SHIELD Act Compliance for New York Businesses: Reasonable Safeguards and Breach Notification

The SHIELD Act has been in effect since 2020, and it still catches businesses by surprise. Companies headquartered in California, Texas, and Illinois are subject to it if they hold a single New York resident’s private information. Single-employee consulting practices in upstate New York are subject to it. The mistake most companies make is not the absence of any data security at all, but the assumption that whatever security they have already meets the law’s “reasonable safeguards” standard. The Attorney General’s recent enforcement actions, including settlements ranging from $60,000 to nearly $3 million in the past two years, suggest that assumption is often wrong. A New York business law attorney auditing SHIELD Act compliance typically finds gaps even at companies that believed they were covered, and the December 2024 and March 2025 amendments expanded the scope further.

Here is what the law actually requires, where the gaps tend to sit, and what an audit should cover.

What Triggers SHIELD Act Coverage

The SHIELD Act, codified at New York General Business Law §§ 899-aa and 899-bb, applies to any person or business that owns, licenses, or maintains computerized data containing the “private information” of a New York resident, regardless of where the business is located or whether it does business in New York at all. A single New York customer in a database is enough.

“Private information” is defined as personal information combined with one or more specific data elements:

  • Social Security numbers
  • Driver’s license or non-driver ID numbers
  • Account numbers, credit card numbers, or debit card numbers, in combination with any required security code, access code, or password, or on their own if the number alone would permit access to the account
  • Biometric information
  • Username or email address combined with password or security question answer
  • Medical information including diagnoses, treatments, and conditions, added effective March 21, 2025
  • Health insurance information including policy numbers, subscriber IDs, and claims history, added effective March 21, 2025

The expansion of the definition to include medical and health insurance information in March 2025 pulled a substantial number of healthcare-adjacent businesses into coverage that previously believed they were outside the Act’s reach. Entities already regulated under HIPAA are deemed compliant with the safeguards requirement, but they still owe notice to the Attorney General when they send a HIPAA breach notification, so HIPAA coverage is not a complete exit from the statute.

The Reasonable Safeguards Requirement

Every covered entity must develop, implement, and maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of private information. The statute lists specific elements that satisfy the “reasonable safeguards” standard.

Administrative safeguards include designating one or more employees to coordinate the security program, identifying reasonably foreseeable internal and external risks, assessing the sufficiency of existing safeguards, training employees on security practices, selecting capable service providers and requiring contractual safeguards, and adjusting the program in light of business changes.

Technical safeguards include assessing risks in network and software design, assessing risks in information processing, transmission, and storage, detecting, preventing, and responding to attacks and system failures, and regularly testing and monitoring the effectiveness of key controls.

Physical safeguards include assessing risks of information storage and disposal, detecting, preventing, and responding to intrusions, protecting against unauthorized access to or use of private information during or after collection, transportation, and disposal, and disposing of private information within a reasonable time after it is no longer needed for business purposes, by erasing electronic media so that the information cannot be read or reconstructed.

A business is deemed compliant with the safeguards requirement if it is subject to and in compliance with HIPAA, the Gramm-Leach-Bliley Act, NYDFS Cybersecurity Regulation 23 NYCRR Part 500, or the data security rules of another federal or New York state agency. Companies regulated by these regimes do not need a duplicate SHIELD Act safeguards program, but they should document the basis for the deemed compliance, and the deeming covers only the safeguards requirement, not the breach notification obligations in § 899-aa.

The Small Business Exception Most Companies Miss

A “small business” under the SHIELD Act is any person or business meeting any one of the following criteria: fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets calculated under GAAP.

Small businesses are not exempt from the safeguards requirement. They are required to implement administrative, technical, and physical safeguards appropriate for the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the information collected. The compliance bar is calibrated to the risk profile rather than eliminated.

The mistake many small businesses make is treating the small business exception as a pass on having any documented security program at all. Recent enforcement actions, including the 2025 settlement against Wojeski & Company, an accounting firm fined $60,000 after waiting 18 months to notify ransomware victims, demonstrate that small business status does not protect against significant penalties when the safeguards in place are clearly inadequate or notification obligations are ignored.

Breach Notification Timing and What a New York Business Law Attorney Watches

A “breach” under the SHIELD Act includes both unauthorized acquisition of and unauthorized access to computerized data containing private information. The 2019 amendments expanded the definition from acquisition only, which means that incidents producing exposure without confirmed exfiltration now trigger notification analysis. In deciding whether access occurred, the statute points to indications that the information was viewed, communicated with, used, or altered by a person without valid authorization, so access logs showing that records were opened matter even when nothing was downloaded.

Notification obligations under the December 2024 amendments include several specific deadlines and recipients.

Affected New York residents must be notified in the most expedient time possible and without unreasonable delay, with a maximum of 30 days after discovery of the breach added by the December 2024 amendments. This eliminated the prior allowance for taking whatever time was needed to determine the scope of the breach and restore system integrity before sending notice. The only remaining basis for delay is a law enforcement determination that notification would impede a criminal investigation.

The notification must include a description of the categories of information accessed or acquired, contact information for the business, telephone numbers and websites of relevant state and federal agencies, and the approximate date of the breach.

The Attorney General, the Department of State, the State Police, and now the Department of Financial Services must each receive notice when affected New York residents are notified, with a single submission through the Attorney General’s portal generally satisfying the multi-agency requirement.

If more than 5,000 New York residents are affected, the major consumer reporting agencies must also be notified.

The “harm” exception is narrower than many businesses assume. It applies only where the exposure was an inadvertent disclosure by a person already authorized to access the private information, and the business reasonably determines that the exposure is not likely to result in misuse of the information, financial harm to the affected persons, or emotional harm in the case of online credentials. The determination must be documented in writing and retained for at least five years. If the incident affects more than 500 New York residents, the written determination must be provided to the Attorney General within 10 days of the determination. An external intrusion does not qualify for this exception regardless of how limited the exposure appears.

Penalties and Recent Enforcement

The Attorney General can seek injunctive relief, restitution, and civil penalties. For failure to provide timely notification, the court may award the actual costs or losses, including consequential financial losses, incurred by persons who should have been notified. Where the violation was knowing or reckless, the court may also impose a civil penalty of the greater of $5,000 or up to $20 per instance of failed notification, capped at $250,000. For failure to maintain reasonable safeguards, penalties run up to $5,000 per violation with no statutory cap on aggregate exposure.

Recent settlements demonstrate how those numbers actually translate. Albany ENT & Allergy Services paid $500,000 plus a separate $2.25 million for inadequate security practices that exposed patient medical data. Root Insurance paid $975,000 in 2025 after a vulnerability exposed 45,000 New Yorkers’ driver’s license numbers used for fraudulent unemployment claims. National Amusements paid $250,000 for failing to protect employee personal information.

Neither the safeguards requirement in GBL § 899-bb nor the breach notification statute in GBL § 899-aa creates a private right of action; the damages for actual costs or losses under § 899-aa are recovered by the Attorney General on behalf of affected individuals. Breach incidents nonetheless routinely produce class action exposure under common-law negligence and breach of contract theories.

Practical Steps for Compliance

A meaningful SHIELD Act audit covers several specific elements. Map the categories of private information your business holds and identify whether any belongs to New York residents. Document the administrative, technical, and physical safeguards already in place against the statutory list of required elements. Review service provider contracts for required safeguard provisions. Verify that an incident response plan exists, identifies the agencies that must be notified, and has been tested. Confirm employee training on security practices is current. Audit data retention and disposal practices against the requirement to dispose of information within a reasonable time after it is no longer needed.

For companies near the small business thresholds, document the basis for that classification and the corresponding scaled safeguards. For companies subject to HIPAA, GLBA, or NYDFS Part 500, document the deemed compliance basis.

When to Bring in a New York Business Law Attorney

SHIELD Act compliance crosses corporate, employment, healthcare, and cybersecurity law in ways that generic data privacy templates do not address well. A New York business law attorney conducting a compliance review can identify the gaps before they become Attorney General settlements, draft the policies and service provider language that hold up under enforcement scrutiny, and run breach response in real time when an incident occurs.

The Mundaca Law Firm advises New York businesses on data security compliance, breach response, and the broader regulatory issues that surface alongside them. If your company holds private information of New York residents and your security program has not been reviewed under the current SHIELD Act framework and the 2024 and 2025 amendments, a compliance review now is significantly less expensive than the consequences of an Attorney General investigation or a class action following a breach.