New York SHIELD Act: What Businesses Must Know About Data Disposal

New York SHIELD Act data disposal - state law compliance for businesses

In March 2020, New York State significantly strengthened its data protection laws with the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. For New York businesses, the SHIELD Act represented a major expansion of obligations around how private information is collected, stored, and — critically — disposed of. Unlike previous laws that were narrowly focused on specific industries, the New York SHIELD Act data disposal requirements apply to virtually every business that handles information about New York residents, regardless of company size or industry.

Many business owners in New York City, Long Island, and Westchester County are still unaware of how the SHIELD Act’s disposal requirements translate to their everyday document management practices. This post breaks down exactly what the law demands, what “reasonable” disposal means, and why certified document shredding is the most reliable way to meet your SHIELD Act obligations.

What Is the New York SHIELD Act?

The SHIELD Act amended New York’s existing data breach notification law (General Business Law Section 899-aa) and added a new section requiring businesses to implement reasonable data security measures. The key expansions included:

  • Broadening the definition of “private information” to include biometric information, username/password combinations, and more
  • Extending the law’s reach to ANY business that owns or licenses computerized data about New York residents — not just businesses physically located in New York
  • Mandating reasonable administrative, technical, and physical safeguards for private information
  • Explicitly including proper disposal and deletion as part of required security measures

The law recognizes that data security doesn’t end when information is no longer needed — the manner in which you dispose of private information is just as important as how you store it. Visit our compliance resources for more information on New York’s regulatory landscape.

What Counts as “Private Information” Under the SHIELD Act?

Understanding what information triggers SHIELD Act disposal obligations is essential. The law defines private information broadly as any information that, combined with a New York resident’s name, could be used to harm that person. This includes:

  • Social Security number
  • Driver’s license or state ID number
  • Account number plus any security code or password that would allow access to a financial account
  • Credit or debit card number plus any security code
  • Biometric information (fingerprints, voice prints, retina scans)
  • Username or email address combined with a password that would permit access to an online account
  • Medical or health insurance information (when combined with other identifying information)

Consider how many of your daily business documents contain this type of information: employee onboarding forms with SSNs, customer credit applications, medical insurance enrollment forms, vendor contracts with financial account details. Each of these is subject to the SHIELD Act’s disposal requirements.

SHIELD Act Disposal Requirements: What “Reasonable” Means

The SHIELD Act requires “reasonable” disposal of private information — meaning rendering it unreadable, indecipherable, and unrecoverable. While the law doesn’t mandate a specific method, it provides guidance that effective measures might include:

  1. Shredding — Cross-cut or micro-cut shredding of paper documents
  2. Erasing — Secure, certified erasure of electronic data using methods that prevent recovery
  3. Destruction — Physical destruction of digital media (hard drives, USBs, CDs) so data cannot be retrieved

Simply throwing documents in a recycling bin — even in the secure recycling bins many offices use — does NOT meet the SHIELD Act’s disposal standard. Paper in a recycling bin can be retrieved and read by anyone who accesses it. Only shredding before recycling satisfies the requirement that information be rendered unreadable.

New York Shredding provides certified shredding services specifically designed to satisfy New York SHIELD Act requirements, including a Certificate of Destruction documenting every destruction event.

Who Must Comply and What Are the Penalties?

If your business owns, licenses, or maintains computerized data including private information of ANY New York resident, the SHIELD Act applies to you — even if your business is based in another state. This is a critical point that catches many businesses off guard.

The New York Attorney General has enforcement authority over SHIELD Act violations. Penalties include:

  • Civil penalties of up to $5,000 per violation for failure to implement reasonable security measures
  • Civil penalties of up to $20 per instance of failed notification (with a cap of $250,000) for data breach notification violations
  • Potential class action lawsuits from affected consumers
  • Reputational damage and business disruption costs

Small businesses are not exempt, though the law does provide that a small business (fewer than 50 employees, less than $3 million in gross annual revenue in the last three years, or less than $5 million in year-end total assets) may implement a security program that is appropriate given its size and complexity.

NY SHIELD Act Shredding Requirements: Building Compliance

Meeting your NY SHIELD Act shredding requirements doesn’t have to be complicated. Here’s a practical approach for New York businesses:

  1. Audit your documents — Identify all documents and records that contain private information as defined by the SHIELD Act
  2. Establish a retention policy — Determine how long each document type needs to be kept; consult with legal counsel for industry-specific requirements
  3. Implement secure destruction — Partner with a certified shredding company for both paper documents and electronic media
  4. Document everything — Maintain Certificates of Destruction to prove compliance; these are your evidence in any regulatory audit or legal proceeding
  5. Train employees — Ensure all staff understand disposal requirements and have easy access to secure disposal options (locked shredding consoles)
  6. Review and update annually — Laws evolve; review your disposal policies annually with legal counsel

New York Shredding Document Destruction, Inc. can help you build a complete SHIELD Act-compliant disposal program, from deploying locked consoles throughout your New York area office to scheduled shredding pickups and Certificate of Destruction documentation. Contact us today to discuss your compliance needs.

Why New York Businesses Choose New York Shredding

For over a decade, New York Shredding Document Destruction, Inc. has helped businesses across New York City, Long Island, Westchester, and the Hudson Valley protect their sensitive information through certified, HIPAA-compliant shredding services. Our industrial-grade shredding equipment, locked on-site consoles, and Certificate of Destruction give your business the proof it needs for any compliance audit.

Whether you need scheduled shredding, a one-time purge, or hard drive destruction, we serve all five boroughs and surrounding areas with fast, reliable service. Request a free quote today and get your office on a shredding schedule that keeps you protected year-round.

Ready to get started? Contact New York Shredding for a free quote, or explore our full range of shredding services.
