Breach Notification | private information | SHIELD Act

By Susie Kenerson, CIPP/US – Compliance Privacy Officer at CSR Privacy Solutions, Inc.

The Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) (Senate Bill 5575) was signed into law on July 25, 2019.  The Act amends Article 39-F of New York’s general business law, which includes data breach notification requirements for businesses and adds a new mandate for businesses to have programs for data protection and security of their information systems.

Article 39-F is now titled Notification of Unauthorized Acquisition of Private Information; Data Security Protections and includes Section 899-aa and the new Section 899-bb.


Businesses who must abide by data breach notification requirements broadens significantly with the SHIELD Act.  Article 39-F currently governs only businesses conducting business in New York state.  However, the SHIELD Act extends the requirements to any businesses who own or license computerized data which includes private information of New York residents, including businesses operating outside the state.  In addition, these same businesses are now required to have programs for data protection and security of their information systems.

The amendments to data breach notification requirements are effective October 23, 2019.

The new data security protection requirements are effective March 21, 2020.


Significant requirements brought by the SHIELD Act are:

  • The definition of “private information” is broadened to include:
    • financial account numbers when such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password; or
    • biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity; or
    • a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
  • The definition of “breach of the security of the system” has been expanded to include “unauthorized access to” computerized data. This adds to the current definition which only consists of an “unauthorized acquisition”.
  • Considerations added for determining if a breach occurred, including whether “the information was viewed, communicated with, used or altered” by an unauthorized person.
  • Additional information that must be included in consumer notifications and regulatory reporting to the Attorney General, Department of State and Division of State Police.
  • Specific means for providing consumer notification through “substitute notice” electronically, when allowed.
  • If it is determined that a breach incident will not result in misuse of information or harm to individuals, businesses must maintain written records for at least 5 years. In addition, the written determination must be sent to the Attorney General for incidents involving more than 500 New York residents.
  • Entities governed by specific state and federal regulations, may provide consumer notification following those state or federal regulations, but must still report to the Attorney General, Department of State, Division of State Police and credit reporting agencies, pursuant the data breach notification requirements.
  • Covered entities governed by HIPAA or HITECH who experience a data breach under the guidelines of those regulations, but outside the definition of “private information” of this Act, must still provide regulatory reporting to the Attorney General.

Protection of Private Information

Businesses that own or license computerized data which includes private information of New York residents are required to have a specific program for data protection and security of their information systems.

Businesses will be deemed compliant with the SHIELD Act if they implement and maintain specific administrative, technical and physical safeguards appropriate to the business based on size, type of business activities, and sensitivity of private information held by the business.  Such measures include:

  • Designate an employee(s) to coordinate the program
  • Risk assessment
  • Employee training on the program and its procedures
  • Vendor management
  • Prevent, detect and respond to attacks to or failures of information systems and intrusions
  • Ongoing monitoring and testing of systems and procedures
  • Protection of private information from unauthorized access from the point of collection to the point of disposal
  • Disposing of private information when it is no longer needed, so that it can no longer be read or reconstructed

Entities are deemed compliant if they follow data security requirements of Title V of the Gramm-Leach-Bliley Act, HIPAA, HITECH, 23 NYCRR 500, or other regulated federal or New York state department, division commission or agency.


The Attorney General may bring an action for violations.  The court may issue an injunction to prevent a business against violations.  In addition, damages may be awarded for consumer losses and costs involved for failure to provide consumer notification as required.

Penalties for knowingly or recklessly violating the notification requirements begin at $5,000 or up to $20.00 per failed notification, and can amount up to $250,000.  This fine has increased from $10.00 per instance or $150,000 maximum amount.

In addition, non-compliance with the new data protection and security requirements will be considered deceptive acts and practices, with civil penalties up to $5,000 per violation.

Additional Information

Businesses conducting business in and outside of New York who maintain private information of New York residents must take note of the updated requirements for data breach notification that become effective October 23, 2019 and must ensure they are compliant with the data and security protections by March 21, 2020.

Contact CSR