New York’s SHIELD Act Enforcement Is Ramping Up: What Your Business Needs to Do Now

Summary: New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) requires businesses that hold private information of New York residents to implement reasonable data security safeguards. Enforcement activity has increased significantly, and businesses that have not reviewed their data security practices should act now.

What the SHIELD Act Requires

The SHIELD Act, codified at New York General Business Law § 899-bb, requires any person or business that owns or licenses computerized data containing the private information of New York residents to implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of that information. The Act applies regardless of where the business is located — if you hold data on New York residents, you are covered.

“Reasonable safeguards” under the SHIELD Act include administrative safeguards such as designating an employee to coordinate security programs, identifying reasonably foreseeable risks, and training employees on security practices. Technical safeguards include assessing risks in network and software design, detecting and responding to system failures, and testing security measures. Physical safeguards include assessing risks related to information storage, detecting and responding to intrusions, and properly disposing of private information.

Why Enforcement Matters Now

The New York Attorney General’s office has increasingly prioritized data security enforcement actions. Recent settlements have involved businesses of all sizes, from large enterprises to small and mid-sized companies that failed to implement basic security measures. The enforcement pattern suggests that the AG’s office is focused on companies that have experienced data breaches and are found to have lacked the “reasonable safeguards” required by law.

For businesses that also use AI tools — particularly those processing customer data through AI platforms — the SHIELD Act creates additional compliance considerations. Data shared with AI vendors, processed through machine learning models, or stored in cloud-based AI systems must be protected under the same standards. Our AI Enhanced General Counsel practice advises clients on the intersection of AI adoption and data privacy compliance.

What Your Business Should Do

If your business has not conducted a data security assessment under the SHIELD Act framework, now is the time. Key steps include conducting a risk assessment of your current data security practices, implementing written security policies and employee training, reviewing vendor agreements to ensure data security obligations are addressed, establishing incident response procedures for potential data breaches, and documenting your compliance efforts. The SHIELD Act includes a safe harbor for small businesses that implement security programs appropriate to their size and complexity, but the safe harbor requires affirmative steps — simply being small is not enough.

Need help with SHIELD Act compliance? Contact Travis & DeBlase PLLC at (212) 248-2120 or schedule a consultation to discuss your data security obligations.
