How to comply with SHIELD act?

Aug 28, 2019

Max 10min read

Do you store personal data of New York residents? New York has enacted the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which amends the state's breach notification law and broadens both the scope of what counts as sensitive information and the requirements for protecting it. To meet those requirements you need an information security program in place. Need help with that?

What's the name of the bill?

Senate Bill S5575B (ACTIVE)

Who does it apply to?

Any person or business that owns or licenses computerized data containing private information of New York residents.


Starting in October 2019, the companion act on identity theft prevention and mitigation services takes effect. It requires companies that suffer a breach involving Social Security numbers to provide the affected customers with identity theft prevention and mitigation services. The SHIELD Act's data security requirements take effect on March 21, 2020, so you still have time to prepare. Ask UnderDefense security experts for advice.

What has changed? 

The definition of a breach was broadened: it now covers unauthorized access to private information, not only its acquisition, so an intruder merely viewing the data can trigger notification duties. Learn more about vCISO support to get prepared for the changes.

Is it similar to any other privacy laws?

Last year the GDPR (General Data Protection Regulation) came into force in Europe to protect personal data from unauthorized disclosure. Regulators have already issued large fines for violations:

📌British Airways: £183 million (proposed)
📌Marriott: around £99 million (proposed)
📌World Trade Center Bucharest: about €15 thousand

UnderDefense advises that it is better to assess yourself before a breach happens and take proactive measures than to pay fines afterwards.

The chart below shows what companies in the USA paid after suffering a breach in 2019. According to the IBM and Ponemon Institute study, the health care and financial industries were among the most heavily targeted and had the greatest difficulty retaining customers after a breach.

[Figure: 2019 data breach cost statistics by industry, USA]
Source: IBM and the Ponemon Institute’s annual “Cost of a Data Breach” report

Coming back to the SHIELD Act, a business that is already regulated by, and has notified affected individuals under, another regime (e.g., HIPAA, NYDFS 23 NYCRR Part 500, or the Gramm-Leach-Bliley Act) is not required to notify affected New York residents a second time. However, it still has to notify the New York Attorney General, the New York State Department of State Division of Consumer Protection, and the New York State Division of State Police. We are here to help if it gets too complicated.

With this law New York State is signalling the importance of privacy and data security.

An organization must comply with the SHIELD Act whenever it holds private information of a New York State resident, regardless of whether it does business in New York.

To avoid fines and the loss of client trust, UnderDefense recommends reviewing your data breach prevention and response activities, building a robust data protection program, and investing in a written information security program (WISP).
