New York's Stop Hacks and Improve Electronic Data Security Act — universally known as the SHIELD Act — substantially expanded the data security obligations of businesses holding New York residents' private information when its data security requirements took effect March 21, 2020 (the breach-notification provisions having taken effect October 23, 2019; the Act was signed July 25, 2019). For NYC businesses and any organization that touches New York consumer data, the SHIELD Act represents the most immediate and operationally significant state data security obligation outside of the sector-specific NY DFS Cybersecurity Regulation.
Unlike many state privacy laws that have high revenue or data volume thresholds, the SHIELD Act applies to virtually any business that owns or licenses private information about New York residents — regardless of where the business is located or how small it is.
How the SHIELD Act Differs From Prior New York Law
Before the SHIELD Act, New York's data protection framework consisted primarily of General Business Law Section 899-aa, which addressed breach notification obligations but did not require businesses to implement specific security programs. The SHIELD Act made two fundamental changes:
- Proactive security requirement: For the first time, New York law affirmatively requires covered businesses to implement a data security program, not just respond to breaches after they occur.
- Expanded definition of private information: The SHIELD Act broadened the categories of data whose breach triggers notification obligations, adding biometric information, username/password combinations, and account numbers with security codes even without a name.
Who Is Covered
The SHIELD Act applies to any person or business that owns or licenses computerized data that includes private information of a resident of New York. The geographic reach is broad: a business headquartered in California, Texas, or internationally that maintains a database containing New York residents' private information is subject to the SHIELD Act's requirements.
There is no revenue threshold and no minimum number of New York residents to trigger coverage. If you hold even a single New York resident's private information, you are technically covered — though enforcement realistically focuses on businesses with meaningful volumes of New York consumer data.
What Constitutes "Private Information" Under SHIELD
The SHIELD Act's definition of private information is broader than many businesses realize. It includes any information that, in combination with a New York resident's name (or identifying number), would be sensitive:
- Social Security number
- Driver's license number or non-driver ID card number
- Account number, credit or debit card number combined with any required security code or password
- Financial account numbers combined with access credentials
- Biometric information
- Username or email address combined with a password or security question answer
- Medical information or health insurance information
Notably, the last category of username/email with password is particularly broad — it captures standard user account credentials, meaning virtually any consumer-facing application holds SHIELD-covered data.
The Reasonable Security Program Requirement
The SHIELD Act requires covered businesses to implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of private information, including disposal of data. Businesses may satisfy this requirement by complying with any of several recognized frameworks: the NY DFS Cybersecurity Regulation, GLBA Safeguards Rule, HIPAA Security Rule, or by implementing a program containing three categories of safeguards:
Administrative Safeguards
- Designate one or more employees to coordinate the security program
- Identify reasonably foreseeable internal and external risks
- Assess sufficiency of existing safeguards
- Train and manage employees in security program practices
- Select and retain service providers capable of maintaining appropriate safeguards
- Adjust the security program in light of business changes or circumstances
Technical Safeguards
- Assess network and software design risks
- Assess information processing, transmission, and storage risks
- Detect, prevent, and respond to attacks or system failures
- Regularly test and monitor the effectiveness of controls
Physical Safeguards
- Assess risks of information storage and disposal
- Detect, prevent, and respond to intrusions
- Protect against unauthorized access to or use of private information during or after collection, transportation, and disposal
- Dispose of private information within a reasonable time after it is no longer needed
Breach Notification Requirements
When a covered business experiences a breach of private information, the SHIELD Act requires notification to affected New York residents in the most expedient time possible and without unreasonable delay. As amended effective December 21, 2024, the statute requires that this notification be made within 30 days of discovery, subject only to the legitimate needs of law enforcement (N.Y. Gen. Bus. Law § 899-aa(2)) — a hard statutory deadline set by the Legislature, not an Attorney General interpretation.
Notification must also be provided to the New York Attorney General, the Department of State, and the Division of State Police whenever any New York resident is notified of a breach — there is no minimum resident count — and to consumer reporting agencies when more than 5,000 New York residents are notified at one time. Substitute notification (email, website notice, or statewide media) is permitted when the cost of notification would exceed $250,000 or the affected class to be notified exceeds 500,000.
Small Business Considerations
The SHIELD Act includes a tailored compliance path for small businesses. A small business — defined as one with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets — satisfies the security program requirement by implementing a security program that contains reasonable administrative, technical, and physical safeguards appropriate for the size and complexity of the business.
Attorney General Enforcement
The New York Attorney General has exclusive enforcement authority under the SHIELD Act and may pursue civil penalties of up to $5,000 per violation for failing to maintain reasonable data-security safeguards (N.Y. GBL § 899-bb, enforced via §§ 349 and 350-d). For breach-notification failures that are knowing or reckless, courts may impose the greater of $5,000 or up to $20 per instance of failed notification, with the per-instance amount capped at $250,000 (N.Y. GBL § 899-aa(6)). The AG has been active in enforcement, particularly following breaches that affect large numbers of New York residents.
For NYC businesses building out their data security programs, a virtual CISO engagement is an efficient way to establish the administrative, technical, and physical safeguards the SHIELD Act requires without the overhead of a full-time hire. Contact Fortress MSSP to discuss your organization's SHIELD Act compliance posture.