Who must comply with the NYS SHIELD Act?

  • March 4, 2020
  • Elisa Silverglade
  • 2 min read

The NYS SHIELD Act broadly requires compliance by “any person or business” that owns or licenses computerized data that contains private information of a New York State resident”.

If you collect a person’s name and address, in addition to a SS or DL number, then you are collecting private information.

It’s important to note is that SHIELD applies regardless of a company’s size or where it’s offices are located. It applies to for-profit companies as well as not-for-profit organizations. And, the Private data that SHIELD covers can be customer data or employee data.

One important takeaway here, is that almost every business with NY State employees must comply with SHIELD.

There are no exemptions or exceptions to the NYS Shield ACT, however there is some flexibility in the law which can make things more manageable for smaller businesses.

A smaller business is defined as one that has: fewer than 50 employees, less than $3 million in gross annual revenue in each of the last 3 fiscal years, or has less than $5 million in year-end total assets.

These businesses may scale their data security program according to their size, and according to the nature and sensitivity of the data they collect.

Additionally, organizations that are already covered by and in compliance with the GLBA, HIPAA/HITEC, or NYS DFS – are considered to be in compliance with the SHIELD Act. Firms regulated by these laws need not do anything else.

One conclusion to draw is that SHIELD will have the biggest impact on industries that are currently un-regulated. NYS Professional services, tax professionals, Real Estate companies, and other industries must now invest more resources into protecting the sensitive information they collect.

While investing resources in a cyber security program that was not required before can feel like a burden for some businesses, the SHIELD ACT is considered a very good step towards protecting NYS residents from becoming the victims of a cyber security attack.

In our next video, we’ll dig a little deeper into what types of data need to be protected according to the NYS SHEILD Act.

Thank you.