New York SHIELD Act Compliance
New York's SHIELD Act requires businesses to protect private information with reasonable safeguards.
Learn how ImmuniWeb helps you meet its technical-safeguards requirements.
What Is the New York SHIELD Act?
The SHIELD Act (Stop Hacks and Improve Electronic Data Security Act, signed in 2019) amended New York General Business Law in two ways. It broadened the breach-notification obligations of Section 899-aa: "private information" now includes account credentials and biometric data, and a "breach" now covers unauthorized access, not only unauthorized acquisition. And, for the first time, it imposed an affirmative data-security requirement (Section 899-bb): any business that owns or licenses computerized data including the private information of New York residents must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of that information.
The Act describes administrative, technical and physical safeguards. Its technical-safeguards examples include assessing risks in network and software design and regularly testing and monitoring the effectiveness of key controls.
See how ImmuniWeb helps you meet the SHIELD Act's reasonable technical safeguards - testing and monitoring the applications that hold private information. Request a demo or run a free Community Edition test.
Who Must Comply with the SHIELD Act?
The SHIELD Act applies to:
- Any person or business that owns or licenses computerized data including the private information of a New York resident.
- Businesses located outside New York that hold such data: the Act has no in-state presence requirement, so its reach is extraterritorial.
- Any sector and any size. A small business (fewer than 50 employees, under $3 million in gross annual revenue in each of the last three fiscal years, or under $5 million in year-end total assets) still must comply, but its safeguards need only be appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of the information it holds.
- Businesses already subject to and compliant with GLBA, HIPAA/HITECH or NYDFS 23 NYCRR Part 500 are deemed to be in compliance with Section 899-bb's data-security requirement.
Any business whose web or mobile applications hold the private information of NY residents falls under these obligations: those applications are part of the "software design" and the "key controls" the Act expects to be risk-assessed, tested and monitored.
Key SHIELD Act Requirements for Application Security
Application security sits within the reasonable technical safeguards of Section 899-bb:
- Assess risks in software design: identify risks in network and software design, and in how information is processed, transmitted and stored.
- Detect, prevent and respond: detect, prevent and respond to attacks or system failures.
- Test and monitor key controls: regularly test and monitor the effectiveness of key controls, systems and procedures.
SHIELD Act Security Requirements in Depth
Section 899-bb - Reasonable Technical Safeguards
Section 899-bb expects businesses to assess risks in network and software design and to detect, prevent and respond to attacks. Penetration testing and vulnerability scanning of web and mobile applications are practical ways to assess software-design risks and validate that controls hold against real attacks.
Testing and Monitoring Key Controls
The Act specifically calls for regularly testing and monitoring the effectiveness of key controls, systems and procedures. Continuous scanning and periodic penetration testing, with attack-surface monitoring, operationalise this expectation.
Common Web & Mobile Application Risks to Address
The Act names no specific vulnerability classes, so auditors and testers normally use the OWASP Top 10 (2021 edition) as the reference for the application risks a reasonable assessment should cover:
- Broken Access Control — users reaching data or actions they should not.
- Cryptographic Failures — weak or missing encryption exposing sensitive data.
- Injection — SQL, command or other injection via unvalidated input.
- Insecure Design — missing security controls by design, not just by bug.
- Security Misconfiguration — default, incomplete or unsafe configuration.
- Vulnerable & Outdated Components — unpatched libraries and frameworks.
- Identification & Authentication Failures — weak login, session or credential handling.
- Software & Data Integrity Failures — untrusted updates, insecure CI/CD pipelines.
- Security Logging & Monitoring Failures — attacks going undetected.
- Server-Side Request Forgery (SSRF) — the server tricked into making malicious requests.
For mobile apps, the OWASP Mobile Top 10 is the equivalent reference (insecure data storage, insecure communication, insufficient cryptography, and so on). Reliably finding these issues requires testing the running application against its real back end, not just reviewing its documentation or design.
How to Approach SHIELD Act Application Security with ImmuniWeb
- Map your exposure. Inventory internet-facing apps holding private information with ImmuniWeb Discovery.
- Test web applications with On-Demand (penetration testing) and Neuron (scanning).
- Test mobile applications with MobileSuite and Neuron Mobile.
- Test key controls regularly and remediate with actionable, zero-false-positive reports.
- Keep testing continuously with Continuous in CI/CD.
- Monitor for leaks with Discovery dark-web monitoring.
How ImmuniWeb Helps You Achieve SHIELD Act Compliance
ImmuniWeb helps businesses implement and evidence the reasonable technical safeguards Section 899-bb requires.
| Requirement | What it requires | ImmuniWeb products |
|---|---|---|
| Assess software-design risks | Identify vulnerabilities in apps and software. | On-Demand, Neuron, Discovery |
| Detect & respond | Detect, prevent and respond to attacks. | Neuron, Continuous, Discovery |
| Test key controls | Regularly test and monitor control effectiveness. | On-Demand, Neuron, MobileSuite, Neuron Mobile |
ImmuniWeb On-Demand and MobileSuite deliver web and mobile penetration testing; Neuron and Neuron Mobile provide automated scanning; Continuous embeds testing into CI/CD; and Discovery maps your attack surface and monitors the dark web - evidencing the SHIELD Act's reasonable technical safeguards.
SHIELD Act vs International Frameworks
If you already work to international standards, the same ImmuniWeb testing supports all of them:
| Framework | Application-security angle | How ImmuniWeb maps |
|---|---|---|
| New York SHIELD Act | Reasonable technical safeguards (899-bb) | Web/mobile pentest, scanning, ASM, dark-web monitoring |
| California CCPA | Reasonable security procedures (Civ. Code 1798.150) | Same web/mobile testing evidence supports both |
| NYDFS Part 500 | 23 NYCRR 500.5 penetration testing and vulnerability assessments | Same web/mobile testing evidence supports both |
| ISO/IEC 27001 | Annex A technical controls | Testing as control evidence |
Penetration Testing vs Security Scanning
Both are needed. Automated scanning (DAST) gives broad, frequent coverage and is ideal for continuous testing in CI/CD; manual penetration testing finds business-logic and complex vulnerabilities that scanners miss and produces the depth auditors and regulators expect. Combine continuous scanning with periodic manual penetration testing, and re-test after significant changes.
Compliance Checklist (Application Security)
- Inventory of internet-facing apps holding private information
- Web applications tested against the OWASP Top 10
- Mobile applications tested against the OWASP Mobile Top 10
- Software-design risks assessed and addressed
- Key controls regularly tested and monitored
- Findings remediated and re-tested; records retained
- Breach-notification process and exposure monitoring in place
Why SHIELD Act Compliance Matters
The SHIELD Act is enforced by the New York Attorney General; it creates no private right of action. The Attorney General can seek injunctive relief and civil penalties: up to $5,000 per violation of the reasonable-safeguards requirement, and, for knowing or reckless failures to notify, $20 per failed notification up to $250,000. Because the Act applies to any business holding NY residents' private information, its reach is broad - extending well beyond New York-based companies.
Because internet-facing web and mobile applications are a frequent entry point in reported breaches, demonstrably testing and monitoring them - with retained reports showing what was tested, what was found and what was fixed - is one of the clearest ways to evidence the SHIELD Act's reasonable technical safeguards.