Controls & Evidence
NY SHIELD Act readiness evaluates your controls across multiple domains. For each domain, reviewers look for evidence that controls are designed properly and operating effectively. Below are the core control domains with minimum requirements and example evidence artifacts.
What reviewers look for: Reviewers don't just check that policies exist. They verify that controls are operating as described, that evidence is produced on schedule, and that gaps are tracked and remediated. The evidence examples below show what "operating effectiveness" looks like in practice.
Implement organizational measures to protect private information through personnel management, risk identification, and vendor oversight as required by N.Y. GBL § 899-bb(2)(b)(i).
Requirements
- Designate employee(s) to coordinate the data security program (§ 899-bb(2)(b)(i)(A))
- Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of private information (§ 899-bb(2)(b)(i)(B))
- Assess the sufficiency of safeguards in place to control the identified risks (§ 899-bb(2)(b)(i)(B))
- Train and manage employees in security program practices and procedures (§ 899-bb(2)(b)(i)(C))
- Select service providers capable of maintaining appropriate safeguards and require those safeguards by contract (§ 899-bb(2)(b)(i)(E))
Evidence Examples
| Artifact | Owner | Frequency |
| --- | --- | --- |
| Formal appointment letter or role description for designated security program coordinator(s) | Chief Information Security Officer | Annually reviewed |
| Internal and external risk register with risk scoring and mitigation status | Security Program Coordinator | Quarterly |
| Vendor security assessment reports and contractual safeguard addenda | Vendor Management Lead | Per vendor onboarding and annually |
| Employee security training completion records with attendance and comprehension verification | Human Resources Manager | Annually |
Deploy technology-based protections to assess risks in systems and data flows, detect threats, and verify control effectiveness as required by N.Y. GBL § 899-bb(2)(b)(ii).
Requirements
- Assess risks in network and software design (§ 899-bb(2)(b)(ii)(A))
- Assess risks in information processing, transmission, and storage (§ 899-bb(2)(b)(ii)(B))
- Detect, prevent, and respond to attacks or system failures (§ 899-bb(2)(b)(ii)(C))
- Regularly test and monitor the effectiveness of key controls, systems, and procedures (§ 899-bb(2)(b)(ii)(D))
Evidence Examples
| Artifact | Owner | Frequency |
| --- | --- | --- |
| Network architecture diagrams with annotated security control placement and data flow paths | Network Security Engineer | Annually and after significant changes |
| Vulnerability scan and penetration test reports with remediation tracking | Information Security Manager | Quarterly scans, annual penetration tests |
| Intrusion detection/prevention system (IDS/IPS) alert logs and incident response records | Security Operations Center Lead | Ongoing with monthly review |
| Encryption implementation records for data in transit and at rest | Systems Administrator | Semi-annually reviewed |
Protect private information through physical access controls, intrusion detection, and secure handling throughout its lifecycle as required by N.Y. GBL § 899-bb(2)(b)(iii).
Requirements
- Assess risks of information storage and disposal (§ 899-bb(2)(b)(iii)(A))
- Detect, prevent, and respond to intrusions (§ 899-bb(2)(b)(iii)(B))
- Protect against unauthorized access to or use of private information during or after collection, transportation, and destruction (§ 899-bb(2)(b)(iii)(C))
- Dispose of private information within a reasonable time after it is no longer needed for business purposes (§ 899-bb(2)(b)(iii)(D))
Evidence Examples
| Artifact | Owner | Frequency |
| --- | --- | --- |
| Physical access control logs for facilities housing private information (badge swipe, biometric) | Facilities Security Manager | Ongoing with monthly review |
| Physical intrusion detection system records and alarm response documentation | Facilities Security Manager | Ongoing |
| Secure media transportation procedures and chain-of-custody logs | Records Management Lead | Per transport event |
| Physical storage inventory documenting locations of private information and access restrictions | Information Security Manager | Semi-annually |
Notify affected New York residents, state agencies, and consumer reporting agencies of security breaches involving private information as required by N.Y. GBL § 899-aa.
Requirements
- Provide expedient notification to affected New York residents following discovery of a breach of private information (§ 899-aa(2))
- Notify the Attorney General, Department of Financial Services, and Division of State Police within a reasonable time (§ 899-aa(8))
- Use required notification methods: written notice, electronic notice, or telephone, with substitute notice available under specified conditions (§ 899-aa(5))
- Include required content in notifications: description of the incident, categories of information compromised, contact information for the notifying entity, and contact information for relevant government agencies (§ 899-aa(7))
- Notify consumer reporting agencies when a breach affects more than 5,000 New York residents (§ 899-aa(4))
Evidence Examples
| Artifact | Owner | Frequency |
| --- | --- | --- |
| Breach notification templates pre-approved by legal counsel covering all required content elements | Privacy Counsel | Annually reviewed |
| State agency notification records with submission timestamps to AG, DFS, and DOS | Chief Privacy Officer | Per breach event |
| Incident response playbook with breach classification criteria and notification decision tree | Chief Information Security Officer | Annually reviewed |
| Consumer reporting agency notification records for breaches exceeding 5,000 affected residents | Chief Privacy Officer | Per qualifying breach event |
Identify and inventory all categories of private information held, determine organizational applicability, and document data flows involving New York resident data under N.Y. GBL § 899-aa(1).
Requirements
- Inventory all private information categories held, including the SHIELD Act's expanded definition covering biometric data, email addresses combined with passwords or security questions, and account numbers combined with security or access codes (§ 899-aa(1)(b))
- Determine applicability: the law covers any person or business that owns or licenses computerized data including the private information of a New York resident (§ 899-aa(1)(a))
- Document data flows that cross New York resident private information, including collection points, processing locations, storage systems, and third-party transfers
- Maintain current data inventory reflecting changes to information holdings, systems, and business processes
Evidence Examples
| Artifact | Owner | Frequency |
| --- | --- | --- |
| Private information inventory mapping all data categories to the statutory definition with system locations | Data Governance Lead | Semi-annually |
| Data flow diagrams showing collection, processing, storage, and transfer of NY resident private information | Enterprise Architect | Annually and after significant system changes |
| Applicability assessment documenting organizational scope and jurisdictional analysis | Privacy Counsel | Annually |
Systematically identify, evaluate, and prioritize risks to the security, confidentiality, and integrity of private information as required by N.Y. GBL § 899-bb(2)(b).
Requirements
- Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of private information (§ 899-bb(2)(b))
- Document the risk assessment methodology, including criteria for risk identification, likelihood, and impact scoring
- Evaluate existing controls against identified risks to determine safeguard sufficiency (§ 899-bb(2)(b)(i)(B))
- Prioritize remediation of gaps where existing safeguards do not adequately address identified risks
Evidence Examples
| Artifact | Owner | Frequency |
| --- | --- | --- |
| Risk assessment report documenting identified threats, vulnerabilities, likelihood, impact, and risk ratings | Information Security Manager | Annually |
| Risk assessment methodology document specifying the framework, scoring criteria, and assessment scope | Chief Information Security Officer | Annually reviewed |
| Gap remediation plan with prioritized action items, responsible parties, and target completion dates | Security Program Coordinator | Quarterly updates |
| Control effectiveness evaluation mapping existing safeguards to identified risks with sufficiency ratings | Information Security Manager | Annually |
Establish and maintain a security awareness training program for employees who handle private information as required by N.Y. GBL § 899-bb(2)(b)(i)(C).
Requirements
- Provide security awareness training for all employees who handle private information (§ 899-bb(2)(b)(i)(C))
- Train employees on company security policies and procedures applicable to their roles
- Train employees to identify and report security incidents, including phishing, social engineering, and unauthorized access
- Deliver ongoing training updates to address evolving threats and changes to security practices
Evidence Examples
| Artifact | Owner | Frequency |
| --- | --- | --- |
| Training curriculum and materials covering security policies, threat recognition, and incident reporting | Security Program Coordinator | Annually updated |
| Employee training completion records with dates, topics covered, and comprehension verification results | Human Resources Manager | Per training event |
| Phishing simulation results and follow-up remediation training records | Information Security Manager | Quarterly |
| New hire security orientation completion records | Human Resources Manager | Per onboarding event |
Ensure timely and secure disposal of private information when it is no longer needed for business purposes as required by N.Y. GBL § 899-bb(2)(b)(iii)(D).
Requirements
- Dispose of private information within a reasonable time after it is no longer needed for business purposes (§ 899-bb(2)(b)(iii)(D))
- Use secure destruction methods appropriate to the media type, including shredding for paper records, degaussing for magnetic media, and cryptographic wiping or physical destruction for digital storage
- Verify vendor disposal practices when third parties are engaged for destruction services
- Maintain disposal logs documenting what was destroyed, the method used, the date of destruction, and responsible personnel
Evidence Examples
| Artifact | Owner | Frequency |
| --- | --- | --- |
| Data retention and disposal policy specifying retention periods and authorized destruction methods by data type | Records Management Lead | Annually reviewed |
| Disposal event logs with date, method, media description, and attestation of destruction | Records Management Lead | Per disposal event |
| Third-party disposal vendor certificates of destruction | Vendor Management Lead | Per disposal event |
| Retention schedule mapping private information categories to retention periods and triggering events | Privacy Counsel | Annually reviewed |
Evidence Naming Conventions
Organized, traceable evidence is critical for a smooth review. Adopting a consistent convention makes evidence retrieval faster and reduces friction.
Recommended format:
ControlID_System_ArtifactType_YYYY-MM-DD_Period_Owner_v#
Key principles for evidence management:
- Centralized repository with access control and version history
- Consistent naming across all control domains and artifact types
- Defined cadence for each evidence type: event-driven, monthly, quarterly, or annual
- Immutable exports where possible to demonstrate evidence integrity
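A small validator for the naming convention above, together with a SHA-256 manifest that supports the "immutable exports" principle, as an added example that is not part of this page or of any product it describes. The field order follows the recommended format exactly; the ControlID pattern (letters, a dash, two digits, e.g. ORG-01), the allowed Period vocabulary, and the sample file names are assumptions made for this example.

```python
"""Validate evidence file names against ControlID_System_ArtifactType_YYYY-MM-DD_Period_Owner_v#
and produce a SHA-256 manifest so exported evidence can later be shown to be unchanged.

Added example, not code from the original page. The ControlID pattern, the
Period vocabulary and the sample names below are assumptions for illustration.
"""
import hashlib
import re
from dataclasses import dataclass
from datetime import date

# Assumed cadence vocabulary, mirroring the event-driven/monthly/quarterly/annual cadences above.
ALLOWED_PERIODS = {"EVENT", "MONTHLY", "QUARTERLY", "ANNUAL"}

# One named group per field of the convention, joined by its underscore separators.
# The ControlID shape (2-5 capital letters, dash, two digits) is an assumption for this example.
NAME_RE = re.compile(
    r"^(?P<control_id>[A-Z]{2,5}-\d{2})"
    r"_(?P<system>[A-Za-z0-9]+)"
    r"_(?P<artifact>[A-Za-z0-9]+)"
    r"_(?P<artifact_date>\d{4}-\d{2}-\d{2})"
    r"_(?P<period>[A-Z]+)"
    r"_(?P<owner>[A-Za-z0-9]+)"
    r"_v(?P<version>\d+)"
    r"(?P<ext>\.[A-Za-z0-9]+)?$"
)


@dataclass(frozen=True)
class EvidenceName:
    control_id: str
    system: str
    artifact: str
    artifact_date: date
    period: str
    owner: str
    version: int
    ext: str


def parse_evidence_name(name: str) -> EvidenceName:
    """Parse one file name; raise ValueError stating why it fails the convention."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError("does not match ControlID_System_ArtifactType_YYYY-MM-DD_Period_Owner_v#")
    try:
        when = date.fromisoformat(m["artifact_date"])  # rejects impossible dates such as 2024-13-01
    except ValueError:
        raise ValueError(f"invalid calendar date {m['artifact_date']}") from None
    if m["period"] not in ALLOWED_PERIODS:
        raise ValueError(f"unknown period {m['period']}; expected one of {sorted(ALLOWED_PERIODS)}")
    version = int(m["version"])
    if version < 1:
        raise ValueError("version numbers start at v1")
    return EvidenceName(m["control_id"], m["system"], m["artifact"], when,
                        m["period"], m["owner"], version, m["ext"] or "")


def validate_names(names):
    """Split a batch of names into parsed records and a {name: reason} map of rejections."""
    accepted, rejected = [], {}
    for n in names:
        try:
            accepted.append(parse_evidence_name(n))
        except ValueError as exc:
            rejected[n] = str(exc)
    return accepted, rejected


def sha256_manifest(exports):
    """Hash each export (name -> bytes) so a reviewer can later prove it is unchanged."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in exports.items()}


def verify_manifest(exports, manifest):
    """Return the names whose current bytes no longer match the recorded digest."""
    current = sha256_manifest(exports)
    return sorted(n for n, digest in manifest.items() if current.get(n) != digest)


# Constructed sample names: two conforming, four with distinct defects.
SAMPLE_NAMES = [
    "ORG-01_HRIS_TrainingRecord_2024-03-31_ANNUAL_HRManager_v1.pdf",
    "TECH-02_ScanPlatform_VulnScan_2024-06-30_QUARTERLY_InfoSecMgr_v2.csv",
    "TECH-02_ScanPlatform_VulnScan_2024-13-01_QUARTERLY_InfoSecMgr_v1.csv",  # month 13
    "PHYS-03_BadgeSystem_AccessLog_2024-05-31_WEEKLY_FacMgr_v1.csv",          # unknown period
    "PHYS-03_BadgeSystem_AccessLog_2024-05-31_MONTHLY_FacMgr_v0.csv",         # version 0
    "vulnscan-final.pdf",                                                      # no structure
]

if __name__ == "__main__":
    ok, bad = validate_names(SAMPLE_NAMES)
    for rec in ok:
        print("OK  ", rec.control_id, rec.artifact, rec.artifact_date, f"v{rec.version}")
    for name, reason in bad.items():
        print("FAIL", name, "->", reason)
```

Run it against the file names in the evidence repository before a review; anything in the rejected map is either misnamed or missing a field the reviewer will ask for. Record the manifest alongside the export at the time evidence is produced, and re-run verify_manifest when the evidence is handed over, so that a changed or regenerated artifact is detected rather than assumed unchanged.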
AI and data companies: Standard controls are the baseline. See the AI-specific advisory modules for additional controls addressing data governance, prompt logging, RAG security, and model vendor risk.