New York Data Security Act

In early November, New York Attorney General Eric T. Schneiderman announced the Stop Hacks and Improve Electronic Data Security Act (SHIELD). This proposed bill (S6933) is referred to as the ‘New York Data Security Act’.

The SHIELD Act has recently been introduced into the legislature in New York as a program bill and amendment to the state’s existing data security statute.

SHIELD’s aim is to protect New Yorkers’ personal information from a growing number of data breaches, and to ensure they are notified when such breaches occur.


Achieve immunity with ISO 27001 certification

SHIELD would create a safe harbor under which organizations compliant with ISO 27001 (and supported by the best-practice guidelines contained in ISO 27002) or NIST 800-53 would not be subject to prosecution by the Attorney General unless there is evidence of “willful misconduct, bad faith, or gross negligence.”

The key changes proposed by the SHIELD Act

Under the SHIELD Act, organizations would have a legal responsibility to handle the sensitive data of New York residents in keeping with administrative, technical, and physical safeguards.

The administrative safeguards include:

  • Designating employees to coordinate a security program
  • Identifying internal and external risks
  • Assessing the sufficiency of safeguards to control risks
  • Training employees in security practices
  • Selecting capable service providers
  • Adjusting the security program with changes in the business

The technical safeguards include:

  • Assessing risks in software and network design
  • Assessing risks in information processing, transmission, and storage
  • Detecting, preventing, and responding to incidents or system failure
  • Testing and monitoring systems, controls, and procedures

The physical safeguards include:

  • Assessing risks of information storage and disposal
  • Detecting, preventing, and responding to intrusions
  • Protecting against unauthorized access or use of private information
  • Reasonably disposing of private information after it is no longer needed


Who does the SHIELD Act apply to?

The SHIELD Act will apply to all companies handling the sensitive personal data of New York residents, whether they do business in New York or not.


Penalties under the SHIELD Act

Failure to comply with the legislation could result in a civil suit and penalties under the General Business Law of up to $5,000 per violation, or $20 per instance of failed notification, up to a maximum of $250,000.


How IT Governance can help

IT Governance has wide-ranging information security expertise to help organizations achieve compliance with the international information security standard, ISO 27001 (and ISO 27002).

We offer a comprehensive suite of information resources, solutions, and consultancy services.



Contact us today to discuss your compliance requirements by emailing or calling 877 317 3454.