Understanding the SHIELD Act in New York: What Businesses Need to Know

Summary

As a business, it is prudent to have a clear understanding of the SHIELD Act in New York.

Press Release

New York, 18th September 2025: One of the most urgent issues facing contemporary businesses is data breaches. Legislators have taken action to make sure businesses handle data responsibly because personal information is continuously being gathered, stored, and shared. To improve consumer protection and hold companies responsible for protecting sensitive data, the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) was introduced in New York. Understanding the SHIELD Act is essential for businesses that serve or operate in New York in order to stay out of trouble and keep the trust of their clients.

New York’s current data breach notification laws have been greatly expanded by the SHIELD Act, which went into effect in March 2020. Its main objective is to make sure companies implement appropriate security measures to protect New Yorkers’ private information.

According to a spokesperson of COMPCITI Business Solutions Inc., the SHIELD Act has a wide scope, in contrast to certain laws that only apply to businesses that are physically based in a state. Its provisions must be followed by any company, regardless of location, that gathers or retains the private information of New Yorkers.

The definition of “private information” is expanded by the SHIELD Act. It now covers biometric information, usernames, password-protected email addresses, security questions and answers, Social Security numbers, and financial account information. In a time when digital threats are on the rise, this broader scope guarantees people better protection.

In the past, businesses were only obligated to alert people if an unauthorized party actually obtained private information. Under the SHIELD Act, notification is required even if private information wasn’t stolen but was simply accessed by an unauthorized party. Businesses now have an increased obligation to respond promptly and openly in the event of a possible breach.

The SHIELD Act’s mandate that companies use “reasonable” data security measures is arguably its most important feature. Three main areas are covered by these safeguards:

Administrative protections include system monitoring, security responsibility assignment, and employee training.

Technical protections include intrusion detection systems, data encryption, and routine risk assessments.

Physical protections include secure disposal of records and prevention of unauthorized physical access.

Businesses need to show that they are protecting sensitive data proactively.

Regardless of where they are based, all companies that gather or keep private information about New Yorkers are subject to the SHIELD Act. For small businesses, it does offer some flexibility, though. Businesses that employ fewer than 50 people, generate less than $3 million in gross yearly revenue, or have less than $5 million in total assets are permitted to scale their security measures in accordance with their complexity and size.