As a small business owner, safeguarding your customers' data is vital in today's world of increasing data breaches and cyberattacks. In New York State, there's a law that outlines what businesses must do to protect customer data: the SHIELD Act. In this article, we'll guide you through the SHIELD Act, what it entails, and how you can comply with it.

What is the New York State SHIELD Act?

The New York State SHIELD (Stop Hacks and Improve Electronic Data Security) Act was signed into law in July 2019 to enhance data security and privacy for New York residents. It requires businesses that collect and maintain private information about New York residents to implement reasonable data security measures to prevent unauthorized access and disclosure.

What is private information under the SHIELD Act?

Under the SHIELD Act, private information refers to any information about a New York resident that, when combined with other information, can be used to identify that person. This includes:

  • Social security number
  • Driver's license number or non-driver identification card number
  • Account number or credit or debit card number, in combination with any required security code, access code, or password
  • Biometric information, such as fingerprints, voiceprints, or retina scans
  • Username or email address, in combination with a password or security question and answer that would permit access to an online account

What are the data security requirements under the SHIELD Act?

Businesses that collect or store private information must implement data security programs that meet specific standards. The programs must be designed to:

  • Protect the confidentiality, integrity, and availability of private information
  • Identify and assess risks to private information
  • Implement safeguards to control identified risks
  • Regularly test and monitor the effectiveness of those safeguards
  • Adjust the security program as necessary to address changes in technology or the business's operations

Notification Requirements Under the New York State SHIELD Act

If your business suffers a data breach that involves private information, you must notify affected customers and the state attorney general within a reasonable time. Specifically, you must provide notice:

  • In the most expedient time possible and without unreasonable delay
  • In written form, electronic form, or other forms consistent with state and federal law
  • To affected individuals, unless a risk of harm analysis determines that notification is not necessary
  • To the state attorney general's office, either alone or in conjunction with notice to affected individuals

Penalties for Noncompliance with the New York State SHIELD Act

Failing to comply with the SHIELD Act could result in severe penalties, including fines and legal action from affected individuals or the state attorney general. Noncompliance penalties can range from $5,000 to $250,000 per violation.
The New York State SHIELD Act is a critical law designed to protect the personal data of New York State residents. As a small business owner, it's essential to understand your obligations under the law and take appropriate measures to comply with it. By implementing data security programs and notifying customers in case of a data breach, you can protect your business and customers from the negative consequences of a security incident.