NMSG


Updated: Mar 9, 2020

New York State's SHIELD Act goes into full effect on March 21, 2020.


SHIELD stands for 'Stop Hacks and Improve Electronic Data Security'. The Act was originally signed into law by Governor Andrew Cuomo on July 25, 2019. It is essentially two things: A) an expansion of the existing breach notification requirements of General Business Law section 899-AA, and B) a broader definition of what constitutes 'private information' under new section 899-BB. For any entity holding private information about New York residents, it does mainly three things:

  1. Expands what qualifies as private information.

  2. Establishes breach notification qualifications and requirements.

  3. Requires businesses to have a cybersecurity program in place that establishes reasonable security.

Should businesses fail to comply, New York's Attorney General may bring an action for an injunction, and courts may impose civil penalties of up to a maximum of $250,000.


This Act requires businesses to have in place a security program or plan capable of providing New York State residents with a level of reasonable security. To do so, at least three conditions must be met. The first condition is administrative: ongoing mitigating activities such as security planning, risk management, and training are given the time, attention, and importance they deserve. Second, there must be a physical component that protects against unauthorized physical access and unwanted intrusion. Last but certainly not least, there must be a technical component that addresses, remediates, and manages ongoing threats of attack.

Any cybersecurity program or plan designed to close vulnerability loops and mitigate clear and present risks must be based on some level of business intelligence about your internal and external operating environment. This means knowing your own security posture, that of your vendors, and that of the other parties along your supply chain. Equally indispensable are data privacy protections that speak specifically to data use, classification, access, storage, sharing, and ultimate destruction.


Sign up here for notification of our upcoming free webinar, where Nine Mile Security Group's CEO will go into detail on what small and medium-sized businesses need in order to build an effective and 'reasonable' cybersecurity program. The webinar will also include tips on how to ensure compliance with both New York State's SHIELD Act and California's CCPA.

You will walk away with a clear understanding of the SHIELD Act, what your cybersecurity program or plan should include, and what must be included in any accompanying data privacy protections that underlie critical operations.

***This article is not intended to nor serves as official legal advice***
