Management, compliance & auditing

NY SHIELD Act: Security awareness and training requirements for New York businesses

Susan Morrow
September 21, 2020 by
Susan Morrow


The world of data protection and privacy regulations has brought us many laws and acts. The most commonly cited are the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). The wide remit of these regulations has increased general awareness of data security issues. These regulations have also created stringent requirements that companies the world over must abide by.

One such regulation is the NY SHIELD Act. The latest update to the act includes important changes in what constitutes a data breach. Importantly, the Act also sets out a series of safeguards, including security awareness training, that can help protect private information.

The security measures inherent in data protection regulations offer important guidelines. These security measures are not just about avoiding fines and sanctions, but they can be used to prevent data breaches that have a wide-reaching impact on a business. With 15.1 billion data records breached in 2019, conforming to a regulation such as the NY SHIELD Act has never been more important.

What is the NY SHIELD Act?

The updated New York SHIELD (Stop Hacks and Improve Electronic Data Security) Act came into force on March 21, 2020, in the middle of the COVID-19 pandemic. The updated Act, with an original effective date of October 23, 2019, sets out new measures around data security requirements.

The New York SHIELD Act applies if an organization processes the private data of New York residents (both customers and employees). The NY SHIELD Act requires measures to be taken to protect the security, confidentiality, and integrity of these data.

The NY SHIELD Act defines personal information as something such as a name or some other identifier. Private information is personal information PLUS various data elements if those elements are not encrypted. This includes:

  1. Social Security number
  2. Driver’s license or other identity documents
  3. Biometric information, e.g. a fingerprint, iris image, etc.
  4. Financial data, e.g., account number, credit or debit card number (without security code), if the number could be used to access a financial account without additional identifiers
  5. Usernames or email addresses with a password or security question

Non-compliance with the act results in fines of up to $5,000 per violation, with a cap set at $250,000.

How does the NY SHIELD Act define a data breach?

The NY SHIELD Act emphasizes what constitutes a data breach event. Previously, the act described a data breach as unauthorized “acquisition” of private information. The definition of a data breach is now expanded to include unauthorized access. This presents a much wider scope for a business to deal with. The NY SHIELD Act specifically states:

“ … factors to consider include indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person."

This can mean that an employee could accidentally view or share private information.

The exception to this requires that a company proves (by way of documentary evidence) that a data breach of private information:

" … will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials."

Whatever way you approach compliance with the NY SHIELD Act, security hygiene and other security awareness training for employees is a vital baseline to work from.

Does the NY SHIELD Act specify security measures?

No security measures are mandated by the NY SHIELD Act. However, it offers examples of reasonable measures across three key business areas:


  • Administrative
  • Technical
  • Physical


Some examples taken from each of the three safeguard areas of the NY SHIELD Act include:

Administrative safeguards

  • Designate an individual(s) that is responsible for security programs
  • Conduct a risk assessment process
  • Train and manage employees in security program practices and procedures

Technical safeguards

  • Risk assess IT infrastructure components
  • Data risk assessment of information processing

Physical safeguards

  • Perform risk assessments of information storage and disposal
  • Protect against unauthorized access/use of private information

What measures can be used to help meet NY SHIELD Act compliance?

Certain key strategic measures can be used to cover many of the requirements of the NY SHIELD Act.

Risk assessments

Performing risk assessments on data and associated security measures is generally good practice. It also helps you to meet several of the requirements set out in the act. This includes “assesses risks in network and software design” and “assesses risks in information processing, transmission and storage”.

Security awareness training

One of the administrative safeguards the Act outlines is that an organization should endeavor to “train and manage employees in the security program practices and procedures”. 

According to the Verizon Data Breach Investigations Report (DBIR), 32% of data breaches involve phishing attacks. To counter human-enabled cyberattacks, NIST now recommends using security awareness training. Security awareness training packages prepare your employees for the complex nature of modern cybersecurity attacks.

Designate individual(s) to manage security programs

Placing a person(s) in charge of a security program helps to ensure security measures are effective. A security program administrator can ensure that risk assessments are carried out, security awareness training used and regular checks and tests are performed. Without administrative oversight, not only will you risk a compliance issue with the NY SHIELD Act, but you also will not have a visible driver for your security program.

Test and scan

Technical measures augment and enforce administrative and training provisions. Vulnerability testing, privacy impact assessments and automated scanning for security gaps give you the knowledge of where data breaches can occur. This intelligence can be used to find appropriate technical measures to close off gaps. Measures include multi-factor authentication (MFA) and a zero-trust security approach.

Detect and respond

As well as using appropriate security measures, proactive approaches to protecting against data breaches should include detection and response. Managed detection and response (MDR) brings security measures together using a layered approach. MDR is often provided as-a-service via a Managed Security Services Provider (MSSP). The MSSP will provide mechanisms to protect data across your extended network.


The NY SHIELD Act is one of a number of data protection laws that present challenges for organizations the world over. These challenges can be met using tried and tested measures such as risk assessments. Training your employees in the complexities of data protection and making them aware of how data breaches happen is now a fundamental part of this updated regulation.



  1. 5575B,
  2. Number of Records Exposed in 2019 Hits 15.1 Billion, RIskBased Security
  3. 2019 Summary of findings, Verizon
Susan Morrow
Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.