Cybersecurity Awareness Month – An Eye towards enforcement under NY SHIELD

Bond Schoeneck & King PLLC

[co-author: Maureen Milmoe]

New York's SHIELD Act, which became effective on March 21, 2020, requires persons and organizations that own or license electronic data that includes New York residents' private information to maintain reasonable administrative, technical and physical data security safeguards. The New York Attorney General (NYAG) is authorized to enforce the SHIELD Act by enjoining violations and obtaining civil penalties.

A flurry of recent activity indicates the NYAG's office intends to rigorously enforce the SHIELD Act. Understanding the recent enforcement actions issued by the NYAG is critical for organizations because maintaining data security safeguards will continue to be a focus for the NYAG’s office going forward.

In the past year alone, the NYAG has sent warning letters and secured monetary settlements and consent agreements from organizations that failed to comply with the SHIELD Act. The following agreements indicate an increase in violations and penalties under the SHIELD Act levied by the NYAG in 2022.

  • In June, the NYAG announced a settlement with Wegmans, a national supermarket chain, for violating the SHIELD Act in failing to protect customers' personal information. Wegmans agreed to pay a $400,000 penalty and to adopt additional security measures under the settlement. Additional security measures include maintaining an information security program and inventory of all cloud assets, establishing password policies for customers, and updating data collection and retention practices.
  • Also in June, the NYAG announced a multi-state settlement with Carnival Cruise Line for violating the SHIELD Act in a data breach. The breach compromised Carnival employees’ email accounts and personal information. Carnival agreed to pay around $44,000 in penalties and to strengthen its email security and data breach response practices. Consistent with past data breach settlements, Carnival is undergoing an independent information security assessment.
  • In February, the NYAG announced a settlement with EyeMed Vision Care LLC (EyeMed) for violating the SHIELD Act in failing to implement email privacy safeguards, resulting in a mass data breach and phishing incident. EyeMed agreed to pay a $600,000 penalty, adopt a written security program and improve security measures. The settlement included requirements for password complexity and multifactor authentication, improved information encryption and appointing an employee responsible for maintaining internal security measures.

By adopting the lessons learned from recent enforcement actions, organizations can prevent cybersecurity risk by implementing the practices listed above as part of their compliance regime.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bond Schoeneck & King PLLC | Attorney Advertising
