# [Understanding the New York SHIELD Act](https://usercentrics.com/knowledge-hub/new-york-shield-act/)

**Businesses handling New York residents' data must meet New York SHIELD Act compliance standards. Learn about security safeguards, breach reporting & penalties.**

**Author:** William Newmark · **Read time:** 7 mins · **Published:** Feb 11, 2025

---

The New York SHIELD Act affects any business that handles New York state residents' private information, wherever that business is located. With specific security requirements, a breach notification deadline, and new protected data categories from March 2025, businesses worldwide must understand their obligations.

In 2019, New York's data breach law underwent significant changes when the SHIELD Act was signed. The statute has continued to evolve, most recently with amendments signed in December 2024. This article outlines the SHIELD Act's requirements for businesses that handle New York state residents' private information, from data security safeguards to breach notification.

---

## What is the New York SHIELD Act?

The [New York Stop Hacks and Improve Electronic Data Security Act](https://www.nysenate.gov/legislation/bills/2019/S5575) (New York SHIELD Act) established data breach notification and security requirements for businesses that handle the private information of New York state residents. The law updated the state's 2005 Information Security Breach and Notification Act with expanded definitions and additional safeguards for data protection.

The New York SHIELD Act introduced several requirements to protect New York residents' data. These include:

- a broader definition of what constitutes private information
- updated criteria for what qualifies as a security or data breach
- specific notification procedures for data breaches
- implementation of administrative, technical, and physical safeguards
- expansion of the law's territorial scope

The law also increased penalties for noncompliance with its data security and breach notification requirements.

The New York SHIELD Act was implemented in two phases:

- breach notification requirements became effective on October 23, 2019
- data security requirements became effective on March 21, 2020

---

## Who does the New York SHIELD Act apply to?

The New York SHIELD Act applies to any person or business that owns or licenses computerized data containing the private information of New York state residents. It applies regardless of whether the business itself is located in New York. This scope marked a significant expansion from the previous 2005 law, which only applied to businesses operating within New York state. The law's extraterritorial reach means that organizations worldwide must comply with its requirements if they possess private information of New York residents, even if they conduct no business operations within the state.

---

## What is a security breach under the New York SHIELD law?

The New York SHIELD Act expanded the definition of a security breach beyond the 2005 law's limited scope. The previous law only treated unauthorized acquisition of computerized data as a security breach. The New York SHIELD Act treats either of the following as a breach when it compromises the security, confidentiality, or integrity of private information:

- unauthorized access to computerized data
- acquisition of computerized data without valid authorization

To determine whether private information was accessed, the law looks at indications that a person without valid authorization viewed, communicated with, used, or altered it. To determine whether it was acquired, it looks at indications such as the information being in the physical possession of an unauthorized person, having been downloaded or copied, or having been used by an unauthorized person (for example, in fraudulent accounts or reports of identity theft). In practice this means a log entry showing a record being read, not just exfiltrated, can be enough to trigger the notification analysis.

---

## What is private information under the New York SHIELD Act?

The New York SHIELD law defines two types of information: personal and private.

Personal information is any information concerning a natural person which, because of a name, number, personal mark, or other identifier, can be used to identify that person, such as their name or phone number.

Under the 2005 law, private information was defined as personal information concerning a natural person combined with one or more of the following data elements:

- Social Security number
- driver's license number or non-driver identification card number
- account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to the individual's financial account

The New York SHIELD Act expands this definition of private information to include additional elements:

- account numbers and credit or debit card numbers that could enable access to a financial account without additional security codes, passwords, or other identifying information
- biometric information that is used to authenticate and ascertain an individual's identity, such as a fingerprint, voice print, or retina or iris image
- email addresses or usernames combined with passwords or security questions and answers

The law specifically states that publicly available information is not considered private information.

This definition is set to expand once again. On December 21, 2024, Governor Kathy Hochul signed two bills that strengthened New York's data breach notification laws. Under one of the [amendments](https://www.nysenate.gov/legislation/bills/2023/S2376/amendment/B), effective March 21, 2025, private information will include:

- medical information, including medical history, conditions, treatments, and diagnoses
- health insurance information, including policy numbers, subscriber identification numbers, unique identifiers, claims history, and appeals history

---

## What are the data security requirements under the New York SHIELD Act?

This New York data security law requires any person or business that maintains private information to implement reasonable safeguards for its protection. There are three categories of safeguards required: administrative, technical, and physical.

**Administrative safeguards** include:

- appointing one or more specific employees to manage security programs
- finding potential risks from internal and external sources
- reviewing existing safeguards to check their effectiveness
- training employees on the organization's security practices and procedures
- choosing qualified service providers who meet security requirements through contracts
- adjusting the security program as business circumstances change

**Technical safeguards** include:

- assessing risks in network structure and software design
- evaluating risks in information processing, transmission, and storage
- detecting, preventing, and responding to attacks or system failures
- regularly testing and monitoring the effectiveness of key controls, systems, and procedures

**Physical safeguards** include:

- assessing risks related to information storage and disposal methods
- implementing systems to detect and prevent intrusions
- protecting private information from unauthorized access or use during collection, transportation, and disposal
- disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed

Businesses are deemed compliant with these safeguard requirements if they are subject to, and in compliance with, certain existing data security regimes, such as the [Gramm-Leach-Bliley Act (GLBA)](https://usercentrics.com/knowledge-hub/glba-compliance/), the [Health Insurance Portability and Accountability Act (HIPAA)](https://usercentrics.com/knowledge-hub/health-insurance-portability-and-accountability-act-hipaa/), the Health Information Technology for Economic and Clinical Health Act (HITECH), and the New York Department of Financial Services cybersecurity regulation (23 NYCRR Part 500). Note that this deeming provision covers only the data security requirements; the breach notification requirements still apply.

The law also scales its expectations for small businesses. A business with fewer than 50 employees, less than USD 3 million in gross annual revenue in each of the last three fiscal years, or less than USD 5 million in year-end total assets must still have safeguards, but they need only be appropriate to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the personal information it collects.

---

## What are the data breach notification requirements under the New York SHIELD law?

The New York SHIELD Act sets specific requirements for how and when businesses must notify individuals and authorities about data breaches involving private information.

The law previously required businesses that discover a security breach of computer data systems containing private information to notify affected consumers "in the most expedient time possible and without unreasonable delay." The December 2024 amendment added a hard deadline to this requirement. Businesses now have a maximum of 30 days after discovery of the breach to notify affected New York state residents, with the only exception being a delay requested for the legitimate needs of law enforcement. The 30-day limit took effect immediately upon the bill being signed. A person or business that merely maintains computerized data it does not own (for example, a hosting or processing vendor) must instead notify the data owner or licensee immediately after discovering the breach, so that the owner can run its own 30-day clock.

The New York SHIELD Act also previously required businesses to notify three state agencies about security breaches:

- the Office of the New York State Attorney General
- the New York Department of State
- the New York State Police

The December 2024 amendment added a fourth state agency to be notified, with immediate effect: the New York State Department of Financial Services.

These notices must include information about the timing, content, distribution of notices, and approximate number of affected persons, as well as a copy of the template of the notice sent to affected persons. If more than 5,000 New York state residents are affected and notified, businesses must also notify consumer reporting agencies about the timing, content, distribution of notices, and approximate number of affected persons.

The law introduced specific restrictions on methods for notifying affected consumers. Email notification is not permitted if the compromised information includes an email address in combination with a password or security question and answer that could allow access to the online account, since the attacker may be reading that mailbox. In that case the business must instead provide clear and conspicuous notice online when the affected person next connects to the account from the IP address or online location from which they customarily access it.

All notifications must provide contact information for the person or business notifying affected persons as well as telephone numbers and websites for relevant state and federal agencies that offer guidance on security breach response and identity theft prevention.

---

## Enforcement of the New York SHIELD Act and penalties for noncompliance

The New York Attorney General has the authority to enforce the New York SHIELD Act, with the power to pursue injunctive relief, restitution, and penalties against businesses that violate the law. The statute does not create a private right of action, so individuals cannot sue directly under it.

The law establishes different levels of penalties based on the nature and severity of the violations. When businesses fail to provide proper breach notifications, but their actions are not reckless or intentional, courts may require them to pay damages that cover the actual costs or losses experienced by affected persons.

More severe penalties apply to knowing and/or reckless violations of notification requirements. In these cases, courts can impose penalties of up to USD 5,000 or USD 20 per instance of failed notification, whichever amount is greater. These penalties are capped at USD 250,000.

Businesses that fail to implement reasonable safeguards as required by the law face separate penalties. Courts can impose fines of up to USD 5,000 for each violation of these security requirements.

---

## Impact of the New York SHIELD Act on businesses

The New York SHIELD law imposes significant obligations on any organization handling New York residents' private information, regardless of location. Businesses must implement data security programs with the specified administrative, technical, and physical safeguards, meet the 30-day breach notification deadline, and prepare for the expanded definition of private information.

Key impacts include:

- 30-day mandatory breach notification requirement (currently in effect)
- the implementation of administrative, technical, and physical security safeguards
- expanded private information definition, in effect March 21, 2025
- potential penalties up to USD 250,000 for notification violations and USD 5,000 per security requirement violation

---

## New York SHIELD Act Compliance Checklist

[Download now](https://usercentrics.com/wp-content/uploads/2025/02/NY-Shield-Act-Checklist-1.pdf)

Below is a non-exhaustive checklist to help your business comply with the New York SHIELD Act. For advice specific to your organization, it's strongly recommended to consult a qualified legal professional.

- Implement reasonable administrative, technical, and physical safeguards to protect the private information of New York residents.
- Create and maintain a process to detect data breaches affecting private information.
- Establish procedures to notify affected New York state residents within 30 days of discovering a breach.
- Set up a system to report breaches to the Attorney General, Department of State, State Police, and Department of Financial Services.
- Include contact information and agency resources for breach response and identity theft prevention in all notifications.
- Use appropriate notification methods (for instance, do not use email if the breach involves email/password combinations).
- Notify consumer reporting agencies if more than 5,000 New York state residents are affected by a breach.
- Train employees on security practices and procedures.
- Review and update security programs when business circumstances change.
- Prepare to protect additional categories of private information (medical and health insurance data) starting March 21, 2025.

---

## Frequently asked questions

### When must businesses outside New York comply with the New York SHIELD Act?

Any business that handles the private information of New York state residents must comply with the New York SHIELD Act, regardless of its location.

### What procedures must organizations follow after discovering a data breach affecting New York residents?

Organizations must notify affected New York residents within 30 days of discovering a breach. They must also report the breach to four state agencies: the Attorney General, the Department of State, the State Police, and the Department of Financial Services. The report must include details about timing, content, distribution of notices, and the number of affected persons. If the breach affects more than 5,000 New York residents, organizations must also notify consumer reporting agencies about the timing, content, distribution of notices, and approximate number of affected persons.

### What are the financial penalties for noncompliance with the New York SHIELD Act?

For knowing and/or reckless violations, courts can impose penalties up to USD 5,000 or USD 20 per failed notification, whichever is greater, with a maximum of USD 250,000. Separate penalties of up to USD 5,000 per violation apply for failing to implement reasonable safeguards. For non-reckless violations, businesses may have to pay actual costs or losses incurred by affected persons.

### How do the December 2024 amendments modify existing New York SHIELD Act requirements?

The December 2024 amendments add a 30-day maximum timeline for breach notifications and also require reporting to the New York State Department of Financial Services. Starting March 21, 2025, the amendments also expand protected private information to include medical and health insurance information.

### What specific security measures does the New York SHIELD Act mandate for data protection?

The New York SHIELD Act requires businesses to implement three types of safeguards: administrative, such as employee training and risk assessment; technical, including network security and attack prevention; and physical, which cover data storage and disposal. These safeguards must protect private information from unauthorized access, use, or disclosure.
