
Stop Hacks and Improve Electronic Data Security Act (SHIELD ACT)

By N. Fulya Kazbay

New York has enacted the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which Governor Cuomo signed on July 25, 2019.

The SHIELD Act amends New York’s existing data breach notification statute to impose additional requirements on businesses that hold private information of New York residents. Section 3 of the SHIELD Act broadens the definition of private information to include i) biometric information such as fingerprints, voiceprints, retina or iris images, or other unique physical or digital representations of biometric data that are used to authenticate or ascertain an individual’s identity, ii) a username or email address in combination with a password or security question and answer that would permit online account access, and iii) an account number or credit or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password. The SHIELD Act also expands the circumstances that trigger breach notification obligations and requires businesses to implement reasonable administrative, technical, and physical safeguards to protect private information. Being “reasonable” is defined both as a general standard and through a list of specific measures with which businesses should comply.

Specific reasonable administrative safeguards include designating one or more employees to coordinate the security program of the business, identifying reasonably foreseeable internal and external risks, training employees to coordinate the security program, selecting service providers capable of maintaining appropriate safeguards by contract, and adjusting the security program in light of business changes. Reasonable technical safeguards include, among others, regularly testing and monitoring the effectiveness of key controls, systems, and procedures, and detecting, preventing, and responding to attacks or system failures. Disposing of private information within a reasonable time after it is no longer needed for business purposes and protecting private information against unauthorized access are counted among reasonable physical safeguards.

Regulated entities that comply with another cybersecurity legal regime, i.e., the Gramm-Leach-Bliley Act, HIPAA, or the New York Department of Financial Services’ Cybersecurity Regulation, are deemed compliant with the SHIELD Act’s reasonableness standard.

The SHIELD Act does not authorize a private right of action, but the attorney general may bring an action for violations of the law, and the court may impose civil penalties. Further, any business that holds private information of New York residents is required to comply, not only companies doing business in New York.

The SHIELD Act provisions on information security will take effect on March 21, 2020, while the other provisions will take effect on October 23, 2019.

If you have any questions about the SHIELD Act, please contact Fulya Kazbay at 212.545.1900.

ABOUT N. FULYA KAZBAY | 212.545.1900

Fulya Kazbay is an attorney based in New York with over 15 years of experience representing companies and entrepreneurs in cross-border transactions including acquisitions and joint ventures, corporate and privacy & data security. She is a member of the Firm’s International Law, Business Law and Transactions, and Privacy and Data Protection practice groups, and a member of The Society of Turkish American Architects Engineers and Scientists, The American Turkish Society, and European American Chamber of Commerce, and a past member of New York City Bar Association Information Technology and Cyber Law Committee (2014-2017). She can be reached at +1 212 545 1900.





