New York SHIELD Act: What Every Business Needs to Know About Data Protection

In March 2020, New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act took full effect, significantly expanding the data security obligations for businesses that handle private information about New York residents. Unlike many state data security laws that apply only to large corporations, the New York SHIELD Act business data protection requirements apply to any business — regardless of size or location — that holds private information about New York residents. That means a small business owner in Brooklyn, a law firm in White Plains, a dental practice in Nassau County, or a retailer on Long Island all have specific legal obligations under this law. And those obligations extend beyond digital security to include the proper physical destruction of paper records containing private information.

This guide breaks down what the SHIELD Act requires, which businesses are covered, how it relates to document shredding, and what steps New York businesses need to take now to achieve and maintain SHIELD Act compliance.

What Is the New York SHIELD Act?

The SHIELD Act (signed into law in 2019, fully effective March 2020) expanded New York’s existing data breach notification law and added significant new data security program requirements. The key provisions affecting physical document security include:

  • Expanded definition of “private information”: Now includes biometric data, username/password combinations, financial account numbers, and Social Security numbers — much broader than the previous definition.
  • Reasonable data security program requirement: Any business that owns or licenses computerized data containing private information about New York residents must implement and maintain a data security program with “reasonable” administrative, technical, and physical safeguards.
  • Physical safeguards include document disposal: The law specifically calls out the proper disposal of physical records as a required element of a compliant security program.
  • Expanded breach notification requirements: Broader definition of what constitutes a “breach” requiring notification, including exposure of physical records.

Visit our compliance page for information on how professional shredding fits into your SHIELD Act program.

Who Must Comply with the SHIELD Act?

One of the most important — and often misunderstood — aspects of the SHIELD Act is its broad applicability. Any business that owns, licenses, or maintains private information about New York residents must comply, even if the business itself is not located in New York. For New York-based businesses, this means essentially every company that has customers, employees, or vendors in New York state.

There is a limited accommodation for smaller businesses: the SHIELD Act allows companies with fewer than 50 employees, less than $3 million in gross annual revenue, or less than $5 million in year-end total assets to implement a security program that is “reasonable” for their size and complexity. But this doesn’t mean small businesses are exempt — it simply means the bar for what constitutes “reasonable” security is calibrated to their resources.

Key covered business types in New York include:

  • Retail and e-commerce businesses
  • Healthcare providers and health services companies
  • Professional services firms (law, accounting, consulting)
  • Financial services and insurance companies
  • Real estate businesses
  • Educational institutions
  • Non-profits and government contractors

SHIELD Act Physical Safeguards: What Businesses Must Do

The SHIELD Act’s physical safeguard requirements are directly relevant to document shredding. The law requires covered businesses to implement “reasonable physical safeguards,” which the statute describes as including:

  • Assessment of physical risks including unauthorized access to physical records
  • Detection and prevention of unauthorized access to physical records
  • Proper disposal of private information at the end of its useful life

On the disposal requirement, the SHIELD Act aligns with FACTA and other federal regulations: private information on physical media — paper records, printed reports, physical files — must be destroyed in a manner that renders it unreadable and irrecoverable. Shredding is the gold standard for paper documents. This means:

  1. Simply throwing documents in the trash or recycling bin does NOT constitute proper disposal under the SHIELD Act
  2. Consumer-level strip-cut shredding, while better than nothing, may not constitute “reasonable” disposal in all contexts
  3. Industrial cross-cut or micro-cut shredding by a certified vendor is the safest approach

When you use a professional document shredding service, you receive a Certificate of Destruction documenting that you have met this requirement.

SHIELD Act Penalties and Enforcement

The New York Attorney General enforces the SHIELD Act. Civil penalties for violations can include:

  • Up to $5,000 per failure to notify affected individuals of a data breach
  • Up to $20 per instance of failure to disclose a breach, with a maximum of $250,000 for a single breach
  • Injunctive relief requiring businesses to implement compliant security programs
  • Attorney General investigations, which themselves create significant costs in legal fees and operational disruption

Beyond state enforcement, SHIELD Act violations can also create civil liability. Customers, employees, or other individuals whose private information is exposed may have grounds for civil claims.

Integrating Document Shredding Into Your SHIELD Act Compliance Program

Building a SHIELD Act-compliant physical data security program doesn’t have to be complicated. Here’s a practical approach for New York businesses:

  1. Conduct a data inventory: Identify all physical records containing private information — where they’re stored, who has access, and how long they’re retained.
  2. Implement a document retention schedule: Determine how long each category of records must be kept (considering both legal requirements and business needs), then establish a destruction schedule.
  3. Deploy locked secure consoles: Place locked shredding consoles throughout your office so employees can securely dispose of documents awaiting destruction.
  4. Engage a certified shredding vendor: Partner with a NAID-certified shredding company that provides Certificates of Destruction and signs a data security agreement.
  5. Train employees: Ensure all staff understand what constitutes private information and how it must be handled and disposed of.
  6. Document everything: Keep records of your security program, shredding schedule, and Certificates of Destruction as evidence of your compliance efforts.

View our service area to confirm we serve your New York location, then contact us for a free consultation on implementing a SHIELD Act-compliant shredding program.

Why New York Businesses Choose New York Shredding

For over a decade, New York Shredding Document Destruction, Inc. has helped businesses across New York City, Long Island, Westchester, and the Hudson Valley protect their sensitive information through certified, HIPAA-compliant shredding services. Our industrial-grade shredding equipment, locked on-site consoles, and Certificate of Destruction give your business the proof it needs for any compliance audit.

Whether you need scheduled shredding, a one-time purge, or hard drive destruction, we serve all five boroughs and surrounding areas with fast, reliable service. Request a free quote today and get your office on a shredding schedule that keeps you protected year-round.

Ready to get started? Contact New York Shredding for a free quote, or explore our full range of shredding services.
