New York's SHIELD Act: What It Means for Businesses

New York's SHIELD Act is the latest US data protection law to take effect. What is it, what does it mean for businesses, and what should SMBs do next?

Blog Post

7 minutes

Jul 22, 2020

New York’s SHIELD Act is the latest data privacy law that businesses across the country have to take into account, particularly businesses with any current or potential customers who reside in the state. What effect will it have on organizations, and how can they prepare for future regulation and compliance standards?

What Is the New York SHIELD Act?

New York’s SHIELD Act (the Stop Hacks and Improve Electronic Data Security Act) was signed in July 2019. Its expanded breach-notification rules took effect on October 23, 2019, and its requirement that covered businesses maintain reasonable safeguards took effect on March 21, 2020. It builds on the state’s existing breach-notification law by protecting more consumer information and redefining what constitutes a data breach.

  • Coverage: The SHIELD Act expands who falls under the law’s jurisdiction. Previously, the law applied to businesses that conducted business in New York. The new act applies to any person or business that owns or licenses computerized data containing the private information of a New York resident, whether the business is based in the state or not.
  • Definition: What counts as a security breach has been redefined under the act. Before, private information had to have been acquired by an unauthorized party, a definition aimed at hackers and cybercriminals who steal data. Now, unauthorized access also counts, regardless of whether anything was copied or stolen; in deciding whether information was accessed, a business may consider indications that it was viewed, communicated with, used or altered by someone without valid authorization.
  • Data types: Previously, the protected information was a person’s name combined with a social security number, a driver’s license or non-driver ID number, or an account, credit or debit card number together with any security code, access code or password needed to use it. This has been expanded to include the following:
    • Account, credit or debit card numbers that can be used to access a financial account without any additional code or password
    • A username or email address combined with a password, or with a security question and answer, that would permit access to an online account
    • Biometric information (such as a fingerprint, voiceprint, or retina or iris image) used to authenticate or identify an individual

Businesses must be in compliance with these new regulations now.

“It is critical that our laws keep pace with the rapidly changing world of technology. The SHIELD Act raises security standards so that no more New Yorkers are needlessly victimized by data breaches and cyber-attacks.” – Senator Kevin Thomas, Chairman of the Committee on Consumer Protection

Why Should Businesses Care?


Of course, the most obvious consideration is the financial implication of running afoul of the new compliance regulations.

The previous statute capped penalties at $150,000 for a single company; the SHIELD Act raises that ceiling to $250,000.

For knowing or reckless failures to notify affected residents, a court can impose a penalty of the greater of $5,000 or up to $20 per instance of failed notification, up to the $250,000 cap. Failure to maintain reasonable safeguards is enforced separately by the Attorney General, with civil penalties of up to $5,000 per violation. The act creates no private right of action, so enforcement comes from the state rather than from consumer lawsuits.

By August 2019, the Attorney General’s office had already levied more than $600 million in fines from businesses that didn’t meet the correct compliance standards under the previous law.

$600 million is a lot of money, and that—along with the signing of this new act into law—is an indication of how seriously New York is taking data privacy protections for consumers.

With the SHIELD Act drastically broadening what businesses must comply with and what practices they must have in place, that figure is likely to rise sharply over the coming years.

“The stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data.” – Gov. Cuomo

In short, there are far more aspects of data protection regulation that companies can fall on the wrong side of, so making sure that doesn’t happen, and avoiding the fines that follow, should be a top priority.

Keeping your business

New legislation like SHIELD, along with the existing CCPA in California and GDPR in the European Union, is a clear indication that politicians are recognizing consumer dissatisfaction with how organizations handle their data.

People are more aware of their data rights and privacy than they have ever been: 84% of people say they care about privacy, about their own data and about the data of other members of society, and want more control over how their data is used.

But how does this affect the success of a business?

Well, frankly, ensuring data protection is as much an effort in self-preservation for organizations as it is keeping their customers’ best interests at heart.

79% of people say they are very or somewhat concerned about how companies use the data they collect about them.

Time and again, businesses that mishandle data or suffer breaches because of poor information protection standards are shooting themselves in the foot, because consumers will simply take their business elsewhere if they feel they are not being protected.

In fact, 48% of respondents in a survey said they had already switched companies or providers because they were concerned about their data policies and sharing practices.

The message is loud and clear from consumers: take their data seriously or they’ll take their custom to businesses that do.

More to come

As we briefly mentioned, the SHIELD Act bears many resemblances to existing data protection laws like CCPA and GDPR.

SHIELD is not the first, and it certainly won’t be the last.

Laws like these are shaping the conversation regarding how much consumers are protected.

Senior business figures and organizations are calling for a federal data privacy law inspired by GDPR and CCPA, and while a bipartisan federal bill isn’t close right now, all of these regulations appear to be heading in one direction.

This is especially true when you consider the impact that CCPA and SHIELD have on their own: roughly 60 million people in California and New York are now covered by these two laws.

That is nearly 20% of the entire US population whose data businesses have to handle in compliance with one of them.

It’s likely that in time other states will follow suit, even if there is no federal law; states including Florida (one of the US’s biggest population centers and markets) are introducing bills on their senate floors.

Businesses that are ahead of the curve will recognize that laws like CCPA and SHIELD are just the start, and will prepare their organization with comprehensive standards and practices for data regulation compliance that will be necessary for what’s to come.

What Can Businesses Do to Prepare?

Businesses should start by investing in a few key areas that will help protect their customers’ data. These are, namely:

Data protection measures

How is your customer data stored?

One of the reasons cloud adoption is rising so significantly among SMBs is that cloud services are relatively easy to use and hold high standards when it comes to data protection.

Whereas in previous years business owners were hesitant to store confidential data in the cloud, now they are doing it in large numbers as a result of advances in cloud security.

Cloud services like Microsoft’s Azure run in Tier IV data centers. Tier IV is the Uptime Institute’s highest rating and describes fully fault-tolerant infrastructure with 99.995% availability, which works out to as little as 26 minutes of downtime annually. Note that the tier rating is a measure of availability, not a security certification: it says nothing about how your data is encrypted, who can access it, or how accounts are protected, so it complements rather than replaces the access controls, encryption and monitoring that SHIELD’s reasonable safeguards call for.

Many businesses operate a hybrid system for their data, keeping general work information in public cloud data centers while using a private data center for their more sensitive information, which gives them more control and customization options.

This allows more flexibility for organizations that are especially conscious about how they look after their data.

Related Post: Why You Need a Tier IV Data Center

Staff directly responsible for coordination and risk assessment

The SHIELD Act’s list of reasonable administrative safeguards begins with designating one or more employees to coordinate the security program, so it’s good to have a member of staff (or a vendor) driving your compliance policy.

Handling data efficiently and to standard isn’t just a case of installing new apps. It fundamentally comes down to how your workforce is using and sharing data and the solutions they use to do so.

If your workforce, or your existing practices, are in breach of the new law, then you need someone with the know-how and capability to address these concerns and implement the correct standards.

This person should also be responsible for reporting any data breaches that do occur, and for the other administrative safeguards the act names: identifying reasonably foreseeable internal and external risks, assessing whether existing safeguards are sufficient to control them, training employees in the security program, and selecting service providers capable of maintaining appropriate safeguards. That risk assessment should cover data handling whether it is hardware- or software-related.

This will be even more pertinent considering the difficulties companies have been having when sharing data within a remote workforce and between remote staff and the office.

Some businesses will choose to have someone in-house to do this, but many will opt for an MSSP because they are cost-effective and have the expertise to know exactly what a business in its specific situation needs to do with regard to data protection.


  • The New York SHIELD Act is a substantial extension of existing data privacy laws, and businesses must be compliant with it now.
  • Consumer demands and increasing public interest in data protection laws mean businesses should take their data handling practices extremely seriously to keep their customers satisfied.
  • SHIELD is just the latest in a series of data privacy laws, and further laws in the years to come will accelerate the need for organizations to get up to speed with their compliance.

Is Your Business Compliant?

New laws like GDPR, CCPA, and SHIELD are just the beginning for data protection compliance standards that businesses should be taking into account. A primary objective for any modern organization should be stopping data breaches. But how?

Take a look at our free eBook, “What Makes a Good Cybersecurity Defense for a Modern SMB?”, and see what measures companies should be putting in place to keep their data secure.
