What security measures must businesses implement under the SHIELD Act?
Businesses must implement reasonable administrative, technical, and physical safeguards to protect private information, as defined by New York’s SHIELD Act.
What the Law Says
The Stop Hacks and Improve Electronic Data Security (SHIELD) Act requires any person or business that owns or licenses computerized data containing private information of New York residents to implement and maintain reasonable safeguards.
Reasonable safeguards fall into three categories: administrative, technical, and physical. Administrative safeguards include designating employees to coordinate the security program, identifying internal and external risks, assessing the effectiveness of existing safeguards, and training employees. Technical safeguards involve access controls, encryption, monitoring systems, and regular testing. Physical safeguards cover disposal of private information, detection of intrusions, and protection against unauthorized access.
The law applies broadly — even to out-of-state businesses handling NY residents’ private information. Businesses that qualify as a 'small business' (fewer than 50 employees, less than $3 million in gross annual revenue, or less than $5 million in year-end total assets) are still covered, but their 'reasonable' safeguards need only be appropriate to their size and complexity.
Statutory Text
Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.
— N.Y. Gen. Bus. Law § 899-bb(2) — Duty to protect private information
Statutory Text
‘Private information’ means any combination of (i) a name and (ii) one or more of the following data elements: social security number, driver’s license number, account number, credit or debit card number, biometric information, or user name/email address with password or security question/answer.
— N.Y. Gen. Bus. Law § 899-aa(4) — Definition of private information
Statutory Text
‘Reasonable safeguards’ shall include administrative, technical and physical safeguards… appropriate to the size and complexity of the covered entity.
— N.Y. Gen. Bus. Law § 899-bb(2)(b) — Safeguard requirements
Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.