Is the SHIELD Act on Your Compliance Radar?  


With so much happening in the world of privacy and security, chief information security officers (CISOs) and chief data officers (CDOs) may be inclined to pay scant attention to yet another data security mandate, but it would be a mistake. 

Get ready (if you haven’t already) for the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which went into effect on March 21 in the state of New York. This law is designed to fortify data protection and ensure the security of consumers’ personal information. It means that all companies—regardless of where they are based—doing business with even a single New York-based customer or employing workers in the state must comply with its rules.

This is kind of a big deal. First of all we’re talking about New York state—home of New York City, arguably the center of the universe for commerce. It’s a hub for the global financial services industry, from brokerage and arbitrage to insurance and consumer lending. Many organizations conduct business with a financial services firm either based in New York or have a sizable physical or virtual presence there. And it doesn’t end with financial services. Dozens of the world’s largest and most influential corporations are based in New York, not to mention countless public sector entities and hundreds of thousands of small businesses.

New York State is also home to about 20 million people. Any organization that does business with any New Yorker or employ one must understand and comply with this law.  

Part of a National Trend

The New York SHIELD Act is not groundbreaking like the Global Data Protection Regulation (GDPR), which has had a momentous impact on data privacy guidelines and business practices around the world, or even like the California Consumer Privacy Act (CCPA), which came into force at the beginning of the year.

What it does is to codify specific requirements that companies need to meet to protect private information of New York state residents and exposes non-compliant entities to the enforcement action of the State Attorney General, who sponsored the bill. Companies that do not comply with the security requirements shall be liable to civil penalties up to $5,000  for each violation, without penalty caps.  

This is part of a national trend where in the absence of  a GDPR equivalent at the U.S. federal government level (highly unlikely for the foreseeable future, given the country’s currently fractured political structure), states are leading in the protection of privacy and security of their residents’ data. 

Nearly 10 U.S. states have enacted similar data privacy and protection guidelines for anyone doing business with their citizens or businesses, regardless of point of origin. The impact is likely to grow as more states legislate in this direction. The combination of New York and California alone represents nearly 20% of the nation’s population and the guidelines they have developed may act as a roadmap for the rest of the states to follow. 

Evolving Compliance Environment

With the New York SHIELD Act, reasonable security is not only a best practice, it’s also a legal obligation and companies could be considered negligent for not implementing a security program that includes the safeguards required by the law. 

Also, the days when states described requirements under their data protection laws generically as reasonable security measures are now gone. The New York SHIELD Act lists specific guidelines for what constitutes a compliant cybersecurity program. The guidelines include administrative security, technical security, and physical security, and provide specific safeguards that companies are expected to adopt.

First, business leaders and board members have to do their basic blocking and tackling. They must be aware that the law exists, that their organization more than likely is affected by it, and that violations carry financial and operational impact. 

Then companies need to assess gaps between their own security program and the safeguards required by this law. Is the security program adequately staffed? Are employees properly trained? Are risks assessed and documented? Could their vendors present a risk to their data? Furthermore, is there adequate prevention and detection of attacks? How is the program monitored and adapted to new regulatory changes?

They should not assume that being aware of the law’s requirements is the sole domain of the CISO. Just as financial mandates like Sarbanes Oxley are not only concerns for the CFO, but also for the CEO, C-suite executives and boards must be aware of the framework required by New York SHIELD Act, at least at a high level. 

Another important new reality is that the New York law and other state laws have suitably armed regulators in the State Attorney General. These mandates have teeth, and companies must prepare to respond to inquiry and enforcement in the event of breaches or security violations.

Bottom line: The New York SHIELD Act shows that, even in the absence of a federal data protection law, states are stepping up their game for security and privacy protection of their residents’ information. 

It’s time for organizations to undertake sober, serious and strategic evaluations of how they protect personal data, and how evolving technologies and new laws are likely to make compliance more challenging.

Paola Zeni is assistant general counsel and senior director of global privacy at Palo Alto Networks.

End Points

  • The SHIELD Act went into effect on March 21 in the state of New York.
  • Since the state is a center of commerce, complying with the law is a requirement for most organizations.
  • The emergence of similar laws signals the increased complexity of the data protection environment.