How to gain Safe Harbor with the New York Data Security Act

In early November, New York Attorney General Eric T. Schneiderman announced the Stop Hacks and Improve Electronic Data Security Act (SHIELD). This proposed bill (S6933) is cited as the “New York Data Security Act”. The amendment:

  • Updates existing law terms
  • Addresses gaps in the existing New York State data security statute
  • Includes a safe-harbor provision, which adds a layer of protection to companies that hold NYS data security certification

Any organization that maintains the private data of NYS residents is required to establish specific administrative, technical, and physical safeguards.

Administrative safeguards

  • Identifying risks (internal and external)
  • Providing cybersecurity training and awareness
  • Conducting information security audits

Technical safeguards

  • Assessing software and network design risks
  • Evaluating information processing, transmission, and storage risks
  • Discovering, preventing, and responding to cyber incidents

Physical safeguards

  • Assessing information storage and disposal risks
  • Detecting, preventing, and responding to intrusions
  • Safeguarding against unauthorized users’ access to information and physical locations

SHIELD provides safe harbor to certified compliant entities

SHIELD defines “certified compliant entities” as any organization that complies with federal or NYS cybersecurity laws, e.g. the NYDFS Cybersecurity Regulation or the Health Insurance Portability and Accountability Act.

These organizations will most likely have an ISO 27001- and/or NIST 800-5-accredited information security management system (ISMS) in place that is certified by an authorized third-party organization. If the company holds independent certification against the ISO and/or NIST standards, it should receive safe harbor.

Certified compliant entities will receive immunity from specific state enforcement actions, even if they violate certain statutes. However, if an organization demonstrates willful misconduct, actions of bad faith, or gross negligence, it will be held accountable and not benefit from safe harbor.

How to gain protection under safe harbor

In order to take advantage of SHIELD’s safe harbor provision, an organization must ensure it has an adequate, certified information security framework in place. There are a few frameworks that will help your organization to establish safe harbor, including ISO 27001.

Although implementing an ISMS is an investment of time and resources, safe harbor helps to mitigate risks, alleviate costs, and reduce the chance of attorney general enforcement litigation.

Ensure your organization complies with SHIELD

SHIELD is scheduled to take effect on January 1, 2018 with reporting due 120 days from that date on May 1, 2018. With safe harbor a major incentive, every organization affected by SHIELD – or any other state or federal cybersecurity regulation – should implement an ISO 27001-accredited ISMS.

ISO 27001 is the international standard that defines best practice for an ISMS. An ISMS that conforms to ISO 27001 will help an organization strengthen its security efforts, mitigate data breach risk, and become more efficient. Specific outcomes from adopting ISO 27001 for your ISMS include:

  • Protecting your reputation
  • Meeting client cybersecurity needs
  • Avoiding fines and financial penalties
  • Meeting international data security laws
