Public or Private data, your choice

Data Privacy: The New York SHIELD Law

The General Data Protection Regulation (GDPR) is the most famous data privacy legislation. It covers data collected on any citizen of the European Union (E.U.), no matter where it is collected.

This was the proverbial “shot across the bow,” a signal that data privacy is a serious matter. In response, other countries have passed privacy regulations.

Because the United States does not have a Federal Privacy Law, states are filling the void.

States Have Taken Matters Into Their Own Hands

Many States, including New York, have passed privacy regulations. The States that have not yet passed laws are sure to follow.

The point is that even though the Federal Government hasn’t acted after GDPR, U.S. companies are not out of the woods. Like the GDPR, most States’ laws cover their residents worldwide.

New York SHIELD Act’s Main Points

SHIELD stands for the “Stop Hacks and Improve Electronic Data Security (SHIELD) Act.” The main points are:

  • It dramatically expands the definition of private data. For example, it now includes name, address, social security number, and biometric information.
  • It covers any person or entity that collects data on a New York resident. It doesn’t matter where the collector resides.
  • There are exceptions for small businesses with:
    • Less than 50 employees
    • Less than $3 million in annual revenue in each of the last three years, or less than $5 million in assets.
    • Small businesses claiming exceptions must still comply, but with modifications. Always seek appropriate legal counsel when taking this course of action.
  • It redefines “breach” to include unauthorized access; data no longer has to be taken for an incident to count as a breach.
  • It adds security requirements that covered businesses must meet to safeguard the private information in their care.

There are, of course, other requirements. You can get additional information from the NYS Attorney General’s Office. You can also download the NY SHIELD Law text here. It is always a good idea to get proper legal advice when it comes to compliance.

Noncompliance Is Not An Option

Every company in New York State, or that does business with NY residents, must comply. Fines can be hefty. The NYS Attorney General can assess up to $250,000 for violations.

New York State is very aggressive in levying fines. So far, they’ve assessed hundreds of millions of dollars against violators.

If you haven’t done so already:

  1. Put in place a data security program. Consult with your I.T. department or Managed Services Provider (MSP).
  2. Regularly conduct risk assessments, including hardware, software, databases, data transfers, etc.
  3. Implement an Employee Security Awareness Training program.
  4. Create, and regularly test, a Security Incident Response policy.
  5. Choose a person to handle the necessary reporting of incidents.
  6. Install a Business Continuity solution to ensure you can recover quickly.

Data privacy is serious business. The GDPR may have started it, but other countries and individual States are jumping on the bandwagon. Act now.

XSolutions is an I.T. Services Provider serving New York (N.Y.), New Jersey (N.J.), and Connecticut (C.T.). We provide Managed I.T. Services | Managed I.T. Security | Backup & Disaster Recovery | Cloud Data Protection | Security Awareness Training. Call (845) 362-9675 for a free consultation.