The NY SHIELD Act: Is Your Business Protected?

Understand Your Obligations & Secure Your Data Before It's Too Late.

What is the NY SHIELD Act?

The "Stop Hacks and Improve Electronic Data Security" (SHIELD) Act, effective March 2020, fundamentally changed New York's data security landscape. It mandates that any person or business owning or licensing computerized data which includes private information of New York residents must develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of that private information.

Key requirements and expansions include:

  • Expanded Definition of Private Information: Now covers biometric data, email addresses with passwords or security questions, and financial account numbers (even without an access code if it could permit access).
  • Broader Geographic Scope: Applies to businesses anywhere in the world if they hold private data of NY residents. You don't need a physical presence in New York to be subject to the Act.
  • Mandated "Reasonable" Security Safeguards: Requires a comprehensive data security program with specific administrative, technical, and physical safeguards. Small businesses have some flexibility but are not exempt.
  • Expanded Breach Notification: The definition of a "breach" now clearly includes unauthorized *access* to private information, not just acquisition.

What This Means For Your Business

If your organization handles the private information of even one New York resident – whether they are customers, employees, or users – you are legally obligated to comply with the SHIELD Act. This isn't just for large corporations; small and medium businesses are equally responsible. Compliance means:

  • Designating an employee to coordinate your security program.
  • Conducting regular risk assessments to identify vulnerabilities.
  • Implementing technical safeguards like encryption, multi-factor authentication, and intrusion detection.
  • Establishing administrative safeguards such as employee training, access controls, and vendor due diligence.
  • Developing physical safeguards to protect data stored on-site.
  • Having a clear incident response plan for data breaches.

The consequences of non-compliance can be severe, including substantial fines from the NY Attorney General, costly litigation, and irreparable damage to your brand's reputation and customer trust.

The Price of Negligence: Enforcement Examples

The New York Attorney General's office actively enforces data security standards. While some cases may pre-date the SHIELD Act's full effect or involve multiple statutes, they highlight the types of failures and penalties businesses face for inadequate data protection affecting New Yorkers:

EyeMed Vision Care (2022)

EyeMed agreed to a $4.5 million settlement with multiple states, including New York, after a 2020 data breach exposed the sensitive data of approximately 2.1 million consumers. The investigation found that EyeMed had failed to implement fundamental security measures: there was no multi-factor authentication on the email account that was compromised, logging and monitoring were inadequate, and data retention policies were insufficient. These gaps left the company vulnerable to a phishing attack whose intrusion went on for nearly a week.

Wegmans Food Markets (2022)

Wegmans paid New York $400,000 as part of a settlement after a cloud storage misconfiguration inadvertently exposed the personal information of over 3 million customers nationwide. The NY AG investigation emphasized the failure to maintain reasonable security measures to protect sensitive customer information, particularly when using cloud services, which led to unauthorized access to names, email addresses, and passwords.

Shein / Zoetop (2022)

The parent company of online retailers Shein and Romwe was ordered to pay $1.9 million to New York State for failing to properly handle a 2018 data breach that compromised the personal information of tens of millions of customers, including many New Yorkers. The NY AG found that Zoetop had failed to adequately secure customer data, then misrepresented the scope and severity of the breach and failed to notify most affected customers. Both failures contravene the spirit and the requirements of data security and breach notification laws like the SHIELD Act.

These examples underscore the serious financial and reputational risks of inadequate data security and the proactive enforcement stance of the New York Attorney General.

Is Your Business SHIELD Act Compliant? Don't Guess.

Navigating the NY SHIELD Act can be complex, but ignoring it isn't an option. Custody & Agency's Pathway Sentinel Program provides the ongoing support you need to achieve and maintain compliance.

Our program offers:

  • Comprehensive risk assessments tailored to your business.
  • Development and implementation of "reasonable" security safeguards.
  • Ongoing monitoring and alerts for potential vulnerabilities.
  • Guidance on incident response and breach notification.

Protect your customers, your reputation, and your bottom line.

Get Your Basic SHIELD Act Audit & Secure Your Future