New York SHIELD Act Compliance
New York's SHIELD Act requires businesses to protect private information with reasonable safeguards. Learn how ImmuniWeb helps you meet its technical-safeguards requirements.
What Is the New York SHIELD Act?
The SHIELD Act broadened New York's breach-notification obligations (Section 899-aa) and, for the first time, imposed an affirmative data-security requirement (Section 899-bb): any business holding the private information of New York residents must develop, implement and maintain reasonable safeguards to protect that information.
The Act describes administrative, technical and physical safeguards. Its technical-safeguards examples include assessing risks in network and software design and regularly testing and monitoring the effectiveness of key controls.
See how ImmuniWeb helps you meet the SHIELD Act's reasonable technical safeguards by testing and monitoring the apps that hold private information. Request a demo or run a free Community Edition test.
Who Must Comply with the SHIELD Act?
The SHIELD Act applies to:
- Any person or business that owns or licenses computerized private information of New York residents.
- Businesses outside New York that hold the private information of NY residents (extraterritorial reach).
- Any sector and size, with a lighter-touch standard for small businesses, scaled to their size and complexity.
Any business running web and mobile applications that hold private information of NY residents must secure and test them.
Key SHIELD Act Requirements for Application Security
Application security sits within the reasonable technical safeguards of Section 899-bb:
- Assess risks in software design: assess risks in network and software design and in information processing, transmission and storage.
- Detect, prevent and respond: detect, prevent and respond to attacks or system failures.
- Test and monitor key controls: regularly test and monitor the effectiveness of key controls, systems and procedures.
SHIELD Act Security Requirements in Depth
Section 899-bb - Reasonable Technical Safeguards
Section 899-bb expects businesses to assess risks in network and software design and to detect, prevent and respond to attacks. Penetration testing and vulnerability scanning of web and mobile applications are practical ways to assess software-design risks and validate that controls hold against real attacks.
Testing and Monitoring Key Controls
The Act specifically calls for regularly testing and monitoring the effectiveness of key controls, systems and procedures. Continuous scanning and periodic penetration testing, with attack-surface monitoring, operationalise this expectation.
Common Web and Mobile Application Risks to Remediate
The application risks the SHIELD Act expects you to address map closely to the OWASP Top 10:
- Broken Access Control: users reaching data or actions they should not.
- Cryptographic Failures: weak or missing encryption exposing sensitive data.
- Injection: SQL, command or other injection through unvalidated input.
- Insecure Design: security controls missing by design, not just because of a bug.
- Security Misconfiguration: default, incomplete or insecure configuration.
- Vulnerable & Outdated Components: unpatched libraries and frameworks.
- Identification and Authentication Failures: weak handling of logins, sessions or credentials.
- Software & Data Integrity Failures: untrusted updates, insecure CI/CD pipelines.
- Security Logging and Monitoring Failures: attacks that go undetected.
- Server-Side Request Forgery (SSRF): the server is tricked into making malicious requests.
For mobile apps, the OWASP Mobile Top 10 is the equivalent reference (insecure data storage, insecure communication, weak cryptography, and so on). Reliably finding these issues requires testing the running application, not just a documentation review.
How to Approach SHIELD Act Application Security with ImmuniWeb
- Map your exposure. Inventory internet-facing apps holding private information with ImmuniWeb Discovery.
- Test web applications with On-Demand (penetration testing) and Neuron (scanning).
- Test mobile applications with MobileSuite and Neuron Mobile.
- Test key controls regularly and remediate with actionable, zero-false-positive reports.
- Keep testing continuously with Continuous in CI/CD.
- Monitor for leaks with Discovery dark-web monitoring.
How ImmuniWeb Helps You Achieve SHIELD Act Compliance
ImmuniWeb helps businesses implement and evidence the reasonable technical safeguards Section 899-bb requires.
| Requirement | What it requires | ImmuniWeb products |
|---|---|---|
| Assess software-design risks | Identify vulnerabilities in apps and software. | On-Demand, Neuron, Discovery |
| Detect & respond | Detect, prevent and respond to attacks. | Neuron, Continuous, Discovery |
| Test key controls | Regularly test and monitor control effectiveness. | On-Demand, Neuron, MobileSuite, Neuron Mobile |
ImmuniWeb On-Demand and MobileSuite deliver web and mobile penetration testing; Neuron and Neuron Mobile provide automated scanning; Continuous embeds testing into CI/CD; and Discovery maps your attack surface and monitors the dark web - evidencing the SHIELD Act's reasonable technical safeguards.
SHIELD Act vs International Frameworks
If you already follow international standards, the same ImmuniWeb tests cover them all:
| Framework | Application-security angle | How ImmuniWeb maps |
|---|---|---|
| New York SHIELD Act | Reasonable technical safeguards (899-bb) | Web/mobile penetration testing, scanning, ASM, dark-web monitoring |
| California CCPA | Reasonable security | The same tests cover both |
| NYDFS Part 500 | 500.5 pentest + assessments | The same tests cover both |
| ISO/IEC 27001 | Annex A: technical controls | Tests as control evidence |
Penetration Testing vs Security Scanning
Both are needed. Automated scanning (DAST) gives broad, frequent coverage and is ideal for continuous testing in CI/CD; manual penetration testing finds the business-logic and complex vulnerabilities that scanners miss and provides the depth auditors and regulators expect. Combine continuous scanning with periodic manual penetration testing, and re-test after significant changes.
Compliance Checklist (Application Security)
- Inventory of internet-facing apps holding private information
- Web applications tested against the OWASP Top 10
- Mobile applications tested against the OWASP Mobile Top 10
- Software-design risks assessed and addressed
- Key controls regularly tested and monitored
- Identified flaws fixed and re-tested; records retained
- Breach-notification process and exposure monitoring in place
Why SHIELD Act Compliance Matters
The SHIELD Act is enforced by the New York Attorney General, who can seek civil penalties for failing to implement reasonable safeguards or to notify affected parties of breaches. Because it applies to any business holding private information of New York State residents, its scope is broad, extending well beyond businesses based in New York.
Since web and mobile applications are a major breach vector, demonstrably testing and monitoring them is one of the clearest ways to comply with the reasonable technical safeguards the SHIELD Act requires.