Doing Business in NY State? Here’s Why You Need to Know About the NY State SHIELD Act

New York State has implemented formal rules that regulate the data security of state residents. Any business or organization that deals with NY State residents’ private electronic data must be compliant with the NY State SHIELD Act. Does that apply to your organization? Read on for everything you need to know about maintaining compliance.

Everything You Need to Know About The NY State SHIELD Act & Why It Matters

The proper handling of confidential electronic data is a huge part of doing business anywhere these days. With more and more business transactions occurring online, protecting electronic customer data is critical. In fact, for businesses who do any business with New York State residents, there are now new rules and compliance regulations in place to ensure client electronic data is properly protected.

On March 21st, 2020, New York State implemented the “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act. The NY State SHIELD Act requires any person or business owning or licensing computerized data, including identifying any New York State resident information –  to implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of that data.

The most important part? The NY State Sheild Act applies to businesses and organizations dealing with NY State residents’ data even if their organization operates outside of NY State. This means if your company processes transactions or collects any data from customers residing in NY State, you’re required to get and stay compliant with the NY State SHIELD Act.

We know that many of our clients fall under the jurisdiction of these new regulations. So, we thought we would put together a brief guide explaining what the NY State Sheild Act is all about and how all businesses and organizations can stay compliant. Keep reading to understand everything you need to know about NY State SHIELD Act compliance.

What is the NY State SHIELD Act All About?

The NY State SHIELD Act is all about protecting consumer data by implementing reliable cybersecurity standards and strategies. The Sheild Act is designed to protect NY State residents’ private data through the implementation of reasonable administrative, technical, and physical safeguards. Let’s break down some of this jargon below.

What is considered private data?

Private data includes any confidential data that could identify a client. This might include:

  • Login credentials like usernames, email addresses, passwords, or security questions and answers permit access to online accounts.
  • Unencrypted personally-identifying information like names, account numbers, or any other kind of personal markers could be used to identify a client or customer.
  • Formal identification data like social security numbers, driver’s license numbers, or other markers from client forms of identification
  • Financial data like banking account numbers, credit or debit card numbers, security codes, access numbers, or login credentials for such financial accounts.
  • Biometric information is used for finger-print or face-scanning technologies.

What are some examples of reasonable administrative safeguards?

  • Designating one or more employees to plan and coordinate a cybersecurity and compliance effort.
  • Identifying potential data security & compliance risks, both internal and external, to the organization.
  • Assessing current safeguards and addressing areas of vulnerability to control identified risks.
  • Comprehensive data security & compliance training and management for employees.
  • Partnering with professional cybersecurity & compliance professionals to implement and maintain contractually required safeguards.
  • Continually adjusting cybersecurity & compliance strategies to reflect changes to business conditions and new circumstances.

What are some examples of reasonable technical safeguards?

  • Completing a comprehensive risk assessment for all network and software resources within an organization.
  • Completing a comprehensive risk assessment for all processes related to data processing, transmission, and storage within an organization.
  • The swift detection, prevention, and response to system failures and data breaches.
  • A commitment to regular and ongoing effectiveness-testing and monitoring of key cybersecurity controls, systems, and procedures.

What are some examples of reasonable physical safeguards?

  • Completing comprehensive risk assessments of data storage and disposal protocols within an organization.
  • Implementing a reliable system for detecting, preventing, and responding to network breaches.
  • Deliberately protecting against unauthorized access or misuse of client data during the collection, transmission, transportation, storage, or disposal of such data.
  • Creating a secure and compliant plan for disposing of private client data within a reasonable timeframe after it is no longer required for business purposes. This includes creating a plan for erasing electronic data in a way that prevents it from being read or reconstructed after the fact.

Let’s Talk Compliance: Standards for Staying Compliant with the NY State SHIELD Act

Now that we’ve discussed what the NY State SHIELD Act is all about let’s talk a little bit about what compliance looks like for different organizations. The real determinant here is the size of your business. The larger your organization, the more safeguards you’ll need to implement to maintain compliance.

For instance:

  • For a small business with less than 50 employees and less than 3 million dollars in annual revenue from each of the past 3 fiscal years, you need to implement the reasonable administrative, technical, and physical safeguards listed above to protect data.
  • For a larger business with over 50 employees and more than 3 million dollars annual revenue in each of the past 3 fiscal years, there are a few additional things you need to make sure of so you know you have the right security measures in place to protect larger amounts of private data for clients residing in NY State.

You can read the entire NY State SHIELD Act Senate Bill here for more detailed information about the requirements for different business types and sizes.

Why Compliance is So Important & Why Professional Consultation is Best Practice

In the meantime, you might be wondering about some initial, baseline strategies that will help you start taking NY State SHIELD Act compliance seriously. The fact is that compliance is essential, and the financial penalties for non-compliance are steep – up to $5000 per violation. That can be a devastating hit to your organization’s bottom line.

So, here are some initial tips and tricks to get serious about data security & compliance:

  • Stay in the know about existing threats to data security. This might include getting informed about common phishing or social engineering scams designed to capture and steal user data. The more you know about your enemy, the better you’ll be able to prepare compliance strategies.
  • Talk to your team about the importance of data security and compliance with the NY State SHIELD Act. By making things a team effort, you’ll increase your lines of awareness and defense.
  • Make cybersecurity planning and strategizing a deliberate effort. The more you get policies and regulations on paper, the easier it will be to monitor effectiveness and maintain compliance for the long haul.
  • Most importantly, partner with a reliable and strategic team of IT security & compliance professionals. When you partner with a team of experts that speak cybersecurity fluently, you’ll go a long way toward building security, compliance, and peace of mind for your organization. Be sure to choose an IT service provider familiar with the NY State SHIELD Act and thoroughly understand the rules and regulations.

Compliance and data security can seem like a daunting task. But when you break it down into more manageable tasks and goals, you can develop a system that helps you maintain compliance regularly and continually address vulnerability points. All in all, the NY State SHIELD Act is in place to protect consumer data, but it’s also in place to help you protect your organization’s continuity. The sooner you start working towards secure and compliant business processes, the sooner you can get back to the pressing business that matters.

Ready to get compliant with the NY State SHIELD Act? We’d love to help. Give us a call anytime at (817) 277-1001 or visit our website at to chat with a live agent and book an IT compliance consultation.