<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1703665079923990&amp;ev=PageView&amp;noscript=1">

Complying with the SHIELD Act: Cybersecurity Requirements for Businesses

Complying with the SHIELD Act: Cybersecurity Requirements for Businesses

Complying with the New York SHIELD Act
Posted by TEAM ASCEND on 1/30/20 12:42 PM

<< Back to Blog

New York's SHIELD Act applies to businesses nationwide, with compliance required for anyone who does business with or holds personally identifiable information (PII) of New York residents. The following are key takeaways regarding SHIELD Act compliance.


S5575B, known as the "Stop Hacks and Improve Electronic Data Security Act" (SHIELD Act), was introduced in spring 2019 and goes into effect on March 21, 2020. The bill intends to protect New Yorkers' personal and private information in an increasingly digital world, and sets additional guidelines for data breach notifications involving PII. SHIELD, in part, amended New York's existing data breach notification laws to better match the current cybersecurity landscape while also introducing additional data security requirements for affected businesses.

Here are the top 8 details to know about the SHIELD Act that may affect your organization:

Reasonable Security Requirement

Any business which owns or licenses digital data which contains private information of any resident(s) of New York must develop, implement, and maintain "reasonable safeguards" through an organization-wide cybersecurity program, including:


Data Breach Notification

In the event that your organization experiences a data breach involving PII of New York residents, here are the following considerations to take when notifying necessary parties:

  • Balance Incident Response Procedures & Timeliness
    "Disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, ... or any measures necessary to determine the scope of the breach and restore the [reasonable] integrity of the system." - S5575B
  • Notifying Affected Persons
    Breach disclosure may be provided to affected persons in traditional written notice format, telephone call with documented logs of notification, or via electronic notice, if such consent has been provided to do so. 

  • Notifying Authorities
    If PII has been exposed and New York residents/customers will need to be notified, you must first notify the New York Attorney General and the state police regarding the timing, content, and distribution of your notices. If more than 5,000 New York residents must be notified, you must also notify consumer reporting agencies of your breach and impending notifications.


If you need assistance in complying with the SHIELD Act, reach out to one of our experts for a free cybersecurity consultation today. 

New call-to-action


<< Back to Blog

Posted in Incident Response, Risk Assessments, Alerts, Cybersecurity Tips & Best Practices, Small Business