New York has emerged as one of a handful of states leading the way in requiring organizations to implement robust data security controls to protect its’ residents most sensitive data. The trends indicate a clear departure from simply recommending best practices to mandating data security compliance via regulation. This is evident with the recent passage of New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”). 


Key Dates on Data Security Measures 

July 25, 2019 – SHIELD Act signed into law.

Oct. 23, 2019 – Revised data breach notification requirements in effect.

March 21, 2020 – Those subject to the SHIELD Act are required to adopt specific data security controls.


Who Must Comply with Data Protection Requirements?

Every employer with employees in New York must comply with the SHIELD Act. In addition, it expands its territorial application to businesses that do not have a New York presence but maintain the private information of New York residents. "Private information" is defined to include data elements such as social security numbers, driver's license numbers, payment card numbers, financial account numbers, biometric information, and username or e-mail address with a password that permits access to an online account.*

There are certain exemptions. Some companies that are already subject to other data security regulation, such as the Gramm-Leach Bliley Act, HIPAA or New York State Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies may be deemed compliant with the SHIELD Act. Organizations should consult with legal counsel to determine whether or not their organization meets these compliance requirements and whether or not this exemption may apply.


While New York is leading the charge on data compliance with the SHIELD Act, other states will soon follow suit. Stay up-to-date on the latest in cyber security with the Cyber Insight Series.

Learn More

What Safeguards are Required in Data Security Programs?

Organizations will be required to focus on three key areas in developing their data security program**

Administrative Safeguards

  • Designate one or more employees to coordinate the security program;
  • Identify reasonably foreseeable internal and external risks;
  • Assess the sufficiency of safeguards in place to control the identified risks;
  • Train and manage employees in the security program practices and procedures;
  • Select service providers capable of maintaining appropriate safeguards, and require those safeguards by contract; and
  • Adjust the security program in light of business changes or new circumstances.

Technical Safeguards

  • Assess risks in network and software design;
  • Assess risks in information processing, transmission and storage;
  • Detect, prevent, and respond to attacks or system failures; and
  • Regularly test and monitor the effectiveness of key controls, systems, and procedures.

Physical Safeguards

  • Assess risks of information storage and disposal;
  • Detect, prevent, and respond to intrusions;
  • Protect against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information; and
  • Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
The SHIELD Act also expands the definition of "breach." It now defines "breach of the security of the system" to include unauthorized "access" of computerized data that compromises the security, confidentiality, or integrity of private information, and it provides sample indicators of access.

Penalties for Data Security Non-Compliance

The New York Attorney General will oversee enforcement and can impose a civil penalty of up to $5,000 per data security violation, with no cap on the total penalty. There can be several data “violations”, leading to multiple and unlimited $5,000 fines. In addition, a company may be fined up to $250,000 for failing to comply with the Attorney General’s notification requirements when a breach occurs.

* The Regulation (23 NYCRR 500.01(f)) defines Nonpublic Information to include data/information such as: Business-related information of a Covered Entity; information concerning an individual (e.g. name, number, personal mark, social security number, drivers’ license number or non-driver identification card number, financial accounts information, etc.)