What Is the New York State SHIELD Act?

Doing business in NY State? Are you aware of the NY State SHIELD act? What are the impacts on Rhode Island businesses?

What Is the New York State SHIELD Act?

Cyberattacks cases continue to rise each day. Each subsequent attack has become more sophisticated costing businesses millions. With recent and past incidents in mind, the need to protect personal information has been heightened. To set cybersecurity standards for businesses, New York recently joined the list of states to impose their security guidelines for businesses.

The New York Shield Act is similar to a 2010 Massachusetts Law that requires businesses that collect, store, or use personal data about a Massachusetts resident to have a written information security program (WISP). Similar requirements have been enacted in Rhode Island (June 2015) and other states, including Arkansas, Nevada, Oregon, and North Carolina in recent years. Just like the New York SHIELD Act, WISP requirements were designed to prevent and respond to data security incidents and impacted organizations across the country.

Is your business located in NY or have data about NY residents — as mentioned in the following paragraph? Is your business compliant with the New York State Shield Act?

Check out our latest video to learn about the SHIELD Act:


On March 21, 2020, the cybersecurity provision, Stop Hacks and Improve Electronic Data Security Act, commonly known as the SHIELD Act, went into effect. Signed into law in July 2019, the SHIELD Act requires businesses or persons owning or licensing computerized data that includes a New York resident’s private information to create, implement, and maintain reasonable cybersecurity controls to protect the integrity and confidentiality of the private information.

What Does Private Information Entail?

Private information could be:

  • A username or an email address in combination with a password or a security question and answer that gives access to an account
  • Personal information, which because of a number, name, unique mark, or any other identifier, can be used to identify such a person. This data may include their social security number, debit or credit card number, driver’s license number, and financial account number in combination with an access code, username, password, or security code that would give access to a person’s financial account

Are There Any Compliance Exceptions for Small Businesses? Before the SHIELD Act, there were no exceptions for small businesses regarding the data breach notification rule. Companies that experience a data breach that affects New York residents’ private information are required by law to notify all affected persons. The SHIELD Act’s data security obligation defines a small business as an organization that:

  1. Has less than fifty employees.
  2. Has less than three million US dollars annual revenue in each of the past three fiscal years.
  3. Has less than five million dollars in total year-end assets, calculated following generally accepted accounting principles.

A small business is only deemed compliant with the Acts’ security requirements if it implements a cybersecurity program that includes reasonable technical, administrative, and physical safeguards. For each precaution, the act outlines procedures or actions a business should consider implementing.

Reasonably Administrative Safeguards:

  • Designating employees to coordinate the organization’s security program.
  • Identifying reasonable and foreseeable external and internal cybersecurity risks.
  • Assessing the adequacy of the security controls in place to minimize the identified risks.
  • Managing and training employees in cybersecurity policies and procedures.
  • Selecting and contracting service providers who are capable of maintaining appropriate safeguards.
  • Updating and adjusting the security program to meet your changing business circumstances.

Reasonable Technical Safeguards:

  • Evaluating risks in system and software design.
  • Assessing risks in data processing, transmission, and storage.
  • Detecting, responding to, or preventing network attacks and failures.
  • Regularly tracking and testing the efficiency of crucial security controls, procedures, or systems.

Reasonable Physical Safeguards:

  • Assessing the risks of information storage and disposal.
  • Detecting, responding to, and preventing system intrusions.
  • Safeguarding against unauthorized access or use of private data during the collection, transportation, or disposal of the information.
  • Disposal of private information within a reasonable time frame once it’s no longer needed for business purposes.
  • Erasing electronic data in a way that it cannot be reconstructed or read.

Businesses are also required to be compliant with the SHIELD Act security requirements if the enterprises are subject to the following data other security regulations;

  1. The Health Insurance Portability and Accountability Act (HIPAA).
  2. The Health Information Technology for Economic and Clinical Health Act (HITECH).
  3. The Cybersecurity Requirements for Financial Services established by New York’s Department of Financial Services.
  4. Other data security regulations and laws.

What’s The Cost of Non-Compliance? Businesses that are non-compliant with the SHIELD Act are liable for the civil penalty of up to 5,000 dollars per violation.

To avoid these penalties, your company should implement and maintain acceptable cybersecurity practices.

Looking To Partner With a Reliable NY SHIELD Act Compliance Partner In Rhode Island?

Do you have any questions regarding the SHIELD Act, or are you thinking of compliance? At Technology Advisory Group, we offer years of expertise and experience in providing compliance solutions to Rhode Island and New England businesses.

Consult with us today or call us on (401) 228-6400 to get familiar with the SHIELD Act compliance and ultimately become compliant.

Schedule Your Cloud Services Consultation

Ready to make a move to the cloud?  TAG is ready to help with any or all cloud services from a private cloud, public cloud, or Microsoft 365 services.