Skip to content

New York Shield Act

Your Guide to Cybersecurity and Compliance in NY

Cyber Compliance in New York

New York State is requiring businesses to adopt more stringent data security safeguards for customers’ personal information. What impact will the new SHIELD Act have on local businesses?

Mountain Lake PBS

Cybersecurity in NY | Interview (Excerpt)

Devi Momot - CEO, Twinstate Technologies: What this law looks to do is to make employers and custodians of personal information more secure and accountable. Most everything is digital now, companies hold information on us -- about our birthdays, our social security numbers, biometric information, answers to security passcode questions, and all those types of information are considered to be private and unique to an individual and therefore the custodian of that information should keep it private and secure.

Jacqueline Kelleher - Attorney, Stafford Owens: This Act applies to all businesses but there are different standards. So, if you are a business with less than 50 employees, or less than $3 million in annual revenue, or less than $5 million in assets then you are considered a small business and have to take reasonable steps to protect your business.

So, my company we have less than 15 employees, so we're going to meet that test but our standard for privacy is going to be much higher than the 

local pizza shop. You have to do what's reasonable for the type of business you have and the type of information you have.

But companies that don't meet that test -- they will have to meet a broad range of pretty stringent standards and those companies probably have some steps they need to take to get into compliance. 

Watch the full interview with Mountain Lake PBS:

NY SHIELD Compliance at-a-Glance

Three Levels of SHIELD Compliance:

  • Meet all three levels of safeguards to meet "reasonable" security 
  • 1. Technical safeguards include getting a risk assessment
  • 2. Physical safeguards include network threat monitoring and data protection
  • 3. Administrative safeguards include delivering cybersecurity awareness training
  • Any business that collects or possess private information about New York residents must comply with SHIELD
  • State Attorney general can deliver fines up to $250,000 for SHIELD violations

NY SHIELD Compliance Assessment

Find out what you need to do to become compliant with the New York SHIELD Act.
New York SHIELD vs California CCPA

Why So Much Fuss Over SHIELD?

The last year was a significant year for cybersecurity legislation. It saw over 330 bills and regulations pertaining to cybersecurity introduced in at least 36 states. You may have heard about some of these new rules, such as the California Consumer Privacy Act (CCPA), but the SHIELD act stands out as unique. The SHIELD Act, like CCPA, requires companies to adopt security programs to reduce risks of a data breach. However, SHIELD, unlike CCPA, defines the specific steps a business must take to meet a “reasonable security” standard.



SHIELD is also unique in that it broadens the definition of a “breach” to include not just theft of digital information but also the unauthorized access of such data. E.g., an employee who finds and opens documents on your network without valid authorization. In the event of unauthorized access of data under SHIELD, a consumer notification must be sent, whereas, before SHIELD, a notification would only be triggered if consumer data was acquired by an unauthorized person(s).



Get NY SHIELD Compliant

How To Be SHIELD Act Compliant

The SHIELD Act has three categories of safeguards you must comply with to meet the “reasonable security” standard: Technical Safeguards, Physical Safeguards, and Administrative Safeguards. Fortunately, there is overlap on the safeguards, if you implement the right solution to satisfy certain technical safeguards that same solution will satisfy certain physical and administrative safeguards as well. 
The technical safeguards prescribed by New York State include conducting a risk assessment, implementing data policies and encryption, internal and external threat monitoring to detect attacks on your system, continuous monitoring of your system, and disaster recovery and data retention solutions.
The physical safeguards prescribed by New York State include conducting a risk assessment, network threat monitoring, data protection and encryption, and data destruction. 

The administrative safeguards prescribed by New York State include naming a CISO, proactive threat monitoring, conducting a risk assessment, delivering security awareness training, and incident response planning. It’s important to have a consultative partner when planning to meet these requirements so that organizations don’t spend more than necessary to achieve compliance. 

The tools needed to reach compliance are complex and vary in their feature sets, but working with a trusted partner can help you select tools that maximize the utility of your compliance investment. For instance, Twinstate Technologies can help businesses choose a single threat monitoring solution that satisfies four different safeguards across the technical, physical, and administrative categories.

Partner with Twinstate

Tough on Data Security

NY SHIELD Penalities are increased 66%

The state of New York has a history of being tough on data security. Before the SHIELD Act was signed into law, the State Attorney General has issued fines totaling over $600M related to data breaches. Under the new legislation, penalties are increased by 66%. The Attorney General can levy fines up to $250,000 for violations by a business.

Small Business vs Large Business

Who is Required to Comply With NY SHIELD?

The SHIELD act has no borders. It does not matter if your business headquarters are in Albany, NY or Atlanta, GA – if you collect or possess private information about New York residents, then you must comply with the SHIELD Act.

New York State is imposing compliance obligations on any employer that has an employee in the state of New York. Employers without employees in New York may still be subject to compliance. Certain information collected during online hiring processes may trigger coverage.

Large or small, any business in or doing business with the state of New York is required by the state to comply. Compliance is not optional. However, compliance requirements are different for companies defined as small and companies defined as large. How does the SHIELD Act define a “small” and “large” business?

NY SHIELD Classifies Small vs Large Business

Small Business Defined Under SHIELD

The state of New York classifies a business as small if it has under 50 employees; or has less than $3M of gross revenue in each of the last three years; or has under $5M in total year-end assets when calculated in accordance with GAAP. New York state considers a business as large if it doesn’t meet any of the criteria of a small business.


The New York State SHIELD Act or “Stop Hacks and Improve Electronic Data Security Act” boosts the protection of New York state resident’s private information. However, for businesses, the legislation adds critical new requirements to protect private information and holds accountable any company that does business in the state or holds information about residents of the state. Compliance can be tricky, but a trusted partner can help you meet your goals.

Ready to Schedule your SHIELD Assessment?

Schedule a quick call