What the NY SHIELD Act Means for Your Business 

New York’s SHIELD Act — Stop Hacks and Improve Electronic Data Security — expanded the state’s data breach notification requirements and created affirmative security obligations for every business that holds private information about New York residents. It applies regardless of where your business is incorporated or headquartered. If you have customers, employees, or any data subjects in New York, the law covers you. Even if you’re a five-person company in Olean. 

We are Acme Business. We help businesses across Western New York and Northern Pennsylvania understand and meet their SHIELD Act obligations as part of our compliance support services. Here’s what the law actually requires, in language that doesn’t require a law degree. 

Who the SHIELD Act Applies To 

The SHIELD Act covers any person or business that owns or licenses computerized data that includes “private information” about New York residents. Private information is broadly defined to include: Social Security numbers, financial account numbers, biometric data, usernames and passwords, and health information. If you hold any of this about any New York resident — including your own employees — you are covered. 

There is no small business exemption from coverage, though the law acknowledges that what constitutes “reasonable safeguards” scales with the size and complexity of the organization. The obligation exists. The question is proportionate, good-faith compliance. 

What ‘Reasonable Safeguards’ Means in Practice 

The SHIELD Act requires covered businesses to implement and maintain a data security program with reasonable administrative, technical, and physical safeguards. Here’s what each category actually requires: 

Administrative safeguards: Designate someone responsible for your security program. Identify reasonably foreseeable internal and external risks to private information. Assess whether existing safeguards are adequate. Train employees on security practices. Vet service providers to confirm they maintain appropriate safeguards. 

Technical safeguards: Assess risks in how you design and operate your network and software. Assess risks in how you process, transmit, and store information. Detect, prevent, and respond to attacks or system failures. Regularly test and monitor the effectiveness of your technical controls. 

Physical safeguards: Assess risks of information storage and disposal. Detect, prevent, and respond to intrusions. Protect against unauthorized access to private information during collection, transport, and disposal. Dispose of private information securely when it’s no longer needed. 

Breach Notification Requirements 

The SHIELD Act expanded New York’s breach notification law in two significant ways: it broadened the definition of private information to cover more categories of data, and it added notification obligations for out-of-state businesses holding data about New York residents. In the event of a qualifying breach, affected New York residents must be notified “in the most expedient time possible,” and the NY Attorney General, Department of State, and other applicable agencies must be notified. Unreasonable delays in notification are treated as independent violations. 

Penalties for Non-Compliance 

Failure to implement reasonable safeguards — or to provide required breach notifications — can result in civil penalties of up to $5,000 per violation. Per record. For a breach affecting even a few hundred customers, that exposure can become significant quickly. The Attorney General may also seek injunctive relief compelling the implementation of a security program. 

The Good News: Managed IT Gets You Most of the Way There 

Here’s the practical reality for most businesses in our region: if you’re running a properly configured managed IT environment with current cybersecurity tools, you’re likely meeting a large proportion of the SHIELD Act’s technical safeguard requirements already. SentinelOne on every endpoint, a properly configured SonicWall firewall with logging enabled, Microsoft 365 with MFA enforced, and tested backups — these are precisely the technical controls the law is looking for. 

The most common gaps are in the administrative and documentation layers: a written security program, documented risk assessments, vendor agreements with security provisions, employee training records, and an incident response plan. These aren’t technically complex, but they require deliberate attention. We help clients close both the technical and documentation gaps as part of our compliance support services. 

Reach out to learn more about how we can help you at: Contact Us.