


New York SHIELD Act Compliance

New York's SHIELD Act requires businesses to protect private information with reasonable safeguards.
Learn how ImmuniWeb helps you meet its technical-safeguards requirements.

Read Time: 8 min. Updated: July 8, 2025


What Is the New York SHIELD Act?

The SHIELD Act broadened New York's breach-notification obligations (Section 899-aa) and, for the first time, imposed an affirmative data-security requirement (Section 899-bb): any business holding the private information of New York residents must develop, implement and maintain reasonable safeguards to protect that information.

The Act describes administrative, technical and physical safeguards. Its technical-safeguards examples include assessing risks in network and software design and regularly testing and monitoring the effectiveness of key controls.

See how ImmuniWeb helps you meet the SHIELD Act's reasonable technical safeguards by testing and monitoring the applications that hold private information. Request a demo or run a free Community Edition test.

Who Must Comply with SHIELD Act?

The SHIELD Act applies to:

  • Any person or business that owns or licenses computerized private information of New York residents.
  • Businesses outside New York that hold the private information of NY residents (extraterritorial reach).
  • Any sector and size, with a lighter-touch standard for small businesses: their safeguards need only be appropriate to their size and complexity, the nature and scope of their activities, and the sensitivity of the information they hold.

Any business running web and mobile applications that hold private information of NY residents must secure and test them.

Key SHIELD Act Requirements for Application Security

Application security sits within the reasonable technical safeguards of Section 899-bb:

  • Assess risks in software design: assess risks in network and software design and in information processing, transmission and storage.
  • Detect, prevent and respond: detect, prevent and respond to attacks or system failures.
  • Test and monitor key controls: regularly test and monitor the effectiveness of key controls, systems and procedures.

SHIELD Act Security Requirements in Depth

Section 899-bb - Reasonable Technical Safeguards

Section 899-bb expects businesses to assess risks in network and software design and to detect, prevent and respond to attacks. Penetration testing and vulnerability scanning of web and mobile applications are practical ways to assess software-design risks and validate that controls hold against real attacks.

Testing and Monitoring Key Controls

The Act specifically calls for regularly testing and monitoring the effectiveness of key controls, systems and procedures. Continuous scanning and periodic penetration testing, with attack-surface monitoring, operationalise this expectation.

Common Web & Mobile Application Risks to Address

The application risks the SHIELD Act expects you to address map closely to the OWASP Top 10:

  • Broken Access Control — users reaching data or actions they should not.
  • Cryptographic Failures — weak or missing encryption exposing sensitive data.
  • Injection — SQL, command or other injection via unvalidated input.
  • Insecure Design — missing security controls by design, not just by bug.
  • Security Misconfiguration — default, incomplete or unsafe configuration.
  • Vulnerable & Outdated Components — unpatched libraries and frameworks.
  • Identification & Authentication Failures — weak login, session or credential handling.
  • Software & Data Integrity Failures — untrusted updates, insecure CI/CD pipelines.
  • Security Logging & Monitoring Failures — attacks going undetected.
  • Server-Side Request Forgery (SSRF) — the server tricked into making malicious requests.

For mobile apps, the OWASP Mobile Top 10 is the equivalent reference (insecure data storage, insecure communication, weak cryptography, and so on). Reliably finding these issues requires testing the running application, not just a documentation review.

How to Approach SHIELD Act Application Security with ImmuniWeb

  1. Map your exposure. Inventory internet-facing apps holding private information with ImmuniWeb Discovery.
  2. Test web applications with On-Demand (penetration testing) and Neuron (scanning).
  3. Test mobile applications with MobileSuite and Neuron Mobile.
  4. Test key controls regularly and remediate with actionable, zero-false-positive reports.
  5. Keep testing continuously with Continuous in CI/CD.
  6. Monitor for leaks with Discovery dark-web monitoring.

How ImmuniWeb Helps You Achieve SHIELD Act Compliance

ImmuniWeb helps businesses implement and evidence the reasonable technical safeguards Section 899-bb requires.

Requirement                   | What it requires                                   | ImmuniWeb products
Assess software-design risks  | Identify vulnerabilities in apps and software.     | On-Demand, Neuron, Discovery
Detect & respond              | Detect, prevent and respond to attacks.            | Neuron, Continuous, Discovery
Test key controls             | Regularly test and monitor control effectiveness.  | On-Demand, Neuron, MobileSuite, Neuron Mobile

ImmuniWeb On-Demand and MobileSuite deliver web and mobile penetration testing; Neuron and Neuron Mobile provide automated scanning; Continuous embeds testing into CI/CD; and Discovery maps your attack surface and monitors the dark web - evidencing the SHIELD Act's reasonable technical safeguards.

SHIELD Act vs International Frameworks

If you already work to international standards, the same ImmuniWeb testing supports all of them:

Framework              | Application-security angle                 | How ImmuniWeb maps
New York SHIELD Act    | Reasonable technical safeguards (899-bb)   | Web/mobile pentest, scanning, ASM, dark-web monitoring
California CCPA        | Reasonable security                        | Same testing supports both
NYDFS Part 500         | 500.5 pentest + assessments                | Same testing supports both
ISO/IEC 27001          | Annex A technical controls                 | Testing as control evidence

Penetration Testing vs Security Scanning

Both are needed. Automated scanning (DAST) gives broad, frequent coverage and is ideal for continuous testing in CI/CD; manual penetration testing finds business-logic and complex vulnerabilities that scanners miss and produces the depth auditors and regulators expect. Combine continuous scanning with periodic manual penetration testing, and re-test after significant changes.

Compliance Checklist (Application Security)

  • Inventory of internet-facing apps holding private information
  • Web applications tested against the OWASP Top 10
  • Mobile applications tested against the OWASP Mobile Top 10
  • Software-design risks assessed and addressed
  • Key controls regularly tested and monitored
  • Findings remediated and re-tested; records retained
  • Breach-notification process and exposure monitoring in place

Why SHIELD Act Compliance Matters

The SHIELD Act is enforced by the New York Attorney General, who can seek civil penalties for failures to maintain reasonable safeguards or to notify breaches; Section 899-bb creates no private right of action. Because it applies to any business holding NY residents' private information, its reach is broad, extending well beyond New York-based companies.

Because web and mobile applications are a leading breach vector, demonstrably testing and monitoring them is one of the clearest ways to meet the SHIELD Act's reasonable technical safeguards.

Frequently Asked Questions

  • Q: What is the New York SHIELD Act?
    A: The Stop Hacks and Improve Electronic Data Security Act (2019), which expanded New York's breach-notification law and added a data-security requirement (GBL 899-bb).
  • Q: Who enforces the SHIELD Act?
    A: The New York Attorney General.
  • Q: Who must comply with the SHIELD Act?
    A: Any person or business that owns or licenses computerized private information of New York residents, including businesses outside New York.
  • Q: What does Section 899-bb require?
    A: Reasonable administrative, technical and physical safeguards, including assessing software-design risks and regularly testing and monitoring the effectiveness of key controls.
  • Q: Does the SHIELD Act require security testing?
    A: The Act does not name specific tests; its reasonable-technical-safeguards standard is met in practice through penetration testing, vulnerability scanning and monitoring of systems holding private information.
  • Q: How does ImmuniWeb help with SHIELD Act compliance?
    A: By testing and securing the web and mobile applications that hold private information and by monitoring the attack surface for exposure.