New York SHIELD Act Raises Bar for Data Privacy and Security

A little shy of a year since the State of New York signed the Stop Hacks and Improved Electronic Data Security (SHIELD) Act. This act emphasizes the companies to ensure safeguarding the New York residents’ data.

This legislation is one of several laws passed in the USA at the State level to protect people from companies increasingly exposed to threats and are continually lacking protection. Many people are now working from home, and in such situations, the harm done by breaches shoots up as well. Fortunately, the SHIELD law represents a drastic improvement in the position for businesses that have so long disregarded their customers’ protection and privacy.


On 25 July 2019, the SHIELD Act, which was adopted and entered into force on 21 March 2020, was signed as a law. The new law mandates the introduction of a “cybersecurity program” by companies that manage private information for every New York home that aims to negate the data violation breaches.

The act amends New York’s general business law and state technology law, setting the standard to protect personal information and notifying a security breach whenever it takes place.

Here are some fundamental changes that one can expect and witness:

  1. The definition of “private information” now extends in conjunction with the password or security questions and answers while blending in the information such as biometric information and user name/email address.
  2. Broadening the “data infringement” definition that now includes “access or acquisition of unauthorized data.” Before this amendment came into practice, it was confined to “acquiring” data that established a higher burden of evidence for data infringement. An event where cybercriminals have access to data may be deemed a privacy infringement by this change, even though there is no proof that the attackers have accessed or infiltrated more profound into the data.
  3. This act widens the period within which the New York Attorney General may bring an action in response to a violation of the SHIELDS Act between two to three years from the date of the notice of the breach or on the day on which the attorney general becomes aware of the offense – with whatever occurring first to be considered.
  4. The penalties on such breaches are up by a maximum of $250,000 for failure to notify affected people that the data breach is above $5,000 or $20 per incident.

The Impact: Who are the ones getting affected?


Any person or company that owns or licenses computerized data and contains private information about New York residents will be subject to the new law. This includes biometric information, unsecured health information, financial account numbers, and email addresses linked to passwords or questions/answers about security.

The law applies to all New York companies and companies outside New York, using private information about New York residents.

Data Breach Notification Requirements

Companies must notify New York residents of the possibility of compromise in their own data violation, which is a part of the SHIELD Act. The notice must be made “as expeditiously as possible and without reasonable delay.” The new law requires notification when private information has only been “accessed,” even if there is no evidence of non-authorized parties’ “acquisition” of the data. The number of violations requiring notification can be significantly increased.

If the data breach incident involves the critical user information of over 500 New Yorkers, the violated corporation must send reports to the Attorney General of New York within ten business days post identifying the breach.

Security and Data Privacy Requirements

The SHIELD Act requires companies to develop, implement, and maintain adequate safeguards to protect the safety, confidentiality, and personal data integrity involving New York residents.

The administrative, technical, and physical safeguards needs are the three crucial safety measures requirements.

Administrative Safeguards

  • Appoint one or more workers for cybersecurity system management.
  • It is choosing the service providers that can effectively maintain suitable safety protocols while ensuring protection through contracts.
  • Adapt the protection system to take into account changes in activity or new circumstances.
  • Evaluating internal and external security risks and assessing the existing safety measures’ effectiveness can help identify potential hazards.

Ensure providing necessary training and equip the right team with the planned activities and procedures to demonstrate carrying out effective security programs.


Technical Safeguards 

  • I am evaluating network and software development risks.
  • Ensuring the effectiveness of essential controls, systems, and procedures are regularly tested and monitored.
  • Risk assessment in the processing, transferring and storing the information.
  • Identifying, preventing, and responding to failures or attacks.

Physical Safeguards

  • We are assessing the storage and material disposal risks promptly.
  • We are ensuring sharp detection, avoidance, and response to possible intrusions.
  • Safeguard against unauthorized access or use during or after collection, transportation, and decimation or data disposal by private individuals.
  • Organizing private information for business purposes within a reasonable period and removing the electronic media ensures that the information in it is not read or reconstructed.

Relief for Small Businesses

For the past three years, the SHIELD Act helps relieve some small enterprises having lesser than 50 staff employed and fewer than 3 million dollars in gross annual income, or less than $5 million in a total yearly asset. Based on the business size, complexity, and sensitivity of the data they use, they are required to implement “reasonably” administrative, technical and physical security standards. Enterprises above such limits shall meet with all conditions set out under the new legislation and can benefit massively under this act.

How can ExpandForce create a Difference?

Try knowing more about the SHIELD Act from our security experts team as they help you understand everything in detail. Also, you can swiftly make changes in your security environment to leverage ExpandForce expertise. Get on a call with us to know more: (954) 271-5970 Or, email us:

Share This Post

4400 N. Federal Highway, Suite 210
Boca Raton, FL 33431

(954) 271-5970

Privacy & Cookies Policy