New York SHIELD Act: Your Cybersecurity Obligations to New Yorkers' Data

April 21, 2020

By: Drew Sorrell & Ferran Arimon

As millions of employees around the country begin their second month working remotely, several government agencies have issued warnings about a spike in data security incidents and an increased risk of cyber-attacks such as phishing and ransomware. Many states already impose cybersecurity mandates on businesses, such as mandatory breach reporting to the state's attorney general. In March, however, the New York Stop Hacks and Improve Electronic Data Security Act (the "SHIELD Act") took effect. The Act goes a step further than other states' laws by requiring businesses to include specific protections in their data security programs.

The SHIELD Act will affect businesses across the country because its reach is not limited to companies that conduct business in New York: it applies to any business that holds the private information of a New York resident. These changes to New York's cybersecurity requirements may also be a catalyst for other states to adopt similar regulation.

Under the SHIELD Act, New York's attorney general may bring claims to seek restitution and recover civil penalties of up to $5,000 per violation, with no aggregate cap, against companies that have failed to abide by the Act's enhanced security requirements. The SHIELD Act does not, however, create a private right of action. That said, the plaintiffs' bar is expected to point to the SHIELD Act as the relevant standard of care when bringing civil cases under other theories of liability, which makes the Act more broadly relevant. The Act departs from other states' cybersecurity laws in that it provides concrete context for what is considered "reasonable" cybersecurity.

The obligations of the SHIELD Act apply to "[a]ny person or business which owns or licenses computerized data which includes private information of a New York resident." The SHIELD Act requires such persons to maintain reasonable administrative, physical and technical safeguards, and it lists several examples of safeguards that companies should adopt:

Administrative Safeguards

  • Designate individual(s) responsible for security programs;
  • Ongoing risk assessments that identify reasonably foreseeable internal and external risks coupled with an assessment of the sufficiency of safeguards in place to control those risks;
  • Employee training in security program practices and procedures;
  • Select capable service providers and require safeguards by contract; and
  • Adjust program(s) in light of business changes or new circumstances.

Physical Safeguards

  • Assess risks of information storage and disposal;
  • Detect, prevent, and respond to intrusions;
  • Protect against unauthorized access/use of private information during or after collection, transportation, and destruction/disposal; and
  • After private information is no longer needed for business purposes, disposal within a reasonable amount of time.

Technical Safeguards

  • Assess risks in network design, software design, information processing, transmission and storage;
  • Detect, prevent and respond to attacks or system failures; and
  • Regularly test and monitor the effectiveness of key controls, systems, and procedures.

The SHIELD Act has also somewhat expanded the classic definition of “private information” and states that private information includes both:

  1. Personal information with one or more of the following data elements, when either the data element or the combination of personal information plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired:
    1. social security number, driver’s license number, or non-driver identification card number;
    2. account number, credit, or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account;
    3. account number, credit, or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password; or
    4. biometric information including: a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate/ascertain the individual’s identity; OR
  2. A username or e-mail address in combination with a password or security question answer that would permit access to an online account.

It should be noted that breach notification is triggered not only where private information has been acquired by an unauthorized person, but also where it has merely been accessed (for example, viewed) by an unauthorized individual in circumstances likely to cause harm to a consumer. The net result is that the definition of a "breach" is now effectively broader, so incidents that previously might have gone unreported, such as an intruder viewing records without exfiltrating them, may now require notification.

Exceptions to the SHIELD Act

Qualifying small businesses are still required to report data breaches; however, the SHIELD Act recognizes that certain security measures may not be appropriate or "reasonable" for small businesses. For purposes of this relief, a small business is any person or business with: i) fewer than 50 employees; ii) less than $3 million in gross annual revenue in each of the last three fiscal years; OR iii) less than $5 million in year-end total assets, calculated in accordance with GAAP.

While a qualifying small business must still maintain a cybersecurity program, the "reasonableness" of that program is judged against factors such as the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the information it collects about consumers.

We encourage you to look through the requirements of the SHIELD Act and assess whether your current cybersecurity program would be considered “reasonable.” Should you have any questions regarding the adequacy of your business’ cybersecurity measures, please feel free to reach out to Drew Sorrell or Ferran Arimon.

This article is informational only. You should consult an attorney before acting or failing to act. The law may change rapidly and no warranty is given. LOWNDES DISCLAIMS ALL IMPLIED WARRANTIES AND WITHOUT LIMITATION, ANY WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE. ALL ARTICLES ARE PROVIDED AS IS AND WITH ALL FAULTS. Consult a Lowndes attorney if you wish to establish an attorney/client relationship.

Drew Sorrell's practice focuses on complex commercial issues, relating to both litigation and contract/policy drafting.

Drew has years of experience litigating business matters, intellectual property/patent infringement disputes, data breach/privacy issues, wire fraud (spoofing/spear phishing), business torts/disputes, insurance coverage, personal injury and employment litigation. Likewise, he has significant experience drafting and negotiating software licenses (SaaS), Internet service provider agreements, data privacy/breach policies and procedures, employment/services agreements as well as the indemnity and insurance coverage related to those agreements.

Initially, Drew began his legal career as a judicial clerk to Senior United States District Judge John H. Moore II, in Jacksonville, Florida, and then practiced with an AmLaw top 10 firm in Manhattan primarily in their litigation department. After spending some time as an assistant county attorney responsible for litigation, he joined Lowndes and is currently chair of the firm’s multi-discipline Cybersecurity, Privacy & eDiscovery Group.

A founding member of the Sedona Conference Group 11 (Privacy/Data Security), Drew is frequently asked to speak and write on legal and ethical issues arising from technology, including unfair and deceptive trade practices, data breach, privacy, data governance, and technology contract drafting. He is also currently serving as chair of the Orange County Bar Association Intellectual Property Committee.

Drew has argued before the United States Court of Appeals for the Eleventh Circuit, at the federal level, and the Fifth District Court of Appeal at the state level. He is admitted to the United States Supreme Court Bar, as well as the Florida, New York and District of Columbia Bars. He is admitted to practice before all federal district courts in Florida as well as the Southern District of New York.

Born in Florida, Drew roots for his adopted football team—the FSU Seminoles (because neither Rollins nor George Washington has a football team). He is a proud father of two sons who play basketball and soccer, make great grades and generally keep him very busy in his spare time.


Ferran Arimon focuses his legal practice on corporate and securities law, mergers and acquisitions and tax law.

A member of the firm’s Corporate Group, Ferran works with clients to structure financing transactions in compliance with federal and state securities laws and represents both public and private companies in mergers, acquisitions, capital raising, and corporate governance matters. Additionally, he counsels clients on a broad range of tax issues and business planning issues from entity selection and formation to dissolutions.
