybersecurity measures will leave you exposed to identity theft and large-scale data breaches. What’s needed to effectively close the protection gap is a data management service.

Privacy Bee, with your approval, actively works to limit the exposure of your personal information and that of your family. From a business standpoint, this extends to your employees and customers who trust your organization to safeguard their personal data. Our exhaustive data monitoring service covers the vast expanse of the internet, including the elusive dark web, to significantly reduce the attack surface that cybercriminals can exploit. By enlisting a professional service to monitor all the places where sensitive data is currently exposed, automatically manage deletion requests, and craft persuasive messages for business compliance, you can have peace of mind knowing that the important people in your life (and your business!) are protected.

The proliferation of Data Brokers and People Search Sites has accelerated the surveillance industry, which now boasts a billion-dollar-plus valuation. These entities profit from handling (and mishandling) private data, transferring it to obscure and uncontrollable parties. The consequences of having your confidential information exposed online are far-reaching and pose substantial risk in the hands of a cybercriminal. A single incident of identity theft can disrupt months of your life, destroying productivity and peace of mind.

It’s essential for businesses to remember that 100% of companies involved in a data breach had cybersecurity measures in place. Today, cybersecurity is common practice, and threat actors have adapted accordingly. With access to new technology, cybercriminals can more effectively scale and customize their attacks than ever before. Instead of waiting for an attack to occur, it’s best to take the necessary steps to remove personal information preemptively.

At Privacy Bee, we firmly believe that data privacy is a fundamental human right. We are committed to assisting individuals and businesses that share this belief and want to regain the ability to navigate the internet without fear of financial ruin.

Privacy Bee protects users against:

  • Identity theft
  • Data breaches
  • Telemarketer calls
  • Cyberstalking
  • Swatting
  • Doxxing
  • Blackmail
  • Spam

Whether you’re an individual looking to proactively protect yourself and your family, or a business looking to guard employees and customers alike, Privacy Bee is here to give you back control of your private data.
