What is the NY SHIELD Act?

On March 21, 2020, the data security provisions of New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) came into force. The act establishes protections for customer data to ensure the integrity, confidentiality and security of the private information of New York residents, and requires organizations to provide a Data Breach Notice in the event of a data breach that exposes that information.

The SHIELD Act requirements apply to any organization or person (including public bodies, non-profits, sole proprietorships, and others) who owns or licenses computerized data containing personal information about New York State residents. This means the SHIELD Act can affect businesses of any scale, located anywhere in the world.

Entities that comply with the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and/or the NYDFS Cybersecurity Regulation (23 NYCRR 500), or any other federal or New York State cybersecurity legislation are excluded.

In the case of a data breach, compliant Controlled Entities are not required to notify affected individuals. 

Small businesses are exempt from the regulation as well, but must scale their data protection requirements according to their size and complexity, the nature and scope of their business activities, and the sensitivity and importance of the data they collect.

Any individual or company that meets one of the following conditions is described as a small business under the SHIELD Act:

  • The company has fewer than fifty employees
  • In each of the previous three fiscal years, the average annual income was less than three million dollars
  • The company has year-end net assets of less than $5 million, determined according to generally accepted accounting principles (GAAP)

The Act covers “private information” of New York residents. The following are examples of private information:

  • Username or e-mail address, along with a password or security questions and answers, that allows access to an online account
  • Personal information (for example, information about a natural person that can be used to identify that person, such as a name, number, unique identifier or personal mark) in combination with any one or more of the following data elements, either when the data element, or the combination of personal information and data element, is not encrypted, or when the data element is encrypted:
    • an account number or credit/debit card number, in combination with any required security code, access code, password or other information that would permit access to a person’s financial account (or on its own, if the number could be used to access a person’s financial account without additional identifying information)
    • driver’s license number or non-driver identification card number
    • Social Security number
    • biometric information

What are the requirements for complying with the SHIELD Act?

The Act’s data security provisions require an agency that owns or licenses computerized data containing the private information of New York residents to:

  • Develop, implement, and maintain an appropriate data security program to protect the security, confidentiality and integrity of private information, including its disposal
  • In the case of a data breach exposing New York residents’ personal details, send them a Data Breach Notice

To comply with the SHIELD Act, organizations must implement a data security program containing at least the following:

  • Reasonable administrative safeguards: designating one or more employees to coordinate the security program, identifying potential internal and external risks, assessing whether existing safeguards are sufficient to control the identified risks, and training and managing employees in the security program’s practices and procedures
  • Reasonable technical safeguards: assessing risks in network and software design, assessing risks in information processing, transmission and storage, detecting, preventing and responding to attacks or system failures, and regularly testing and monitoring the effectiveness of key controls, systems and procedures
  • Reasonable physical safeguards: assessing the risks of information storage and disposal, detecting, preventing and responding to intrusions, and protecting against unauthorized access to or use of private information during or after its collection, transportation and destruction or disposal

Why should you be compliant with the SHIELD Act?

The compromise of sensitive data is a “lose-lose” situation for all involved parties. Fraud, identity theft, monetary theft, public humiliation and other harms can befall customers and even employees whose data has been hacked, compromised or stolen by cybercriminals.

Customers may feel betrayed or frustrated. The employee whose actions resulted in the breach is embarrassed – they may even lose their job. Businesses that are found to be negligent in their attempts to protect consumer data could face severe penalties as well as market retaliation.

Furthermore, although social attitudes toward the right to privacy differ by community, people instinctively recognize when their boundaries are being violated. Nobody enjoys being followed or feeling stalked. 

The NY SHIELD Act recognizes that when it comes to properly handling confidential data, trust, security, loyalty, brand value, human rights and freedoms are all on the line. Companies can reap significant benefits by consistently protecting their consumers’ data and privacy; adhering to this act demonstrates their commitment to consumer protection and builds consumer confidence.

Under the NY SHIELD Act, the Attorney General of New York has the authority to file enforcement actions and seek injunctions. The Act’s privacy safeguards do not include a private right of action.

The Attorney General may seek a $5,000 penalty per violation of the Act’s security requirements.

The SHIELD Act expanded the maximum civil penalty that the Attorney General may pursue. Failure to comply with the Act’s requirements, such as not sending a breach notice, now carries a penalty of $20 instead of $10 per breach, and this fine may be as much as $250,000. Furthermore, sanctions cannot be imposed more than six years after the discovery of the violation unless the company took action to conceal the breach.

How to achieve compliance?

With the necessary resources and expertise, compliance with the SHIELD Act can be achieved from within a New York organization. The NIST Cybersecurity Framework (a data security and privacy program that can be aligned to satisfy the security and privacy requirements of the act) is highly recommended because it goes above and beyond the compliance requirements while providing a high level of cybersecurity defense for today’s enterprise.

If a company lacks the expertise to meet the security standards on its own, it can outsource to a Managed Security Service Provider, or MSSP. MSSPs are a subset of Managed Service Providers (also known as IT firms) that specialize in providing cybersecurity services to small businesses. Meeting the SHIELD Act’s requirements can be confidently outsourced to this kind of provider.

The first step toward NY SHIELD compliance entails a gap analysis or assessment on the network. Gap analysis refers to the process of determining how close or far an IT system is to being in compliance.

The remediation plan will then be built on the basis of the gap analysis. The remediation plan lays out the measures that must be taken to comply with the NY SHIELD Act’s requirements. These measures may either be completed by the MSSP or within the organization. The MSSP will enforce the security controls needed to be compliant by following the step-by-step plan.

The Centraleyes risk assessment platform allows organizations and MSSPs to manage their security and risk assessments with visual dashboards and customized reports. MSSPs also have the ability to manage multiple customers under one multi-tenant dashboard, and make sure they are on top of each portfolio.

The NIST Cybersecurity Framework (NIST CSF) has been integrated into the Centraleyes platform to assist organizations in implementing a data privacy program to comply with the NY SHIELD Act and protect the data privacy of New York residents.

The Centraleyes platform, together with the integrated NIST CSF questionnaire embedded in it, saves time and resources during the gap analysis stage, produces more accurate and measurable data, generates automated remediation action items for controls that have not yet been implemented, and provides peace of mind when working toward NY SHIELD compliance.

Using the Centraleyes platform for your NY SHIELD Act requirements is a game changer, specifically streamlining your privacy and security management in a user friendly interface in a timely and cost-effective manner.
