Is Your Business Ready for the SHIELD Act?


In 2019, New York State Governor Andrew Cuomo, signed the Stop Hacks and Improve Electronic Data Security Act, otherwise known as the SHIELD Act. The Act will go into effect on March 21, 2020.

The SHIELD Act is a required guideline set by NYS to further protect the identity and security of NYS individuals’ private information, whether your company resides in NYS or does any business with New York residents.

“Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data."

Private information includes social security numbers, driver's license numbers, account numbers, credit/debit card numbers, fingerprints, retina images (ex: face ID for smartphones), usernames/emails/passwords, and more. The goal of this act is to help further protect against identity theft.

To reach guidelines stated in the SHIELD Act, NYS requires every business to have reasonable security measures in place.  Businesses will be in compliance with the SHIELD Act if the proper security measures are set in place by March 21st. Security measures as defined by this new law are:

  1. Designates one or more employees to coordinate the security program
  2. Identifies reasonably foreseeable internal and external risks
  3. Assesses the sufficiency of safeguards in place to control the identified risks
  4. Trains and manages employees in the security program practices and procedures
  5. Selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
  6. Adjusts the security program in light of business changes or new circumstances

Your business will also be in compliance if you currently meet the requirements of:

  1. Title V of the Federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 to 6809)
  2. Regulations implementing the health insurance portability and accountability act of 1996 (45 C.F.R. Parts 160 and 164)
  3. Part Five Hundred of Title Twenty-Three of the official compilation of codes, rules and regulations of the state of New York (Cybersecurity Requirements for Financial Services Companies)
  4. Any other data security rules and regulations of, and the statutes administered by, any official department, division, commission or agency of the federal or New York state government as such rules, regulations or statutes are interpreted by such department, division, commission or agency or by the Federal or New York state courts.

Any breach in security is now required to be reported directly to the New York State resident whose information allegedly was stolen. Failure to comply with the SHIELD Act will result in a fine from the New York State attorney general.

Read the official SHIELD Act text here.

ACC is dedicated to assisting our clients with their compliance requirements, including initial steps as well as ongoing efforts while needs change.

Contact us here to start a discussion and request a compliance audit.