
New York Shield Law Will Soon Go Into Effect

The SHIELD Act (NY SB 5575B) does several things and goes into effect in two phases.  The first phase, expanded breach notification, goes into effect on October 23, 2019.  The data security requirements go into effect on March 21, 2020, but there is a lot of work to do to comply.  The law broadens the definition of private information, expands the definition of a breach, expands the territorial scope and imposes data security requirements.

The data security requirements are very specific and similar to what NY financial institutions already have to do.

  • Designate one or more employees responsible for the security program
  • Identify reasonably foreseeable internal and external risks
  • Assess the sufficiency of safeguards in place to control the identified risks
  • Train and manage employees in the security program practices and procedures
  • Select service providers capable of maintaining appropriate safeguards and require those safeguards by contract
  • Adjust the security program in light of business changes or new circumstances
  • Implement reasonable technical safeguards, such as safeguards that
    • Assess risks in network and software design
    • Assess risks in information processing, transmission and storage
    • Detect, prevent and respond to attacks or system failures
    • Regularly test and monitor the effectiveness of key controls, systems and procedures
  • Implement reasonable physical safeguards, such as safeguards that
    • Assess risks of information storage and disposal
    • Detect, prevent and respond to intrusions
    • Protect against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information
    • Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed

Small businesses (fewer than 50 people) are exempt, as are businesses that must already comply with HIPAA, GLBA or NY DFS 500.

This is a lot of work.  Source: Jones Day.