Covers any business holding private information about New York residents — no size threshold, no geographic exemption.
The New York SHIELD Act applies to any person or business that owns, licenses, or maintains private information about a New York resident — regardless of size, revenue, or location. A ten-person firm in Worcester with three New York clients is covered. A Connecticut manufacturer with New York territory customers is covered. There is no minimum threshold, which makes the SHIELD Act the broadest state data security law Triton’s clients encounter.
Signed in July 2019 with security requirements effective March 21, 2020, the law was meaningfully expanded in March 2025 when Governor Hochul added medical information and health insurance information to the definition of private information. That amendment brought healthcare providers, insurers, and any business holding health-related records more directly into scope than ever before.
The New York Attorney General enforces the SHIELD Act with no cure period — up to $5,000 per violation and $250,000 per enforcement action. A business that receives an AG inquiry either has compliant safeguards in place or it does not. Triton Technologies helps New England businesses close that gap before it becomes a liability.
The SHIELD Act uses a reasonable safeguards standard — not a fixed checklist. It requires businesses to implement administrative, technical, and physical safeguards appropriate to their size and the sensitivity of the data they hold. Without a documented program, “reasonable” only gets defined in hindsight, after a breach has already occurred.
Triton starts with a data discovery exercise: we identify every category of private information your organization holds — Social Security numbers, financial account data, biometric identifiers, and post-March 2025, medical and health insurance records — and map its flow through your systems and third-party processors. From that inventory, we build the three required safeguard categories: technical (MFA, encryption, access controls, vulnerability management), administrative (written security program, risk assessments, employee training, vendor agreements), and physical (device controls, access management, secure data disposal).
We calibrate the program to your actual risk profile — a financial services firm in Hartford serving New York clients faces different exposure than a retail business with a New York shipping list, and the safeguards we build reflect that difference.
The SHIELD Act carries no cure period and no minimum threshold. Any enforcement action applies the $5,000 per-violation standard from day one. A business with 500 New York customers and 20 documented safeguard gaps faces potential exposure of $100,000 in a single AG action. Building a defensible compliance program with Triton eliminates that exposure entirely at a fraction of the cost.
Triton Technologies responds to all client inquiries in under 10 minutes on average — better than 84 percent of MSPs nationally based on third-party benchmarking. For breach-related events where the SHIELD Act requires notification “in the most expedient time possible,” response speed is a legal obligation. A support queue that waits hours is not a defensible security program.
For organizations with existing IT staff, Triton offers co-managed compliance services — your team handles day-to-day operations while our specialists manage the assessment cycle, policy documentation, and incident response procedures year-round. Triton works with businesses under a professional service agreement tailored to your specific needs and environment.
Statute: N.Y. Gen. Bus. Law § 899-aa (breach notification, effective Nov. 19, 2019) and § 899-bb (security requirements, effective March 21, 2020). Amended March 2025 to add medical information and health insurance information to the definition of private information.
Applicability: Any person or business that owns or licenses computerized private information about a New York resident. No revenue threshold, no employee threshold, no geographic limitation. Post-March 2025 private information includes: Social Security numbers; driver license / non-driver ID; financial account numbers with access credentials; biometric information; username and password combinations; medical information; health insurance policy or subscriber numbers.
Required Safeguards (§ 899-bb): Administrative — designate a security coordinator, conduct risk assessments, train employees, vet third-party service providers, maintain a written information security program. Technical — assess network and software design risks, detect and prevent attacks, test and monitor security controls. Physical — protect against unauthorized physical access, secure data storage and disposal.
Enforcement: New York AG, no cure period. Up to $5,000 per violation; up to $250,000 per enforcement action for security failures. Breach notification failures: up to $20 per instance, capped at $250,000. No private right of action. Operates alongside 23 NYCRR 500 (financial services) and NY STOP Act for licensed entities subject to those regimes.
Any business holding private information about New York residents must comply — regardless of size or industry. Triton Technologies brings compliance depth across every sector.
SHIELD Act and 23 NYCRR 500 compliance for accounting firms, financial advisors, insurance agencies, and businesses serving New York financial clients.
Post-March 2025 medical and health insurance data requirements for providers and insurers with New York residents in their patient or member populations.
Written information security programs and safeguard documentation for law firms, consultants, and HR companies managing New York client data.
Data security programs and breach notification readiness for retailers and online businesses with New York customers.
SHIELD Act compliance programs for SaaS providers, app developers, and technology companies with New York user data.
Reasonable safeguard programs for non-profit organizations holding New York donor, client, or employee private information.
Third-party vendor agreements and physical safeguard programs for manufacturers with New York supply chain and customer data.
Privilege-aware data security programs and breach notification procedures for law firms representing New York clients.
Yes. The SHIELD Act applies to any business that owns or licenses private information about New York residents — regardless of where the business is located. A company in Massachusetts, Connecticut, or Rhode Island with New York customers, clients, or employees is fully covered. There is no size threshold and no geographic exemption for out-of-state businesses.
Private information under the SHIELD Act now includes: Social Security numbers; driver license or non-driver ID numbers; financial account numbers with access credentials; biometric information; username and password combinations; account numbers sufficient for financial account access without additional credentials; medical information concerning a diagnosis, treatment, or condition; and health insurance information including policy numbers and plan details. The 2025 amendment specifically added the last two categories.
The law requires reasonable administrative, technical, and physical safeguards calibrated to the size and complexity of the organization. There is no fixed checklist — but the AG can assess whether a documented program exists, whether risk assessments were conducted, whether employees were trained, and whether vendor agreements include security obligations. Triton builds programs that meet this standard and document the steps taken.
The New York AG can pursue civil penalties of up to $5,000 per violation for security failures, capped at $250,000 per enforcement action. There is no cure period — a business cannot remediate its way out of a violation once an AG inquiry has begun. Breach notification failures carry up to $20 per failed notification, also capped at $250,000. There is no private right of action.
The March 2025 amendment added medical and health insurance information to the SHIELD Act’s definition of private information, which means healthcare providers and insurers now face overlapping obligations under both laws. HIPAA has more prescriptive technical requirements; the SHIELD Act has broader applicability. Any business subject to both must meet the higher standard in each area. Triton builds programs that satisfy both simultaneously rather than managing them as separate projects.
Triton Technologies has supported businesses across New England and New York with data security compliance since 2001. Our team builds SHIELD Act safeguard programs that protect your customers and defend your business.