Governance & Resilience — New York SHIELD Act security requirements take effect
New York’s SHIELD Act security requirements took effect on 21 March 2020, obligating businesses holding NY resident data to maintain a written program with administrative, technical, and physical safeguards aligned to NIST and ISO baselines.
Verified for technical accuracy — Kodi C.
The SHIELD Act’s data security requirements became effective on 21 March 2020, expanding New York’s breach law to cover any business holding NY resident data, regardless of where the business is physically located. Covered organizations must implement a “reasonable” written information security program that blends administrative, technical, and physical safeguards, with allowances for small businesses but no exemption for online-only operators.
Validated sources
- NY Attorney General release confirming the effective date and enforcement posture for the SHIELD Act security program requirements.
- SHIELD Act text (S5575B) detailing required safeguards, definitions of private information, and small business considerations.
- NYDFS 2021-12 circular reinforcing cyber program expectations for regulated entities, which aligns with SHIELD Act standards.
Control mappings
- NIST Cybersecurity Framework PR.AC, PR.DS, PR.IP: Supports access control, data protection, and policy controls that satisfy SHIELD’s administrative and technical safeguards.
- ISO/IEC 27001:2022 Annex A.5 & A.8: Mandates governance, roles, risk assessment, and operational security controls consistent with SHIELD program documentation.
- CIS Controls v8 2.1, 3.4, 6.7: Inventory data, enforce data classification and protection, and maintain audit logging to evidence “reasonable” safeguards.
Implementation checklist
- Create or update the written information security program to describe risk assessments, asset inventories, encryption standards, and incident response procedures.
- Document administrative safeguards: security training cadence, vendor due diligence, and designated security personnel with authority to enforce controls.
- Deploy technical safeguards: multi-factor authentication for remote and privileged access, encryption in transit and at rest for private information, and vulnerability management.
- Enforce physical safeguards: facility access controls, secure disposal of paper and electronic media, and visitor management.
- Test incident response and breach notification playbooks against SHIELD timelines and evidence requirements; retain artifacts to show compliance during investigations.
Evidence to collect
- Annual risk assessment reports, data-flow diagrams, and remediation plans that map directly to SHIELD’s safeguard categories.
- Training rosters, completion certificates, and awareness materials showing workforce coverage and frequency.
- Vendor security reviews, contracts with data protection clauses, and monitoring of subcontractor performance for services touching NY resident data.
- Logs demonstrating encryption enforcement, MFA adoption rates, and privileged access reviews, retained for at least one audit cycle.
Assurance notes
- Maintain records of annual risk assessments and remediation tracking to show continuous improvement to the Attorney General if an incident occurs.
- Small businesses should document the rationale for scaled controls while demonstrating that safeguards remain “reasonable” for their size and sensitivity of data handled.
- Plan tabletop exercises that simulate a SHIELD-reportable breach to validate notification timing, evidence gathering, and regulator communications.
Expanded Private Information Definition
SHIELD significantly expands the definition of private information beyond traditional PII. Biometric information including fingerprints, retina scans, and facial geometry now triggers SHIELD obligations. Organizations using biometric authentication or time-tracking systems must inventory these data flows.
Username and password combinations that could permit account access constitute private information under SHIELD. Password databases, authentication logs, and help desk systems storing credentials require protection and breach notification if compromised.
Financial account information without security codes still qualifies as private information under certain circumstances. The expanded definition captures data previously excluded from breach notification requirements under the older law.
Small Business Flexibility
SHIELD provides scaled requirements for small businesses, defined as those with fewer than 50 employees, less than $3 million in gross revenue, or less than $5 million in total assets. These organizations must implement safeguards appropriate to their size and nature of data handled rather than enterprise-scale programs.
Small business safeguards should still address the three categories—administrative, technical, and physical—but may be implemented proportionally. A ten-person company need not maintain the same security operations center as a Fortune 500 enterprise, but must show reasonable protections.
Documentation remains important for small businesses. When an incident occurs, the Attorney General will evaluate whether safeguards were reasonable for the organization's circumstances. Written policies and evidence that the safeguards were actually implemented support this evaluation even for smaller organizations.
Enforcement environment
The New York Attorney General has enforcement authority under SHIELD, with civil penalties up to $5,000 per violation for knowing and reckless violations. The AG has shown an active enforcement posture through settlements with companies that experienced breaches where inadequate safeguards contributed to the incident.
SHIELD does not create a private right of action—individuals cannot sue organizations directly for SHIELD violations. However, inadequate safeguards may support negligence claims in breach-related litigation, and AG enforcement creates reputational and financial risk independent of private lawsuits.
If you are affected, anticipate increased enforcement attention as the AG's office develops SHIELD expertise. Early settlements establish precedents for what counts as reasonable safeguards, and organizations with clearly deficient programs face a heightened risk of significant penalties.
Cited sources
- Stop Hacks and Improve Electronic Data Security (SHIELD) Act — New York State Senate
- Attorney General James announces data security requirements take effect under SHIELD Act — New York Attorney General
- DFS Cybersecurity Requirements for Financial Services Companies, Circular Letter No. 9 (2021-12) — New York State Department of Financial Services