The Compliance Requirement That Catches the Most Businesses Off Guard
Most small businesses assume data privacy laws are built for big companies. The NY SHIELD Act says otherwise: if you hold the private information of any New York resident — regardless of where your business is located — you have obligations. This is the sleeper compliance requirement that most organizations discover late.
Why This One Surprises People
The NY SHIELD Act (Stop Hacks and Improve Electronic Data Security) was signed in July 2019. Its amendments to New York's breach notification law took effect in October 2019, and its data security requirements took effect in March 2020. The Act expanded New York's breach notification requirements and, more significantly, created an affirmative obligation for businesses to maintain reasonable data security safeguards. Both parts matter.
The surprise isn’t the existence of the law — it’s the scope. A Connecticut accounting firm with New York clients. A New Jersey staffing agency that places workers at New York companies. A national e-commerce retailer headquartered in Ohio. If any of them holds the name, Social Security number, financial account information, or other private information of a New York resident, the NY SHIELD Act applies to them.
There’s no revenue threshold that creates a complete exemption. There’s no employee count that puts a business outside the Act. The only relevant question is: do you hold private information belonging to New York residents? If yes, you have obligations.
What the Breach Notification Change Means
Before the SHIELD Act, New York's breach notification law covered computerized data containing a short list of information categories. The SHIELD Act expanded the definition of "private information" significantly: it added biometric information, a username or email address combined with a password or security question and answer, and account numbers that can be used on their own without an additional access code. Amendments signed in December 2024 added medical information and health insurance information to the definition, effective March 2025.
More importantly, the SHIELD Act expanded who must notify and how quickly. Any business that owns or licenses computerized data containing private information of New York residents, not just businesses "conducting business" in New York, must notify affected New York residents of a breach in the most expedient time possible and without unreasonable delay. Since the December 2024 amendments, that notice must also be sent no later than 30 days after the breach is discovered. The Attorney General can bring an enforcement action for violations.
What Counts as “Private Information”
Under the NY SHIELD Act, "private information" is a name or other personal identifier combined with one or more of the data elements below (or, for some elements, the element on its own). A breach of computerized data containing any such combination creates a notification obligation.
- Social Security number: the statute names the Social Security number specifically
- Financial account information: an account number, or credit or debit card number, together with any security code, access code, password or other information that would permit access to the account; an account number alone counts if it can be used to access the account without additional identifying information
- Biometric data: fingerprints, retina or iris scans, voiceprints, and other unique physical characteristics used to authenticate an individual
- Email + password: an email address combined with a password, or with a security question and answer, that would permit access to an online account (this combination counts even without a name)
- Medical information: health, medical, or mental health condition or treatment information, and health insurance information (added by the December 2024 amendments)
- Username + credentials: a username or email address combined with a password or security question and answer that grants access to an online account
- Driver's license: a New York driver's license number or non-driver identification card number
- Geolocation data: precise geolocation data identifying an individual's past or present location
"Private information" means a name or other identifier plus any one of the above elements. You don't need all of them. You need one, and most businesses hold several categories without realizing the combination creates an obligation. One caveat practitioners should know: the statute excludes data that is encrypted, provided the encryption key was not also accessed or acquired, so encryption at rest with properly separated keys directly reduces notification exposure.
What “Reasonable Safeguards” Actually Means
The NY SHIELD Act requires covered businesses to implement “reasonable safeguards” — which sounds vague until you read the statute. The Act specifies three categories of safeguards that constitute compliance, and they’re more concrete than the name suggests.
- Administrative safeguards: Designated employee responsible for data security, risk assessment processes, employee training, and procedures for selecting and overseeing service providers
- Technical safeguards: Risk assessment across network and software, access controls, encryption of data in transit and at rest, monitoring for unauthorized access
- Physical safeguards: Risk assessment for information storage and disposal, protection against unauthorized access to private information in physical form
Smaller businesses have a modified standard. A "small business" under the Act is one with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets, and its safeguards need only be "appropriate to the size and complexity" of the business, the nature and scope of its activities, and the sensitivity of the information it holds. But "small" doesn't mean "none." A 15-person firm in Stamford with 2,000 New York clients has real obligations under this standard. The question is proportionate, not zero.
The Geography Non-Issue
Businesses located outside New York consistently underestimate their SHIELD Act exposure. The Act doesn’t care where you’re incorporated or where your offices are. It cares where your data subjects live. If you hold private information about New York residents — employees, customers, prospects, vendors, anyone — and you experience a breach, you have a notification obligation to those residents and potential enforcement exposure regardless of your physical location.
Connecticut and New Jersey businesses serving New York clients are particularly common among the firms we advise. The conversation usually starts the same way: "We thought that was a New York law for New York businesses." It's a New York law for anyone with New York data.
Common SHIELD Act Questions
Does the SHIELD Act apply if our business is not in New York?
Yes. The Act applies to any business that holds private information of New York residents — regardless of where the business is incorporated or where its offices are. Connecticut, New Jersey, and out-of-state firms with New York clients, employees, or customers are in scope.
What counts as private information?
A name or identifier plus any of: Social Security numbers, financial account information with access codes, biometric data, email and password combinations, medical and health information, driver license numbers, or precise geolocation data. One element is enough — you do not need all of them.
What are reasonable safeguards under the Act?
Administrative, technical, and physical safeguards proportionate to your size and complexity. Designated responsibility for data security, risk assessment, employee training, access controls, encryption, and procedures for vendor oversight. Smaller businesses have a scaled standard — not a zero standard.
How quickly must we notify after a breach?
In the most expedient time possible and without unreasonable delay, and, since the December 2024 amendments, no later than 30 days after the breach is discovered. The Attorney General can bring an enforcement action for noncompliance. Notification obligations apply even if you only learned of the unauthorized access after the fact.
What is the penalty for non-compliance?
The New York Attorney General can pursue civil penalties of up to $5,000 per violation of the reasonable safeguards requirement. For failures to notify, the court may award actual costs or losses incurred by the persons entitled to notice, plus a penalty of up to $20 per failed notification (capped at $250,000) where the failure was knowing or reckless. The reputational exposure from a publicized SHIELD enforcement action often outweighs the direct penalty.
Find Out What Your SHIELD Act Obligations Actually Are
A direct conversation about your data environment, your client base, and your current safeguards is the right place to start. Most firms are more compliant than they think — with a few specific gaps that need attention.