New York SHIELD Act: Cybersecurity Obligations for Businesses

The New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, signed into law in July 2019 and effective March 21, 2020, imposes data security program requirements and expanded breach notification obligations on any business that holds private information about New York residents — regardless of whether that business is incorporated or physically located in the state. The Act amended New York General Business Law §§ 899-aa and 899-bb, broadening both the definition of covered data and the pool of covered entities. Understanding the SHIELD Act's structure is essential for any organization that processes, stores, or transmits personal information tied to New York residents.


Definition and Scope

The SHIELD Act operates under New York General Business Law § 899-bb and applies to any "person or business" that owns or licenses computerized data that includes the "private information" of New York residents. The geographic reach is extraterritorial: a company headquartered in California, Texas, or any other jurisdiction is subject to the Act if it maintains data on individuals whose state of residence is New York.

"Private information" under the Act encompasses two categories:

  1. Social Security numbers, driver's license or non-driver identification card numbers, account numbers combined with access codes or passwords, biometric information, and username/email address combined with a password or security question-and-answer — when not encrypted.
  2. Any information that, in combination, can be used to identify an individual and that would be reasonably expected to cause harm if disclosed.

The SHIELD Act expanded the prior definition under § 899-aa by adding biometric information and username-or-email-address-plus-password combinations to the category of protected data. This expansion directly responds to the credential-stuffing attacks that dominated enforcement attention in the years preceding the statute's passage.

Scope limitations: The Act governs obligations related to New York residents' data. It does not govern federal data security obligations under HIPAA, the Gramm-Leach-Bliley Act, or the Payment Card Industry Data Security Standard (PCI DSS), although compliance with those frameworks may satisfy certain SHIELD Act requirements (see Classification Boundaries). For the broader regulatory context governing cybersecurity in the state, see Regulatory Context for New York Cybersecurity. Obligations specific to financial entities regulated by the New York Department of Financial Services are addressed separately under 23 NYCRR 500.


Core Mechanics or Structure

The SHIELD Act creates two parallel obligation structures:

1. Reasonable Data Security Program

Any business that owns or licenses private information of New York residents must implement and maintain a data security program containing "reasonable" administrative, technical, and physical safeguards. New York General Business Law § 899-bb(2) specifies the following components:

Administrative safeguards:
- Designation of one or more employees to coordinate the security program
- Risk assessment covering internal threats from employee error and external threats
- Training and supervision of employees in security practices
- Screening of service providers who handle private information
- Adjustment of the security program in response to business changes

Technical safeguards:
- Risk assessment of network and software design
- Assessment of information processing, transmission, and storage risks
- Detection and response procedures for attacks or system failures
- Regular testing and monitoring of system controls

Physical safeguards:
- Assessment of risks related to storage and disposal of information
- Intrusion detection and response for physical access
- Disposal of private information within a reasonable time after it is no longer needed, using destruction methods that render data unreadable

2. Amended Breach Notification Requirements

The SHIELD Act also amended § 899-aa to expand the breach notification trigger. Prior to the Act, notification was required only when a breach was reasonably believed to have occurred. The amended statute requires notification when a business "reasonably believes" private information was accessed or acquired by an unauthorized person, a broader trigger that reaches unauthorized access and not only confirmed acquisition of the data.

Notification must be made to affected New York residents "in the most expedient time possible and without unreasonable delay." Businesses with more than 500 affected New York residents must also notify the New York Attorney General, the Department of State, and the Division of State Police.


Causal Relationships or Drivers

The SHIELD Act's passage was driven by a documented acceleration in large-scale data breaches affecting New York residents. The New York Attorney General's office conducted enforcement actions under the prior § 899-aa framework — including actions against health insurers and retail platforms — that revealed the inadequacy of the prior law's narrow geographic trigger (which previously applied only to businesses "doing business" in New York) and its limited scope of covered data types.

Legislative sponsors cited the 2017 Equifax breach, which exposed Social Security numbers and financial data for approximately 147 million individuals (Equifax Settlement, FTC), as evidence that existing state law failed to compel proactive security investment. The addition of biometric data and credential pairs to covered categories was a direct legislative response to biometric data collection by employers and the rise of credential-based attacks.

The SHIELD Act aligns New York's notification standard with California's data breach law (California Civil Code § 1798.29) and reflects a broader national trend tracked by the National Conference of State Legislatures, which notes that all 50 states maintain some form of breach notification statute.

For the enforcement landscape and Attorney General actions related to this statute, New York OAG Cybersecurity Enforcement provides detailed reference coverage. The broader threat environment that shapes these legislative responses is documented at New York Cybersecurity Threat Landscape.


Classification Boundaries

The SHIELD Act creates a safe harbor for entities that are already subject to and comply with enumerated federal or state security frameworks. Compliance with any of the following satisfies the "reasonable data security program" standard under § 899-bb(2)(c):

| Framework | Governing Body | Qualifying Standard |
|---|---|---|
| HIPAA Security Rule | HHS Office for Civil Rights | 45 CFR §§ 164.302–164.318 |
| Gramm-Leach-Bliley Act Safeguards Rule | FTC / Federal Financial Regulators | 16 CFR Part 314 |
| NYDFS Cybersecurity Regulation | NY Dept. of Financial Services | 23 NYCRR Part 500 |
| PCI DSS | PCI Security Standards Council | DSS v4.0 |
| NIST Cybersecurity Framework | NIST | CSF v1.1 / v2.0 |

Entities within the safe harbor are not exempt from breach notification requirements — they must still comply with § 899-aa notification standards when a qualifying breach occurs.

Small business exemption: The Act defines a "small business" as any entity with fewer than 50 employees, less than $3 million in gross revenues in each of the 3 preceding fiscal years, or less than $5 million in year-end total assets. Small businesses satisfy the reasonable security standard if the security program is "reasonable" for the size and complexity of the business — a lower threshold than larger enterprises face, but not a full exemption. For dedicated coverage of this topic, see New York Small Business Cybersecurity.


Tradeoffs and Tensions

Flexibility versus predictability: The "reasonableness" standard gives businesses flexibility to calibrate security programs to their size and data risk, but it creates enforcement uncertainty. The Act does not specify minimum control counts, encryption algorithms, or audit frequencies. Organizations that rely on the reasonableness standard without benchmarking against a named framework (NIST CSF, ISO 27001) may find their programs challenged during an Attorney General investigation.

Extraterritorial reach versus compliance capacity: Requiring any business globally that holds New York resident data to comply imposes compliance costs on entities with limited New York nexus. A sole proprietorship based in Nevada that has 3 New York customers technically falls under the Act's security program requirement. The enforcement reality is that the Attorney General's office has focused on larger breaches, but the statutory obligation is not limited by business size or revenue (except for the modified "reasonableness" standard for small businesses).

Safe harbor reliance versus SHIELD-specific gaps: Entities that rely on GLBA or HIPAA compliance for safe harbor protection may still have data categories outside those frameworks (e.g., a healthcare provider that also collects biometric employee data unrelated to patient care) that carry SHIELD Act obligations not addressed by HIPAA alone.

The interplay between the SHIELD Act and sector-specific rules like NYDFS Cybersecurity Regulation 23 NYCRR 500 creates a layered compliance environment that affected entities must map carefully to avoid gaps.


Common Misconceptions

Misconception 1: The SHIELD Act only applies to New York-based businesses.
Correction: Section 899-bb applies to any person or business that "owns or licenses computerized data that includes private information of a resident of New York." Physical location of the business is irrelevant. The trigger is the residency of the data subject.

Misconception 2: Encryption eliminates SHIELD Act obligations.
Correction: Encrypting data at rest and in transit removes the encrypted data elements from the "private information" definition under § 899-aa, which may limit breach notification obligations when encrypted data is the only exposure. The data security program requirement under § 899-bb, however, applies regardless of whether stored data is encrypted, because the organization still holds private information.

Misconception 3: Small businesses are exempt from the SHIELD Act.
Correction: The Act creates a modified compliance standard for small businesses, not an exemption. Small businesses must still maintain a reasonable data security program, appropriately scaled. The small business definition uses three independent qualifying thresholds — meeting any one threshold qualifies the entity for the modified standard.

Misconception 4: The SHIELD Act replaced prior New York breach notification law.
Correction: The Act amended — not replaced — § 899-aa. The prior notification obligations remain in place, expanded to cover a broader set of data types and a broader geographic trigger for covered entities.

Misconception 5: SHIELD Act compliance and NYDFS 23 NYCRR 500 compliance are equivalent.
Correction: NYDFS 23 NYCRR 500 is a sector-specific regulation applying to covered financial entities licensed under New York Banking Law, Insurance Law, or Financial Services Law. SHIELD Act compliance does not satisfy 23 NYCRR 500 requirements, and vice versa, although overlap exists. Full coverage of the regulated entity landscape is available on the New York Security Authority index.


Checklist or Steps (Non-Advisory)

The following sequence reflects the structural compliance phases implied by New York General Business Law § 899-bb. This is a reference framework, not legal counsel.

Phase 1: Data Inventory and Classification
- [ ] Identify all categories of private information (as defined under § 899-aa) held by the organization
- [ ] Map data flows: collection, storage, processing, transmission, and disposal points
- [ ] Identify all third-party service providers that access or handle private information of New York residents

Phase 2: Risk Assessment
- [ ] Conduct internal threat assessment (employee error, insider threat, access control gaps)
- [ ] Conduct external threat assessment (network vulnerabilities, software risks, physical access risks)
- [ ] Document assessment methodology and findings

Phase 3: Program Design
- [ ] Designate a security coordinator or program owner
- [ ] Establish administrative safeguards (policies, training programs, vendor screening protocols)
- [ ] Implement technical safeguards (access controls, encryption, monitoring, incident detection)
- [ ] Implement physical safeguards (access restrictions, secure disposal procedures)

Phase 4: Vendor Management
- [ ] Review contracts with service providers that handle private information for security obligations
- [ ] Confirm service providers implement appropriate safeguards aligned with the organization's program

Phase 5: Breach Response Readiness
- [ ] Establish a breach detection and assessment process
- [ ] Define notification timelines and responsible parties for § 899-aa compliance
- [ ] Maintain notification templates for affected individuals and the required state agencies (Attorney General, Department of State, Division of State Police for breaches exceeding 500 affected residents)

Phase 6: Program Review and Adjustment
- [ ] Schedule periodic review of the security program
- [ ] Trigger re-assessment upon material changes to business operations, data types, or threat environment
- [ ] Document program adjustments


Reference Table or Matrix

SHIELD Act Core Obligations by Entity Type

| Entity Category | Data Security Program Required | Breach Notification Required | Modified "Reasonableness" Standard | Safe Harbor Available |
|---|---|---|---|---|
| Large enterprise (>50 employees, >$3M revenue) | Yes | Yes | No | Yes (if compliant with enumerated frameworks) |
| Small business (meets any qualifying threshold) | Yes | Yes | Yes | Yes |
| Healthcare entity (HIPAA-covered) | Yes | Yes | No (HIPAA safe harbor applies to security program) | Yes (HIPAA) |
| NYDFS-covered financial entity | Yes | Yes | No | Yes (23 NYCRR 500) |
| Out-of-state entity holding NY resident data | Yes | Yes | If qualifies as small business | Yes |
| Nonprofit organization | Yes | Yes | If qualifies as small business | Yes |

Breach Notification Thresholds Under § 899-aa

| Affected NY Residents | Required Notifications |
|---|---|
| 1–499 | Affected individuals |
| 500 or more | Affected individuals + NY Attorney General + NY Department of State + NY Division of State Police |
| 5,000 or more | Above, plus notification to consumer reporting agencies |

Data Categories: Pre-SHIELD Act vs. Post-SHIELD Act

| Data Category | Covered Before 2019 | Added by SHIELD Act |
|---|---|---|
| Social Security number | Yes | No |
| Driver's license / ID number | Yes | No |
| Financial account + access code | Yes | No |
| Biometric information | No | Yes |
| Username + password / security Q&A | No | Yes |
