New York Data Breach Notification Laws: Reporting Rules & Timelines (2026)

New York's data breach notification law is one of the most demanding in the country. The combination of GBL Section 899-aa and the SHIELD Act (GBL Section 899-bb) creates a two-part framework: you must notify promptly when breaches happen, and you must maintain reasonable security to prevent them in the first place. A December 2024 amendment tightened the rules further by adding a firm 30-day notification deadline and eliminating delays for scope investigation.
This guide covers every obligation under New York's breach notification and data security laws, including the 2024 and 2025 amendments, who must comply, what triggers notification, required safeguards, penalties, and how the law interacts with the NYDFS cybersecurity regulation.
What Triggers a Data Breach Notification in New York
Under GBL Section 899-aa, notification is required when there has been unauthorized access to or acquisition of computerized data that compromises the security, confidentiality, or integrity of private information maintained by a business.
The SHIELD Act broadened this trigger significantly in 2019. Before the SHIELD Act, a "breach" required actual acquisition of data. Now, mere unauthorized access is enough to trigger notification obligations, even if the data was not physically taken.
What Counts as Private Information
New York defines "private information" as a person's name (first name or initial plus last name) combined with any of the following data elements:
- Social Security number
- Driver's license number or non-driver ID card number
- Financial account number, credit card number, or debit card number, with or without any required security code, access code, or password
- Biometric information (fingerprint, voiceprint, retina image, or other unique physical representation)
- Username or email address combined with a password or security question and answer
As of March 21, 2025, the definition also includes:
- Medical information (medical history, mental or physical condition, or treatment/diagnosis by a healthcare professional)
- Health insurance information (policy number, subscriber ID, unique insurer identifier, or application/claims history)
A Social Security number alone, without an accompanying name, also qualifies as private information and triggers notification requirements.
The 30-Day Notification Deadline

The December 2024 amendment (S2659B) made two critical changes to notification timing.
First, it established a firm 30-day deadline. Businesses must notify affected New York residents "in the most expedient time possible and without unreasonable delay," but in no event later than 30 days after discovering the breach. This replaced the prior standard of "most expedient time possible," which had no hard deadline.
Second, the amendment eliminated the ability to delay notification while assessing the scope of a breach or restoring system integrity. Under the old law, businesses could take additional time to determine how many people were affected or to fix the vulnerability before notifying anyone. That flexibility is gone. The only remaining exception is for legitimate law enforcement needs, where authorities may request a brief delay to preserve evidence.
These changes took effect immediately upon the governor's signature on December 21, 2024.
Vendor and Service Provider Deadlines
The 30-day clock also applies to vendors and service providers. If a business processes or maintains private information on behalf of another company, it must notify the data owner within 30 days of discovering the breach. The data owner then has its own 30-day window to notify affected individuals.
Who Must Be Notified
New York requires notification to multiple parties. The obligations apply regardless of how many individuals are affected.
Affected Individuals
Any New York resident whose private information was compromised must receive direct notification. Acceptable methods include:
- Written notice (mail)
- Electronic notice (if the person consented to electronic communications)
- Telephone notification
Substitute Notice
Substitute notice is available when direct notification costs exceed $250,000, the breach affects more than 500,000 people, or the business lacks sufficient contact information. Substitute notice requires all three of the following:
- Email notice to all available addresses
- Conspicuous posting on the company's website
- Notification to major statewide media
Government Agencies
Businesses must notify the following state agencies about the timing, content, and distribution of breach notices, plus the approximate number of affected individuals:
- New York Attorney General (online reporting form)
- New York Department of State, Division of Consumer Protection
- New York State Police
Credit Reporting Agencies
If the breach involves Social Security numbers, the business must also notify the three major consumer reporting agencies (Equifax, Experian, and TransUnion).
NYDFS Notification (Financial Services Entities)
The December 2024 amendment initially added the New York Department of Financial Services to the notification list for all businesses. A February 2025 correction (S804) clarified that NYDFS notification is required only for entities that qualify as "covered entities" under 23 NYCRR Part 500. Those entities must comply with the separate 72-hour notification requirement under the NYDFS cybersecurity regulation.
Encryption Safe Harbor

New York provides a safe harbor for encrypted data. If the private information was encrypted and the encryption key was not compromised during the breach, notification is not required.
However, if the unauthorized person also obtained the encryption key, or if there is reason to believe the key was accessed, the full notification obligations apply. This means businesses should store encryption keys separately from the data they protect.
The safe harbor also covers data that has been rendered unreadable or unusable through other security methods, as long as the method used to protect the data was not also compromised.
SHIELD Act Data Security Requirements

The SHIELD Act (GBL Section 899-bb) goes beyond notification. It requires any person or business that owns or licenses private information of New York residents to "develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information."
This obligation applies to businesses nationwide, not just those located in New York. If you hold private information of any New York resident, you must comply.
Administrative Safeguards
The SHIELD Act requires administrative measures including:
- Designating one or more employees to coordinate the security program
- Identifying reasonably foreseeable internal and external risks
- Assessing whether existing safeguards control the identified risks
- Training and managing employees in security practices and procedures
- Selecting service providers capable of maintaining appropriate safeguards and requiring those protections by contract
- Adjusting the security program in light of business changes or new circumstances
Technical Safeguards
Required technical measures include:
- Assessing risks in network and software design
- Assessing risks in information processing, transmission, and storage
- Detecting, preventing, and responding to attacks or system failures
- Regularly testing and monitoring the effectiveness of key controls, systems, and procedures
Physical Safeguards
Required physical measures include:
- Assessing risks of information storage and disposal
- Detecting, preventing, and responding to intrusions
- Protecting against unauthorized access during or after collection, transportation, and destruction of information
- Disposing of private information within a reasonable time after it is no longer needed, by erasing electronic media so the information cannot be read or reconstructed
Small Business Compliance
The SHIELD Act includes a scaled compliance option for small businesses, defined as having fewer than 50 employees, less than $3 million in gross annual revenue for the last three fiscal years, or less than $5 million in year-end total assets. A small business satisfies the safeguard requirements if its security program is appropriate for the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the information it collects.
Deemed Compliance
Businesses already subject to and in compliance with certain federal regulations are deemed compliant with the SHIELD Act's safeguard requirements. This includes entities regulated under HIPAA, the Gramm-Leach-Bliley Act, or the NYDFS cybersecurity regulation (23 NYCRR Part 500).
NYDFS Cybersecurity Regulation: Additional Layer for Financial Services
Financial services entities regulated by the New York Department of Financial Services face additional obligations under 23 NYCRR Part 500. Key differences from the SHIELD Act include:
- A stricter 72-hour notification deadline to DFS (compared to 30 days under GBL 899-aa)
- Mandatory written cybersecurity policies
- Required annual penetration testing and bi-annual vulnerability assessments
- Appointment of a Chief Information Security Officer (CISO)
- Annual compliance certification to DFS
The November 2023 amendment to Part 500 further strengthened these requirements. Covered entities must comply with both the SHIELD Act and Part 500, with the stricter standard applying in any area of overlap.
Penalties and Enforcement

The New York Attorney General has exclusive authority to enforce both the breach notification law and the SHIELD Act safeguard requirements.
Notification Violations
For failure to provide timely notification, courts may impose a civil penalty of the greater of $5,000 or $20 per instance of failed notification, capped at $250,000. If the court determines the violation was knowing or reckless, higher penalties may apply.
Safeguard Violations
For failure to maintain reasonable safeguards under the SHIELD Act, courts may impose penalties of up to $5,000 per violation. There is no statutory cap on the total amount.
Statute of Limitations
The Attorney General must bring enforcement actions within three years of discovering the violation. No action may be brought more than six years after the breach occurred, unless the business took steps to conceal it.
Private Right of Action
New York's breach notification law provides a limited private right of action. Individuals may bring claims, but only for actual damages. There is no statutory damages provision and no ability to recover attorney's fees under the breach notification statute.
Recent Enforcement Actions
The Attorney General has actively enforced these laws:
- Root Insurance (2025): Paid $975,000 after a vulnerability exposed approximately 45,000 New Yorkers' driver's license numbers, which were used for fraudulent unemployment claims.
- Wojeski & Company (2025): Paid $60,000 after a ransomware attack exposed client data and the firm waited 18 months to notify victims.
- National Amusements (2024): Paid $250,000 for failing to protect employee personal information.
- Albany ENT & Allergy Services (2024): Paid $500,000 plus $2.25 million for inadequate security practices that exposed patient medical data.
These settlements demonstrate that the Attorney General pursues penalties well beyond the statutory minimums by combining notification violations with safeguard failures and seeking injunctive relief.
Exemptions and Special Cases
Several situations receive special treatment under New York law:
- Good faith employee access: An inadvertent disclosure by an authorized employee does not trigger notification, provided the private information is not expected to be misused and the business takes reasonable steps to prevent further unauthorized access.
- Law enforcement delays: Notification may be delayed at the request of law enforcement if early notice would impede a criminal investigation.
- Already regulated entities: Businesses complying with breach notification requirements under other regulatory frameworks (HIPAA, GLBA, NYDFS) may satisfy some or all of the notification obligations, though they should verify their procedures meet all of GBL 899-aa's specific requirements.
How New York Compares to Other States
New York's 30-day notification deadline places it among the stricter states. For comparison:
- Several states, including Alabama, Colorado, Florida, and Maine, also require notification within 30 days
- States like Ohio and Indiana allow 45 days
- Some states still have no specific deadline, requiring only notification "without unreasonable delay"
New York stands out for the SHIELD Act's separate safeguard requirements, its expanded definition of private information (including biometric and now medical data), and its active enforcement history.
Sources and References
This article draws from the following official New York government sources:
- GBL Section 899-aa (Breach Notification) - Full text of New York's breach notification statute (nysenate.gov)
- GBL Section 899-bb (SHIELD Act Data Security) - SHIELD Act safeguard requirements (nysenate.gov)
- NY Attorney General: SHIELD Act - AG guidance on SHIELD Act compliance (ag.ny.gov)
- NY Attorney General: Data Breach Reporting Form - Online breach reporting portal (ag.ny.gov)
- S2659B (December 2024 Amendment) - 30-day deadline and other changes (nysenate.gov)
- S804 (February 2025 Amendment) - NYDFS notification clarification (nysenate.gov)
- NY Department of State: Data Security Breach Management - DOS breach reporting guidance (dos.ny.gov)
- NYDFS 23 NYCRR Part 500 - Financial services cybersecurity regulation (dfs.ny.gov)
- NY Office of IT Services: Breach Notification and Incident Reporting - State entity reporting requirements (its.ny.gov)
- AG James: Root Insurance $975K Settlement - Press release (ag.ny.gov)
- AG James: Wojeski & Company $60K Settlement - Press release (ag.ny.gov)
- AG James: National Amusements $250K Settlement - Press release (ag.ny.gov)
This article provides general legal information about [New York data privacy laws](/us-laws/data-privacy-laws/new-york-data-privacy-laws) and breach notification requirements. It is not legal advice, and it does not create an attorney-client relationship. Data breach response involves time-sensitive obligations. Consult a qualified attorney licensed in New York for guidance specific to your situation.