New York SHIELD Incident Response Guidelines

What you need to know to prepare your organization for New York’s privacy law

The New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) went into full effect March 21, 2020, introducing several changes to the state’s previous privacy law. The SHIELD Act:

Expands the definition of “private information” covered under the state law
Broadens the circumstances that are considered a data breach
Outlines security safeguards that organizations must follow if they own or maintain data on New York residents

Failure to comply with the SHIELD Act can carry a fine of up to $250,000.

	Which Organizations are Subject to the NY SHIELD Act?	How is the SHIELD Act Enforced?
	Any organization that collects or maintains computerized private information on New York residents is subject to the SHIELD Act. This applies regardless of the organization’s location, in contrast to New York’s previous law, which only applied to organizations that conducted business in the state.	The New York Attorney General is responsible for enforcing the SHIELD Act and can issue civil penalties of up to $5,000 per violation and $20 per instance of failing to comply with breach notification requirements (not to exceed $250,000). There is no private right to action.

Automate New York regulations with the BreachRx platform

Tailor your incident response plan in minutes so you know exactly what to do by when and take the crisis out of your incident response

Request Demo

New York only modifies compliance with the SHIELD Act for qualified small businesses and federally regulated organizations:

Small Businesses

Fewer than 50 employees;
Less than $3 million in gross annual revenue in each of the last three fiscal years; OR
Less than $5 million in year-end total assets (based on generally accepted accounting principles)

Must follow all data breach notification policies but can adjust the required safeguards to make them more appropriate for the size and scope of their business as well as the sensitivity of the data they collect.

Federally Regulated Organizations

Health Insurance Portability and Accountability Act (HIPAA);
Health Information Technology for Economic and Clinical Health Act (HITECH);
Gramm-Leach-Bliley Act; OR
New York Division of Financial Services Cybersecurity Regulation

No need to issue another breach notification to consumers beyond what’s already required, but organizations do need to notify applicable state agencies and consumer reporting agencies. The cybersecurity measures required under these regulations also qualify as compliant with safeguards required by the SHIELD Act.

What Does the SHIELD Act Require for Incident Response?

The SHIELD Act requires incident response in the form of a data breach notification when an unauthorized party accesses (views, communicates with, uses, or alters) or acquires private information. This represents two significant changes from the previous New York state law:

It lowers the breach notification threshold from unauthorized parties “acquiring” information to also include unauthorized parties “accessing” information
It expands the definition of what’s considered “private information”

What is “private information” under the SHIELD Act?

A username or email address in combination with a password or security question and answer that would grant access to an online account.

Personal information (any name, number, personal mark, or other identifier that can be used to identify a natural person) in combination with at least one of the following, when either the data is not encrypted or when the encryption key has also been accessed or acquired:

Social security number
Driver’s license number or non-driver identification card number
Account, credit card, or debit card number, in combination with any required security code, access code, or password that would grant access

Account, credit card, or debit card number, if the account can be accessed without any additional identifying information, security code, access code, or password
Biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical or digital representation used to authenticate or determine identity

The SHIELD Act notes two exceptions to issuing a data breach notification:

If the organization is already required to issue a notification under one of the designated federal regulations.
If the point of access was due to an inadvertent disclosure from someone with authorized access, and if the organization can reasonably determine that the instance is not likely to result in any misuse or financial or emotional harm to the affected individuals. Organizations must document this determination in writing and maintain that record for at least five years. If the disclosure included information on more than 500 New York residents, the organization must share the determination with the state attorney general within 10 days of completing it.

Issuing a Data Breach Notification in New York

Who to Notify

Affected individuals as well as the following officials regarding the timing, contents, and distribution of notices, including a copy of the template notice sent to consumers:

State attorney general
Department of state
Division of state police
Consumer reporting agencies (if the breach affected more than 5,000 New York residents)

Delivery Options

Written notice
Electronic notice, only in cases where individuals have expressly consented to receiving this type of notice and acceptance was not required as part of doing business (requires a log of all notifications)
Telephone notice (requires a log of all notifications)

Substitute Notice

If the cost of issuing a notification would exceed $250,000, if the incident affected more than 500,000 New York residents, or if the organization doesn’t have sufficient contact information.

Email notice, if email addresses are available and the breach did not compromise email address and password/security question (if it did, organizations must provide a clear and conspicuous notice online when the consumer is connected via an IP address or an online location they regularly use to access their account)
Conspicuous posting of the notice on the organization’s website, if it has one
Notice to major statewide media

Notice Contents

Contact information for the organization
Telephone numbers and websites for the relevant state and federal agencies that provide information regarding security breach response, identity theft prevention, and protection information
Description of the categories of information that were accessed or acquired by a person without valid authorization, including specifics about which elements of data were involved

What Types of Privacy Incidents Qualify as a Data Breach Under the SHIELD Act?

The SHIELD Act’s expanded definition of private information and change in breach qualifications from “acquisition” to “access” of that information lowers the threshold for what’s considered a data breach that requires notification. However, a variety of instances still exist that can trigger data breach notification requirements under the SHIELD Act. Common examples include:

Man in the Middle Attacks

When a hacker sits in the middle of digital communications and intercepts the information passing back and forth. Hackers typically gain access to execute this attack through unsecured public wifi networks.

Password Attacks

When an unauthorized party ascertains a user’s password and uses that information to access secure systems. Hackers can attain this password information through social engineering attacks, password databases, or even by guessing simple passwords.

Improperly Exposed Data

A company that improperly exposes personal data may have to issue a data breach notification. New York does offer protection for inadvertent disclosures, but only if organizations can “reasonably determine” the incident caused no harm to affected consumers.

Why Proactive Incident Response Matters in New York

The New York SHIELD Act requires organizations to proactively prepare for incident response measures as part of its security safeguards. However, doing so offers more than compliance benefits: It can also reduce the penalties associated with a breach and help organizations recover from incidents faster and maintain trust with customers.

Proactively preparing for incident response to achieve these benefits requires organizations to consistently track new regulations, including 23 NYCRR 500, develop response plans accordingly, assign responsibility for those plans, and regularly manage response plans as regulations change.