Copyright 2023 Ernest Goodman Law Firm - Los Angeles - New York.
All Rights Reserved.

9:00 AM - 5:00 PM

Our Opening Hours Mon. - Fri.


Call Us.




Understanding the New York SHIELD Act

Ethics Before Profits
Law Offices of Ernest Goodman > cybersecurity  > Understanding the New York SHIELD Act

Understanding the New York SHIELD Act

Hello, everyone!

Today, we will discuss the New York SHIELD Act. While the United States does not have a uniform cybersecurity law, several states, including New York, have enacted cybersecurity laws, with the New York SHIELD Act being one of them

In an age where data breaches and cyber threats pose significant risks to personal and corporate information, legislation aimed at bolstering data security measures is paramount. One such crucial piece of legislation is the New York SHIELD Act. Let’s delve into what the SHIELD Act entails and how it aims to enhance data protection for residents of New York.

What is the New York SHIELD Act?

The New York SHIELD Act, or the “Stop Hacks and Improve Electronic Data Security Act,” was enacted in July 2019 to modernize and strengthen data security requirements in New York State. The Act expands the scope of data security obligations for businesses handling private information and introduces stringent requirements to mitigate the risk of data breaches.

Key Provisions of the SHIELD Act:

  1. Expanded Definition of Private Information: The SHIELD Act broadens the definition of private information to include additional data elements such as usernames, email addresses, and biometric information, thereby expanding the scope of protected information.
  2. Enhanced Data Security Requirements: The Act mandates that businesses implement reasonable safeguards to protect private information from unauthorized access, use, or disclosure. These safeguards include encryption of sensitive data, risk assessments, and the implementation of data security programs.
  3. Breach Notification Requirements: In the event of a data breach, businesses are required to notify affected individuals and regulatory authorities in a timely manner. The Act establishes specific notification requirements and timelines for notifying individuals and the New York State Attorney General’s office.
  4. Penalties for Non-Compliance: The SHIELD Act imposes significant penalties on businesses that fail to comply with its provisions. Violations may result in civil penalties, ranging from $5,000 to $20,000 per violation, making adherence to data security requirements a critical priority for businesses operating in New York State.

Impact and Implications:

The implementation of the SHIELD Act has far-reaching implications for businesses operating in New York State. It places greater emphasis on proactive measures to safeguard private information, such as implementing robust data security protocols, conducting regular risk assessments, and ensuring compliance with breach notification requirements.

Furthermore, the SHIELD Act underscores the importance of prioritizing data security and fostering a culture of accountability and transparency in handling sensitive information. By elevating data protection standards, the Act aims to enhance consumer trust and confidence in the digital economy while mitigating the risks associated with data breaches and cyber threats.

Under the New York SHIELD Act, businesses are required to maintain cybersecurity documentation that includes:

  1. Written Information Security Program (WISP): A comprehensive written plan outlining the organization’s policies and procedures for protecting sensitive information and mitigating cybersecurity risks.
  2. Risk Assessment: Documentation of periodic risk assessments conducted to identify potential vulnerabilities and threats to the security of private information.
  3. Data Security Policies and Procedures: Written policies and procedures detailing how the organization safeguards private information, including access controls, encryption protocols, incident response plans, and employee training programs.
  4. Breach Response Plan: Documentation of procedures for responding to data breaches, including notification protocols for affected individuals, regulatory authorities, and other stakeholders.
  5. Vendor Management Documentation: Records of assessments conducted on third-party vendors and service providers to ensure compliance with data security requirements and contractual obligations.
  6. Training Records: Documentation of employee training programs on data security best practices and procedures for handling sensitive information.
  7. Incident Logs: Records of cybersecurity incidents, including attempted breaches, security vulnerabilities, and unauthorized access attempts, along with documentation of the organization’s response and remediation efforts.

These documentation requirements are essential for demonstrating compliance with the SHIELD Act and ensuring the effective implementation of data security measures to protect sensitive information from unauthorized access or disclosure.


The New York SHIELD Act represents a significant step forward in strengthening data security measures and protecting the privacy of individuals in New York State. By imposing enhanced requirements and penalties for non-compliance, the Act underscores the importance of proactive measures to safeguard sensitive information in an increasingly digital world.

As businesses adapt to the evolving data security landscape, compliance with the SHIELD Act is essential to mitigate the risk of data breaches, protect consumer privacy, and uphold the integrity of the digital ecosystem in New York State.

Note: This post is a general overview and does not constitute legal advice. For specific legal concerns, it’s always recommended to consult with a qualified attorney.





No Comments

Leave a Comment