NY SHIELD Act Compliance Readiness Calculator

Evaluate your organization's compliance readiness with the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act by scoring your current security program across administrative, technical, and physical safeguard categories.

Organization Profile

Administrative Safeguards (35% weight)

Technical Safeguards (40% weight)

Physical Safeguards (25% weight)

Formula

Category Scores (each normalized to 0–100):

  • Administrative Score = (Sum of 5 admin ratings / 15) × 100, where 15 = 5 ratings × maximum rating of 3
  • Technical Score = (Sum of 6 technical ratings / 18) × 100, where 18 = 6 × 3
  • Physical Score = (Sum of 4 physical ratings / 12) × 100, where 12 = 4 × 3

Overall Compliance Score = (Administrative × 0.35) + (Technical × 0.40) + (Physical × 0.25)

Compliance Gap Score = min(100, (100 − Overall Score) × Risk Score × Industry Multiplier / 4)
where Risk Score is tiered by the number of NY resident records held: <500 = 1, 500–9,999 = 2, 10,000–499,999 = 3, ≥500,000 = 4
Industry Multiplier: Healthcare/Finance=1.20, Technology/Retail=1.10, Other=1.00

Remediation Effort = round((100 − Overall Score) × 0.5 × log₁₀(employees) / log₁₀(50)) person-days, for employees ≥ 1 (log₁₀(1) = 0, so a single-employee organization yields 0 person-days; 0 employees is not a valid input)

Estimated Annual Cost = (Remediation Days × $1,500) + (NY Records × $0.10) + Base Program Cost
Base Program Cost: $5,000 (small business <50 employees) | $15,000 (covered business)
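The formula above, carried through end-to-end as an added example (not code from the page's calculator): each stage is a separate function so intermediate values can be inspected, and the input checks a practitioner would want are included (rating counts and range, non-negative record counts, headcount of at least 1 before taking the logarithm). Function names, the validation rules and the sample organization are assumptions for illustration.

```python
# Added example: the SHIELD readiness formula on this page, implemented
# end-to-end with input validation. Function names, the validation rules
# and the sample organization below are assumptions, not part of the page.
import math

RATING_MAX = 3  # 0 = Not Implemented, 1 = Partial, 2 = Risk Informed, 3 = Adaptive/Optimized
WEIGHTS = {"administrative": 0.35, "technical": 0.40, "physical": 0.25}
RATING_COUNTS = {"administrative": 5, "technical": 6, "physical": 4}
INDUSTRY_MULTIPLIER = {
    "healthcare": 1.20, "finance": 1.20,
    "technology": 1.10, "retail": 1.10,
    "other": 1.00,
}
CONSULTANT_DAY_RATE = 1_500   # USD per person-day
PER_RECORD_COST = 0.10        # USD per NY resident record
BASE_PROGRAM_COST = {True: 5_000, False: 15_000}  # keyed by the small_business flag


def category_score(ratings, expected_count):
    """Normalize a list of 0-3 ratings to 0-100; reject wrong-length or out-of-range input."""
    if len(ratings) != expected_count:
        raise ValueError(f"expected {expected_count} ratings, got {len(ratings)}")
    if any(not (0 <= r <= RATING_MAX) for r in ratings):
        raise ValueError(f"ratings must be in 0..{RATING_MAX}")
    return sum(ratings) / (expected_count * RATING_MAX) * 100


def overall_score(admin, technical, physical):
    """Weighted combination of the three category scores (35/40/25)."""
    return (admin * WEIGHTS["administrative"]
            + technical * WEIGHTS["technical"]
            + physical * WEIGHTS["physical"])


def risk_score(ny_records):
    """Tier the record count into the page's 1-4 risk score (lower bounds are inclusive)."""
    if ny_records < 0:
        raise ValueError("record count cannot be negative")
    for threshold, score in ((500_000, 4), (10_000, 3), (500, 2)):
        if ny_records >= threshold:
            return score
    return 1


def compliance_gap(overall, ny_records, industry):
    """Gap score capped at 100; an unlisted industry falls back to the 'Other' multiplier."""
    mult = INDUSTRY_MULTIPLIER.get(industry.lower(), INDUSTRY_MULTIPLIER["other"])
    return min(100.0, (100 - overall) * risk_score(ny_records) * mult / 4)


def remediation_days(overall, employees):
    """Person-days scaled by headcount; log10(1) = 0, so a one-person shop gets 0 days."""
    if employees < 1:
        raise ValueError("employees must be at least 1 (log10 is undefined at 0)")
    return round((100 - overall) * 0.5 * math.log10(employees) / math.log10(50))


def annual_cost(days, ny_records, small_business):
    """Consultant days plus per-record governance overhead plus the base program cost."""
    return days * CONSULTANT_DAY_RATE + ny_records * PER_RECORD_COST + BASE_PROGRAM_COST[small_business]


def assess(admin_ratings, technical_ratings, physical_ratings,
           employees, ny_records, industry, small_business):
    """Run the whole pipeline and return every intermediate value for review."""
    admin = category_score(admin_ratings, RATING_COUNTS["administrative"])
    technical = category_score(technical_ratings, RATING_COUNTS["technical"])
    physical = category_score(physical_ratings, RATING_COUNTS["physical"])
    overall = overall_score(admin, technical, physical)
    days = remediation_days(overall, employees)
    return {
        "administrative": admin,
        "technical": technical,
        "physical": physical,
        "overall": overall,
        "risk_score": risk_score(ny_records),
        "gap": compliance_gap(overall, ny_records, industry),
        "remediation_days": days,
        "annual_cost": annual_cost(days, ny_records, small_business),
    }


# Constructed sample input: a 120-person healthcare vendor holding 25,000 NY resident records.
SAMPLE = dict(
    admin_ratings=[2, 2, 1, 3, 2],
    technical_ratings=[2, 1, 2, 2, 1, 2],
    physical_ratings=[3, 2, 2, 1],
    employees=120,
    ny_records=25_000,
    industry="Healthcare",
    small_business=False,
)

if __name__ == "__main__":
    for key, value in assess(**SAMPLE).items():
        print(f"{key:>18}: {value:,.2f}" if isinstance(value, float) else f"{key:>18}: {value:,}")
```

For the constructed sample the pipeline gives category scores of 66.7 / 55.6 / 66.7, an overall score of 62.2, a gap score of 34.0 (risk tier 3, healthcare multiplier 1.20), 23 remediation person-days and an estimated annual cost of $52,000. Note that the `small_business` flag is supplied by the caller: the Act's small-business test has three alternative prongs, not only the headcount the base-cost line uses, so that decision is deliberately kept outside the formula.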

Assumptions & References

  • Based on the NY SHIELD Act (Stop Hacks and Improve Electronic Data Security Act), signed into law July 25, 2019; its breach-notification amendments took effect October 23, 2019 and its data security requirements March 21, 2020 (N.Y. Gen. Bus. Law § 899-bb).
  • The Act requires businesses holding private information of NY residents to implement a reasonable data security program with administrative, technical, and physical safeguards.
  • Technical safeguards are weighted highest (40%) in this calculator. That weighting is an editorial choice, not a statutory one: the Act lists the three safeguard categories without ranking them, and its examples of technical safeguards are assessing risks in network and software design and in information processing, transmission and storage, detecting, preventing and responding to attacks or system failures, and regularly testing and monitoring the effectiveness of key controls.
  • A "small business" is one with fewer than 50 employees, less than $3M in gross annual revenue in each of the last three fiscal years, or less than $5M in year-end total assets (any one prong qualifies). Small businesses are not exempt; their safeguards need only be appropriate to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the personal information it holds.
  • Breach notification must be made to affected NY residents "in the most expedient time possible and without unreasonable delay". Whenever residents are notified, the business must also notify the NY Attorney General, the Department of State, and the Division of State Police, regardless of the number of residents affected; if more than 5,000 NY residents are notified at one time, consumer reporting agencies must be notified as well (N.Y. Gen. Bus. Law § 899-aa).
  • Civil penalties (AG enforcement only; the Act creates no private right of action): for failure to notify, the greater of $5,000 or up to $20 per instance of failed notification, capped at $250,000; for failure to maintain reasonable safeguards, up to $5,000 per violation.
  • Consultant daily rate of $1,500 is a blended market estimate for information security professionals (2024 U.S. market rates).
  • Per-record data governance cost of $0.10 is based on industry benchmarks for data inventory, classification, and retention management overhead.
  • Rating scale (0–3) is loosely adapted from the NIST Cybersecurity Framework implementation tiers (Tier 1 Partial, Tier 2 Risk Informed, Tier 3 Repeatable, Tier 4 Adaptive), collapsed to 0=Not Implemented, 1=Partial, 2=Risk Informed, 3=Adaptive/Optimized. NIST SP 800-53 is a control catalog and defines no maturity tiers.
  • This calculator provides an educational estimate only and does not constitute legal advice. Consult qualified legal counsel for formal compliance assessment.
