New York SHIELD Act (Data Security)

Summary

The Stop Hacks and Improve Electronic Data Security (SHIELD) Act forces any business holding the private data of a New York resident to implement strict cybersecurity safeguards.

Rights & Rules

  • 01. Any person or business, even if they are not located in New York, MUST adopt reasonable administrative, technical, and physical safeguards to protect the data of New York residents.
  • 02. The definition of a 'data breach' is expanded: companies must notify you not just if a hacker *steals* your data, but even if an unauthorized person merely *accesses* or *views* it.
  • 03. The definition of 'private information' includes biometric data (fingerprints) and email addresses paired with passwords.

Penalties

  • 01. The NY Attorney General can seek civil penalties of $5,000 per violation for failing to implement security measures, and up to $250,000 for failing to properly notify residents of a breach.

Verified Citations

New York General Business Law Section 899-bb

Source
"Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information..."