
Governance & Resilience · Credibility 88/100 · 5 min read

Governance & Resilience Briefing — New York SHIELD Act security requirements take effect

New York’s SHIELD Act security requirements took effect on 21 March 2020, obligating businesses holding NY resident data to maintain a written program with administrative, technical, and physical safeguards aligned to NIST and ISO baselines.

Executive briefing: The SHIELD Act’s data security requirements became effective on 21 March 2020, expanding New York’s breach law to cover any business holding NY resident data, regardless of physical location. Covered organizations must implement a “reasonable” written information security program that blends administrative, technical, and physical safeguards, with allowances for small businesses but no exemptions for online-only operators.

Validated sources

  • NY Attorney General release confirming the effective date and enforcement posture for the SHIELD Act security program requirements.
  • SHIELD Act text (S5575B) detailing required safeguards, definitions of private information, and small business considerations.
  • NYDFS 2021-12 circular reinforcing cyber program expectations for regulated entities, which aligns with SHIELD Act standards.

Control mappings

  • NIST Cybersecurity Framework PR.AC, PR.DS, PR.IP: Supports access control, data protection, and policy controls that satisfy SHIELD’s administrative and technical safeguards.
  • ISO/IEC 27001:2022 Annex A.5 & A.8: Mandates governance, roles, risk assessment, and operational security controls consistent with SHIELD program documentation.
  • CIS Controls v8 2.1, 3.4, 6.7: Inventory data, enforce data classification and protection, and maintain audit logging to evidence “reasonable” safeguards.

Implementation checklist

  • Create or update the written information security program to describe risk assessments, asset inventories, encryption standards, and incident response procedures.
  • Document administrative safeguards: security training cadence, vendor due diligence, and designated security personnel with authority to enforce controls.
  • Deploy technical safeguards: multi-factor authentication for remote and privileged access, encryption in transit and at rest for private information, and vulnerability management.
  • Enforce physical safeguards: facility access controls, secure disposal of paper and electronic media, and visitor management.
  • Test incident response and breach notification playbooks against SHIELD timelines and evidence requirements; retain artifacts to demonstrate compliance during investigations.

Evidence to collect

  • Annual risk assessment reports, data-flow diagrams, and remediation plans that map directly to SHIELD’s safeguard categories.
  • Training rosters, completion certificates, and awareness materials showing workforce coverage and frequency.
  • Vendor security reviews, contracts with data protection clauses, and monitoring of subcontractor performance for services touching NY resident data.
  • Logs demonstrating encryption enforcement, MFA adoption rates, and privileged access reviews, retained for at least one audit cycle.

Assurance notes

  • Maintain records of annual risk assessments and remediation tracking to show continuous improvement to the Attorney General if an incident occurs.
  • Small businesses should document the rationale for scaled controls while demonstrating that safeguards remain “reasonable” for their size and sensitivity of data handled.
  • Plan tabletop exercises that simulate a SHIELD-reportable breach to validate notification timing, evidence gathering, and regulator communications.