In a pentest conducted for a New York company, which privacy law is most likely to apply, and what ethical considerations should guide the engagement?

Multiple Choice

In a pentest conducted for a New York company, which privacy law is most likely to apply, and what ethical considerations should guide the engagement?

Explanation:
Focusing on state-specific privacy obligations, the SHIELD Act is the law most likely to apply in a pentest for a New York company. It governs the protection of personal information of New York residents and imposes reasonable security safeguards as well as breach notification requirements. Because the client is based in New York, you’ll be operating under the expectations of NY data protection rules and the contract terms you and the client have agreed to, which usually align with SHIELD Act requirements. GDPR or CCPA would only be the primary law if there were EU data subjects or California residents involved, respectively, or if the engagement contract explicitly requires compliance with them; without those bases, treating those laws as the default is inappropriate. Ethically, you must have explicit, written authorization and a clearly defined scope, test only what is necessary, and conduct tests with safe, controlled methods to minimize risk to data and services. Handle any exposed personal data securely, limit data access, log activity, encrypt sensitive results, and delete data after the engagement per policy. Communicate findings responsibly, coordinate remediation with the client, and follow all applicable laws and contractual privacy terms to avoid unintended harm.