New York SHIELD Act Raises Bar for Data Privacy and Security

It has been a little shy of a year since the State of New York signed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. The act puts the emphasis on companies to safeguard New York residents’ data.

This legislation is one of several laws passed at the state level in the USA to protect people from companies that are increasingly exposed to threats and continually lack protection. A lot of people are now working from home, and in such situations the harm done by breaches shoots up as well. Fortunately, the SHIELD law is a drastic improvement on a situation in which businesses have for so long disregarded the protection and privacy of their customers.


The SHIELD Act was signed into law on 25 July 2019; it was adopted and entered into force on 21 March 2020. The new law mandates that companies managing private information about New York residents introduce a “cybersecurity program” aimed at preventing data breaches.

The act amends New York’s general business law and state technology law, setting the standard for protecting personal information and for giving notice of a security breach whenever one takes place.

Here are some fundamental changes that one can expect and witness:

  1. The definition of “private information” now extends to information such as biometric information and a user name/email address in conjunction with a password or security questions and answers.
  2. The definition of “data infringement” is broadened and now includes “access or acquisition of unauthorized data.” Before this amendment, it was confined to “acquiring” data, which set a higher burden of evidence for establishing an infringement. With this change, an event in which cybercriminals have access to data may be deemed a privacy infringement even though there is no proof that the attackers acquired the data.
  3. The act extends the period within which the New York Attorney General may bring an action in response to a violation of the SHIELD Act from two to three years, counted from the date of the notice of the breach or the day on which the Attorney General becomes aware of the offense, whichever occurs first.
  4. Also, the penalties for failure to notify affected people of a data breach are raised to $5,000 or $20 per incident, up to a maximum of $250,000.

The Impact: Who Is Affected?


Any person or company that owns or licenses computerized data containing private information about residents of New York is subject to the new law. This includes biometric information, unsecured health information, financial account numbers, and email addresses linked to passwords or security questions and answers.

The law applies to all New York companies and to companies outside New York that use private information about New York residents.

Data Breach Notification Requirements

As part of the SHIELD Act, companies must notify residents of New York when their data may have been compromised in a breach. The notice must be made “as expeditiously as possible and without unreasonable delay.” The new law requires notification when private information has only been “accessed,” even if there is no evidence of “acquisition” of the data by unauthorized parties. As a result, the number of breaches requiring notification can increase significantly.

If the data breach incident involves the critical user information of over 500 New Yorkers, the breached company must send reports to the Attorney General of New York within ten business days of identifying the breach.

Security and Data Privacy Requirements

The SHIELD Act requires companies to develop, implement, and maintain adequate safeguards to protect the security, confidentiality, and integrity of New York residents’ personal data.

The requirements fall into three categories of safeguards: administrative, technical, and physical.

Administrative Safeguards

  • Appoint one or more employees to manage the cybersecurity program.
  • Choose service providers that can effectively maintain suitable safeguards, and secure that protection through contracts.
  • Adapt the security program to take into account changes in business activity or new circumstances.
  • Evaluate internal and external security risks and assess the effectiveness of existing safeguards to identify potential hazards.
  • Provide the necessary training, and equip the team with the practices and procedures needed to carry out an effective security program.


Technical Safeguards 

  • Evaluate network and software development risks.
  • Regularly test and monitor the effectiveness of essential controls, systems, and procedures.
  • Assess risks in processing, transferring, and storing information.
  • Identify, prevent, and respond to failures or attacks.

Physical Safeguards

  • Promptly assess storage and material disposal risks.
  • Ensure that possible intrusions are detected, prevented, and responded to.
  • Safeguard against unauthorized access to or use of private information during or after its collection, transportation, and destruction or disposal.
  • Dispose of private information held for business purposes within a reasonable period, erasing the electronic media so that the information on it cannot be read or reconstructed.

Relief for Small Businesses

The SHIELD Act gives some relief to small enterprises: those with fewer than 50 employees and less than $3 million in gross annual income over the past three years, or less than $5 million in total yearly assets. They are required to implement “reasonable” administrative, technical, and physical safeguards based on the size and complexity of the business and the sensitivity of the data they use. Enterprises above these limits must meet all the conditions set out in the new legislation and can benefit massively under this act.

How Can ExpandForce Make a Difference?

Learn more about the SHIELD Act from our team of security experts, who can help you understand everything in detail. You can also draw on ExpandForce expertise to make changes to your security environment swiftly. Get on a call with us to know more: (954) 271-5970. Or, email us:
