What Is The NYS SHIELD Act

All NYS businesses must comply with the NYS Stop Hacks and Improve Electronic Data Security (SHIELD) Act. The act was created to amend the existing data breach notification law, which was quickly becoming outdated.

The act applies the notification requirement to any person or entity possessing private information of a NYS resident, not solely those that conduct business in the state. The law also updated the notification procedures that companies and state entities must follow in the event of a data breach. In addition, the act requires “reasonable” cybersecurity measures tailored to the size of a business. Another notable feature of this bill is its expanded definition of a data breach, which now includes unauthorized access to private information.


Reasonable administrative safeguards in which a person or business

1) assigns one or more employees to organize the security program;

2) identifies reasonably foreseeable internal and external risks;

3) assesses the effectiveness of safeguards in place to address identified risks;

4) trains and manages employees in the security program practices and procedures;

5) selects service providers equipped to maintain appropriate safeguards, and requires such safeguards by contract; and

6) modifies the security program in light of business changes or new circumstances.


Reasonable technical safeguards in which a person or business

1) assesses risks in network and software design;

2) assesses risks in information processing, transmission, and storage;

3) detects, prevents and responds to attacks or system failures; and

4) regularly tests and monitors the effectiveness of key controls, systems and procedures.


Reasonable physical safeguards in which a person or business

1) assesses risks of information storage and disposal;

2) detects, prevents and responds to intrusions;

3) protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and

4) disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.


From developing a framework to implementing your plan, M.A. Polce can help you fulfill all these requirements and get ahead of the curve. Contact us today for your free consultation!
