By: Thomas S. Tripodianos Published: May 2020

The NY SHIELD Act - New York's Data Privacy Law

While we’ve all been adapting to working from somewhere other than our office during the pandemic, SHIELD has come into existence.  This is not something from the comic books.  NY SHIELD (Stop Hacks and Improve Electronic Data Security Act) took effect on March 21 and it contains important changes in New York’s data privacy law.  So as we are all rushing to implement remote work from home technology, lets pause (no pun intended) and take a look at some of the liability concerns under the act.

The NY SHIELD Act (General Business Law §§899-AA and 899-BB) applies to businesses (small businesses are not exempt) that collect personal information regarding people living in the state, even when the business does not have offices there. The definition of protected “personal information” includes both “any information concerning a natural person which, because of name, number, personal mark or other identifier, can be used to identify such natural person” and biometric information.  Businesses have a duty to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information, including, but not limited to, the disposal of data.”

Some businesses may already be in compliance with SHIELD because of other prior federal or state data security requirements.  However, many may not be in compliance, which means they must implement a three-part written data security program with both reasonable administrative and technical safeguards, as set out in the law, as well as reasonable physical safeguards, with examples provided in the statute.

The threshold for small businesses1 is whether a security program “contains reasonable administrative, technical and physical safeguards that are appropriate for the size and scope of the business activities, and the sensitivity of the personal information the small business collects from or about customers.”

The statute calls out the five types of access-related information disclosures that are punishable under the law: (1) an account or card number, if that alone is sufficient to access an account; (2) if a password or similar security device is needed to access the account, then an account or card number in conjunction with the password or security code; (3) biometric information; (4) a user name or e-mail which, in conjunction with a password or security code, permits access to a financial account; and (5) HIPPA-related information.  If such information is revealed companies must provide notice to New Yorkers “immediately following discovery.”

If you think that as a contractor, you don’t collect this type of information think again.  Here are some examples:

  • When jobsites reopen do you plan on logging people coming to the site and taking their temperature?
  • Do you collect personal information from your employees as part of the onboarding process?
  • Do you have your customer’s security access codes to get access to a site?
  • Did you sign any confidentiality agreements with your customers?
  • Do you use any technology to enhance worker safety or track site access?

If information relating to more than 500 New Yorkers was revealed, the law requires businesses to notify state officials within 10 days. If officials are not notified, the New York Attorney General can sue for injunctive relief and actual costs or losses incurred, including consequential damages. Finally, if the violation was knowing or reckless, the court also can award a civil fine of $5,000, or $20 per instance of failure to notify, whichever is greater, up to a ceiling of $250,000.  There is no private right of action.

The statute also contains an inadvertent disclosure exemption.  To qualify, a business must “reasonably” determine that all of the following applies:

  • that the exposure was “inadvertent,”
  • disclosed by someone who was “authorized to access private information,” and
  • that the exposure is “not likely” to result in any of the following: (a) misuse of the information, (b) financial harm, or (c) emotional harm to affected individuals.

The business must document its determination in writing and maintain that documentation for five years. If the breach involved more than 500 New York residents, the business must provide its determination to the New York Attorney General within ten days of it being made.  Choose wisely though, because incorrectly invoking the inadvertent disclosure exemption could negatively affect later litigation and increase a business’ liability stemming from the breach.

Under current New York public policy, as a matter of law, insurance coverage for civil penalties for “knowing or reckless” violation of the SHIELD Act may not be available but there may be coverage for responding to the investigation or defending against an action seeking penalties.  There are currently pending appeals on this issue which we continue to monitor.

To make sure you are in compliance you should not only contact competent legal counsel but also your IT professional and insurance broker.

1 Small business is defined as (i) a person or business with fewer than 50 employees; (ii) less than $3 million in gross revenue for the last three fiscal years, or (iii) less than $5 million in year-end total assets.


© Welby, Brady & Greenblatt, LLP.
All Rights Reserved. By visiting this site, you agree to our Terms of Service. For more information please read our Privacy Policy Attorney Advertising