What is the NY SHIELD Act?
The NY SHIELD Act (Stop Hacks and Improve Electronic Data Security Act), effective March 2020, expands data breach notification requirements and mandates reasonable security safeguards for businesses handling New York residents’ private information. It applies to any person or business that owns or licenses computerized data including private information of NY residents — with no size threshold.
For technology companies, the SHIELD Act is significant because it applies regardless of where the business is located. If you hold private information of New York residents, you must implement reasonable safeguards and comply with expanded breach notification requirements.
Who Must Comply
The SHIELD Act’s reach is broad — any business holding NY residents’ private information must comply, regardless of location or size:
- Any business — that owns or licenses computerized data including private information of a New York resident
- No location requirement — applies regardless of where the business is physically located
- No size threshold — applies to businesses of all sizes (though small businesses have a safe harbor)
Three Safeguard Categories
The SHIELD Act requires businesses to implement “reasonable” safeguards across three categories. The standard is proportional to the size and complexity of the business and the nature of the data held.
| Safeguard Category | Requirements | Focus |
|---|---|---|
| Administrative | Designate coordinator, identify risks, train employees, select service providers, adjust program | Organizational management and oversight of data security |
| Technical | Assess network/software risks, assess data processing/transmission/storage risks, detect/prevent/respond to attacks, test/monitor controls | Technology-based protections for private information |
| Physical | Assess risks of information storage/disposal, detect/prevent/respond to intrusions, protect against unauthorized access during/after data collection, dispose of private information | Physical protection of information and systems |
Administrative Safeguards
Administrative safeguards address the organizational practices for protecting private information.
| Requirement | Description |
|---|---|
| Designate Coordinator | Designate one or more employees to coordinate the data security program |
| Identify Risks | Identify reasonably foreseeable internal and external risks to the security of private information |
| Train Employees | Train and manage employees in security program practices and procedures |
| Select Service Providers | Select service providers capable of maintaining appropriate safeguards and require safeguards by contract |
| Adjust Program | Adjust the data security program in light of business changes or new circumstances |
Technical Safeguards
Technical safeguards address the technology-based protections for private information.
| Requirement | Description |
|---|---|
| Network and Software Risks | Assess risks in network and software design |
| Data Processing Risks | Assess risks in information processing, transmission, and storage |
| Attack Detection and Response | Detect, prevent, and respond to attacks or system failures |
| Testing and Monitoring | Regularly test and monitor the effectiveness of key controls, systems, and procedures |
Physical Safeguards
Physical safeguards address the physical protection of information and the systems that process it.
| Requirement | Description |
|---|---|
| Storage and Disposal Risks | Assess risks of information storage and disposal |
| Intrusion Detection | Detect, prevent, and respond to intrusions |
| Unauthorized Access Protection | Protect against unauthorized access to or use of private information during or after the collection, transportation, and destruction of the information |
| Disposal of Private Information | Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes |
Small Business Safe Harbor
The SHIELD Act provides a safe harbor for small businesses. A business qualifies if it meets any one of the following criteria:
- Fewer than 50 employees
- Less than $3 million in gross annual revenue for each of the last three fiscal years
- Less than $5 million in year-end total assets
Qualifying small businesses may implement a security program that is appropriate for their size and complexity, rather than meeting every element of the full safeguards standard.
Readiness Assessment Checklist
Before engaging in a SHIELD Act readiness assessment, evaluate where your organization stands against the following questions:
- Has a data inventory of NY residents’ private information been completed?
- Is a designated security coordinator in place?
- Has a risk assessment of internal and external threats been conducted?
- Is an employee training program documented with completion records?
- Do service provider contracts require appropriate safeguards?
- Are incident response and breach notification procedures documented and tested?
If you can’t confidently answer “yes” to most of these, a readiness sprint will get you there.
Next step: See our readiness process to understand how we help technology companies prepare for NY SHIELD Act compliance.