Overview
The New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act is a state-level data security law that strengthens consumer data protection and breach notification requirements for businesses handling data of New York residents. Enacted in 2019, the law became fully enforceable on March 21, 2020.
Unlike broad consumer privacy laws such as California's CPRA or Colorado's CPA, the SHIELD Act primarily focuses on data security obligations and breach prevention measures.
Who Must Comply?
The SHIELD Act applies to any business that collects, processes, or stores the private data of New York residents, regardless of whether they operate in New York.
📌 No revenue or data processing thresholds – Unlike most state privacy laws, the SHIELD Act applies to all companies handling New York residents' data, including small businesses.
Exemptions:
The law does not apply to:
🚫 Government agencies
🚫 Entities compliant with industry-specific security standards (e.g., HIPAA or GLBA)
Key Consumer Protections Under SHIELD
✅ Expanded Definition of Private Information – The law defines private information broadly, including:
- Social Security numbers
- Driver's license numbers
- Credit and debit card numbers
- Biometric data (fingerprints, retina scans, voiceprints)
- Email addresses with passwords/security questions
✅ Mandatory Breach Notification – Companies must notify affected individuals and state authorities if private information is exposed in a data breach.
✅ Reasonable Data Security Program – Businesses must implement data security safeguards, including:
- Administrative safeguards (employee training, risk assessments)
- Technical safeguards (firewalls, encryption, access controls)
- Physical safeguards (secure disposal of records, restricted access to sensitive data)
Business Compliance Requirements
✅ Breach Notification Rules – If a company suffers a data breach, it must:
🔹 Notify New York consumers whose data was exposed
🔹 Inform the New York Attorney General, the State Police, and the Department of State
🔹 Notify credit reporting agencies if 5,000+ residents are affected
❌ No Consumer Opt-Out Rights – Unlike CPRA or GDPR, the SHIELD Act does not provide consumers with opt-out rights or data access rights.
❌ No Universal Opt-Out Requirement – Businesses do not need to recognize Global Privacy Control (GPC) signals.
Real-World Enforcement Cases
The New York Attorney General enforces the SHIELD Act, with penalties of up to $250,000 per violation.
📌 Recent Enforcement Actions:
- EyeMed Vision Care (2022) – Fined $4.5 million for failing to secure email accounts that exposed customer data.
- T-Mobile (2022) – Investigated after a data breach affecting 53 million U.S. residents, including millions of New Yorkers.
📊 Comparison with Other State Privacy Laws
The New York SHIELD Act differs from traditional consumer privacy laws:
✅ Stronger Data Security Rules – Requires reasonable safeguards for businesses handling private information.
✅ Strict Breach Notification Obligations – Companies must notify affected individuals and state authorities.
✅ No Consumer Opt-Out Rights – Unlike California (CPRA) and Colorado (CPA), consumers cannot opt out of data collection.
Future of SHIELD Act Regulation
🔹 Increased enforcement actions against companies failing to implement strong security.
🔹 Potential amendments to include broader consumer privacy rights.
🔹 Possible alignment with a federal data security law if enacted.
The SHIELD Act is one of the strongest U.S. data security laws, focusing on preventing breaches and protecting consumer data rather than consumer opt-out rights.