NY SHIELD Act Compliance Checklist for Any Business with NY Data
What the SHIELD Act Actually Requires
The New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act, NY General Business Law §899-bb) took effect in March 2020 and applies to any person or business that owns or licenses computerized data including private information of a New York resident. The applicability is broad: there is no minimum business size, no industry restriction, and no New York presence requirement. A business in any state that holds personal information of even a single New York resident is in scope.
The Act has two operative pillars. The breach notification obligation requires notice to affected residents and the state Attorney General within a defined window after a breach. The data security obligation requires implementation of a data security program with reasonable administrative, technical, and physical safeguards. This guide focuses on the data security obligation, which applies continuously rather than only after a breach.
The defining feature of the SHIELD Act compared to other state data security laws is its explicit safeguard categories. Where Massachusetts 201 CMR 17 prescribes specific controls, the SHIELD Act requires reasonable safeguards across three categories without dictating specific implementations. This flexibility is both an opportunity and a liability: organizations can tailor implementation to their context, but they bear the burden of demonstrating that what they implemented was reasonable.
What "Private Information" Covers
The SHIELD Act protects "private information," a defined term that is broader than the federal definition under similar laws. Private information includes:
Social Security number
Driver's license number or non-driver identification card number
Account number, credit card number, or debit card number (in combination with required security code, access code, password, or any other information that would permit access to the financial account)
Account number, credit card number, or debit card number, without additional information, if the number itself could be used to access an individual's financial account without additional identifying information, security code, access code, or password
Biometric information
A username or email address in combination with a password or security question and answer that would permit access to an online account
Notably, biometric information and online account credentials are included. This expands the definition beyond what some other state laws cover and means that organizations holding employee biometric data (fingerprint timeclocks, facial recognition for access) or customer account credentials are likely in scope.
The Three Safeguard Categories
The SHIELD Act organizes the data security obligation into three categories. The Act provides example controls within each category as illustrative guidance, but does not mandate specific implementations.
Administrative safeguards include:
Designating one or more employees to coordinate the security program
Identifying reasonably foreseeable internal and external risks
Assessing the sufficiency of safeguards in place
Training and managing employees on security practices
Selecting service providers capable of maintaining appropriate safeguards
Requiring those safeguards by contract
Adjusting the program in light of business changes or new circumstances
Technical safeguards include:
Assessing risks in network and software design
Assessing risks in information processing, transmission, and storage
Detecting, preventing, and responding to attacks or system failures
Regularly testing and monitoring the effectiveness of key controls, systems, and procedures
Physical safeguards include:
Assessing risks of information storage and disposal
Detecting, preventing, and responding to intrusions
Protecting against unauthorized access to or use of private information during or after collection, transportation, and destruction or disposal
Disposing of private information within a reasonable amount of time after it is no longer needed
The Act's deliberate ambiguity around "reasonable" means that organizations must make defensible decisions about which specific controls satisfy the safeguard categories given their environment, data sensitivity, and risk profile.
Safe Harbor for Compliance with Other Frameworks
The SHIELD Act includes a safe harbor: an entity that is in compliance with the data security requirements of HIPAA, GLBA, NYDFS 23 NYCRR 500, or other applicable federal or state regulations governing data security is deemed compliant with the SHIELD Act's data security obligation.
The safe harbor is consequential. Organizations already operating against HIPAA Security Rule, GLBA Safeguards Rule, NYDFS, or comparable frameworks generally do not need a separate SHIELD Act program. They need only to ensure that the framework's requirements apply to the New York resident data they hold.
For organizations outside the safe harbor (notably, most small to mid-sized businesses without specific federal regulation), the SHIELD Act stands as the data security baseline.
Small Business Reduced Requirements
The SHIELD Act includes a reduced compliance pathway for small businesses, defined as a business with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets. Small businesses meet the data security obligation through safeguards appropriate to the size and complexity of the business, the nature and scope of activities, and the sensitivity of the information.
The small business carve-out does not eliminate the obligation; it adjusts the standard of "reasonable" to a smaller-business context. A two-person firm holding only customer email addresses faces a different "reasonable" than a 40-person firm holding payment card data.
A Practical Compliance Checklist
For organizations outside the safe harbor, the following checklist operationalizes the three safeguard categories:
Administrative Safeguards
[ ] Designate a security program coordinator (named individual with responsibility)
[ ] Conduct an annual risk assessment covering internal and external threats
[ ] Maintain a documented security policy approved by leadership
[ ] Implement security awareness training for all employees, refreshed annually
[ ] Maintain a vendor management process with security requirements in contracts
[ ] Maintain an incident response plan with named roles
[ ] Conduct annual review of safeguard effectiveness with documented findings
Technical Safeguards
[ ] Inventory all systems that store or process private information
[ ] Implement access control with multi-factor authentication for sensitive systems
[ ] Maintain a security baseline for each platform (Windows, Linux, cloud) and enforce it
[ ] Detect configuration drift away from baselines through continuous monitoring
[ ] Log security-relevant events with appropriate retention
[ ] Monitor for and respond to suspicious activity
[ ] Encrypt private information at rest and in transit using current standards
[ ] Maintain a vulnerability management program with documented remediation timelines
[ ] Test technical safeguards periodically through penetration testing or equivalent
Physical Safeguards
[ ] Restrict physical access to facilities storing private information
[ ] Maintain physical security controls (badge access, visitor management)
[ ] Securely dispose of physical media containing private information
[ ] Document data retention and disposal procedures
[ ] Maintain inventory of physical media containing private information
How "Reasonable" Is Evaluated
The SHIELD Act's reasonableness standard is evaluated against the organization's environment. Factors that the Attorney General's office and courts consider when judging whether safeguards were reasonable include:
The size, complexity, and nature of the business
The volume and sensitivity of the private information held
The cost of the safeguards relative to the risks
The state of the art in security controls at the time
Documented risk assessments and the responses to identified risks
The history of incidents and how the organization responded
Industry-standard practices for organizations of similar size and nature
What this means in practice: the organization's documentation matters. Risk assessments that identified specific risks and the controls implemented to address them establish reasonableness. The absence of documented risk assessment or the failure to address identified risks undermines a reasonableness defense.
Incident Response and Breach Notification
The SHIELD Act's other operative pillar is breach notification. If a security event involves unauthorized access to private information, the business must notify:
Affected New York residents
The New York Attorney General
Major consumer reporting agencies (when the breach affects more than 5,000 New York residents)
Other state authorities as required
The notification timing is "without unreasonable delay" and "as soon as practicable" after determination of the breach, except where notice would impede a criminal investigation.
The notification content must include specific information about the breach, the steps taken to investigate and remediate, contact information for affected individuals to ask questions, and information about reporting to consumer reporting agencies and law enforcement.
Penalties and Enforcement
The New York Attorney General enforces the SHIELD Act. Penalties for violation include:
Up to $5,000 per knowing or reckless violation of the data security obligation
Up to $5,000 per knowing or reckless violation of the breach notification obligation
Up to $5,000 per failed notification, in cases of breach notification failures
Civil action for actual costs incurred by individuals as a result of violations
The penalty model is per-violation, not per-record. A single failure to notify affecting 10,000 residents could be either one violation or ten thousand depending on enforcement theory. The aggregate exposure is significant.
How CIS Benchmark Scanning Supports SHIELD Act Compliance
The Technical Safeguards category in the SHIELD Act maps directly to configuration management, access control, audit logging, and continuous monitoring practices that CIS benchmark scanning evaluates automatically.
For SHIELD Act compliance, CIS benchmark scanning produces evidence of:
Baselined configurations across every platform handling New York resident data
Continuous drift detection demonstrating that controls are not just configured but enforced
Audit logging and retention aligned to platform-appropriate standards
Access control configuration including authentication, authorization, and account management
Cryptographic configuration for data at rest and in transit
Vulnerability management when integrated with scanner output
The documentary evidence — timestamped scans, drift events, exception records — establishes that technical safeguards are not aspirational but operationally enforced.
How CISGuard Supports SHIELD Act Programs
CISGuard provides the continuous monitoring infrastructure that SHIELD Act Technical Safeguards expect:
22 CIS benchmarks covering the platforms most New York resident data actually lives on (Windows, Linux, Azure, AWS, M365, Kubernetes)
Per-asset baseline enforcement and drift detection documenting that technical safeguards operate continuously
Immutable audit trail of every scan, drift event, exception, and remediation
Multi-framework mapping showing simultaneous coverage of SHIELD Act, NYDFS 23 NYCRR 500, SOC 2, and other applicable frameworks
Incident-ready evidence pipeline for breach notification and Attorney General review
On-premises and air-gapped deployment options for organizations with sovereignty requirements
See SHIELD Act-aligned features in CISGuard or request a SHIELD Act readiness review.
CIS Benchmarks and CIS Controls are trademarks of the Center for Internet Security, Inc. (CIS). CISGuard is an independent product by GR IT Services and is not affiliated with, endorsed by, or certified by the Center for Internet Security. References to CIS Benchmarks are for informational purposes and describe interoperability with published security standards. NIST, ISO, SOC 2, HIPAA, GDPR, and other framework names are property of their respective owners.