New York Cybersecurity Laws and Compliance Requirements

New York maintains one of the most complex and layered cybersecurity regulatory environments in the United States, drawing from state-level statutes, financial sector rules, and intersecting federal frameworks. This page maps the major laws, regulatory bodies, compliance obligations, classification boundaries, and structural tensions that define cybersecurity compliance for organizations operating in New York. The frameworks covered range from the NYDFS Cybersecurity Regulation (23 NYCRR 500) to the SHIELD Act and the New York General Business Law breach notification provisions.


Definition and scope

New York cybersecurity compliance refers to the body of legal obligations imposed on organizations that collect, process, store, or transmit data belonging to New York residents, or that operate within regulated industries headquartered or licensed in the state. These obligations arise from at least four distinct legal sources: the NYDFS Cybersecurity Regulation (23 NYCRR Part 500); the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which amended the breach notification statute at N.Y. General Business Law § 899-aa and added the reasonable-safeguards requirement at § 899-bb; the breach notification provisions of § 899-aa themselves; and sector-specific requirements layered over those baseline rules by agencies including the New York State Department of Health (NYSDOH) and the New York State Office of Information Technology Services (ITS).

The geographic and legal scope of these laws extends to any entity — regardless of physical location — that holds private information on New York residents. This coverage scope is broader than a physical presence test. The SHIELD Act explicitly applies to any person or business that owns or licenses computerized data that includes private information of a New York resident, not only businesses domiciled in New York. Federal frameworks including HIPAA (45 CFR Parts 160 and 164), the Gramm-Leach-Bliley Act, and NIST cybersecurity publications inform compliance posture but are not administered by New York state agencies and therefore fall outside the primary scope of this reference. The regulatory context for New York cybersecurity provides detailed mapping of these federal-state intersections.

Scope limitations: This page does not address federal prosecution of cyber crimes under 18 U.S.C. § 1030 (Computer Fraud and Abuse Act), SEC cybersecurity disclosure rules, or obligations specific to federal contractors. Local municipal rules — such as New York City's Cyber Command directives — are distinct from state law and are addressed separately under New York municipal cybersecurity.


Core mechanics or structure

New York cybersecurity compliance operates through three structural layers that interact but impose independent obligations.

Layer 1 — NYDFS 23 NYCRR 500 (Financial Services Sector)
The New York Department of Financial Services issued 23 NYCRR Part 500 effective March 1, 2017, with significant amendments adopted November 1, 2023 (phased compliance dates run through November 2025). The regulation applies to "covered entities", meaning entities operating under a license, registration, charter, certificate, permit, accreditation, or similar authorization issued by DFS under the Banking Law, Insurance Law, or Financial Services Law, including banks, insurers, licensed lenders, money transmitters, and mortgage servicers. The 2023 amendment introduced a tiered structure: a Class A company is a covered entity with at least $20 million in gross annual revenue from its New York business in each of the last two fiscal years that also has either more than 2,000 employees (averaged over the last two fiscal years, including affiliates) or more than $1 billion in gross annual revenue in each of the last two fiscal years from all business operations, including affiliates. Class A companies face enhanced requirements, including independent audits of the cybersecurity program (§ 500.2(c)), a privileged access management solution and automated blocking of commonly used passwords (§ 500.7(c)), and endpoint detection and response together with centralized logging and security event alerting (§ 500.14(b)). Separately, every covered entity's CISO must report in writing to the board or senior governing body at least annually (§ 500.4(c)). The full amended text is maintained by NYDFS.

Core 23 NYCRR 500 obligations include a written cybersecurity policy; annual penetration testing and ongoing vulnerability assessment (§ 500.5); access privilege controls with periodic review (§ 500.7); multi-factor authentication, which the 2023 amendment extends from remote and privileged access to any individual accessing the covered entity's information systems (§ 500.12); encryption of nonpublic information in transit over external networks and at rest, with CISO-approved compensating controls permitted only for at-rest data where encryption is infeasible (§ 500.15); and notification to NYDFS within 72 hours of determining that a qualifying cybersecurity incident has occurred (§ 500.17). The amendment also added a 24-hour notice of any extortion payment, followed within 30 days by a written explanation of why the payment was necessary. Third-party service provider security programs are also mandated under § 500.11, a point directly relevant to New York third-party vendor cybersecurity.

Layer 2 — SHIELD Act (Cross-Sector)
The SHIELD Act, signed in July 2019, amended the existing breach notification statute (expanding the definitions of "private information" and "breach", effective October 23, 2019) and added an affirmative "reasonable security" obligation at N.Y. GBL § 899-bb, effective March 21, 2020. Any person or business owning or licensing computerized data that includes private information of New York residents must develop, implement, and maintain reasonable safeguards, and the statute lists example administrative, technical, and physical safeguards that count toward that standard. Small businesses (fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets) face a scaled standard: safeguards "appropriate for the size and complexity" of the business, the nature and scope of its activities, and the sensitivity of the information it handles. A "compliant regulated entity", one subject to and in compliance with GLBA, HIPAA/HITECH, 23 NYCRR Part 500, or another applicable federal or New York data security rule, is deemed to satisfy § 899-bb. The New York State Attorney General's office, whose enforcement role is covered in depth at New York OAG cybersecurity enforcement, holds exclusive civil enforcement authority under the SHIELD Act; the statute creates no private right of action.

Layer 3 — Breach Notification (N.Y. GBL § 899-aa)
New York's breach notification statute requires notification to affected New York residents in the most expedient time possible and without unreasonable delay following discovery of a breach of private information; amendments signed in December 2024 added an outer limit of 30 days after discovery. Whenever any New York residents are notified, the business must also notify the New York Attorney General, the Department of State, and the Division of State Police (and, under the 2024 amendments, the Department of Financial Services) as to the timing, content, and distribution of the notices and the approximate number of affected persons; if more than 5,000 residents are notified at once, the consumer reporting agencies must be notified as well. Entities that notify affected persons under GLBA, HIPAA/HITECH, 23 NYCRR Part 500, or another applicable federal or New York data security rule are deemed to satisfy the individual-notice requirement, but must still notify the state agencies, and a HIPAA covered entity must also furnish the Attorney General with a copy of any breach notice sent to HHS within five business days.


Causal relationships or drivers

The density of New York cybersecurity law reflects several converging pressures. New York State processes a disproportionate volume of U.S. financial transactions — the New York financial services sector accounts for a substantial portion of the state's GDP — making financial sector compromise a systemic national risk, which prompted NYDFS to act ahead of federal regulators.

Breach enforcement actions by the New York Attorney General, including the 2022 actions against 19 companies under Operation: Cache Out, have shaped how the SHIELD Act's reasonable-security standard is read in practice. Each major enforcement cycle has produced settlements and interpretive guidance that clarify but also expand practical compliance scope. Organizations navigating New York cybersecurity risk assessment requirements often trace their compliance programs directly to OAG assurances of discontinuance and enforcement letters rather than to the statutory text.

The 2019 Capital One data breach, which exposed the records of roughly 100 million individuals, reinforced legislative momentum nationally. The incident pattern, a misconfigured web application firewall exploited through server-side request forgery to obtain cloud credentials and copy data from cloud storage, is frequently cited as an example of the cloud-era weaknesses that the more specific technical controls in NYDFS's 2023 amendment package were designed to address.


Classification boundaries

New York cybersecurity obligations fall into distinct categories depending on the regulated entity type and the nature of data handled.

By entity type:
- DFS-regulated entities: Subject to 23 NYCRR 500 as the primary framework; a covered entity in compliance with Part 500 is a "compliant regulated entity" deemed to satisfy the SHIELD Act's reasonable-security requirement, but it remains subject to § 899-aa breach notification.
- Healthcare entities: Subject to NYSDOH regulations (including the hospital cybersecurity requirements in 10 NYCRR § 405.46), HIPAA, and the SHIELD Act; 23 NYCRR 500 applies only if the entity also holds a DFS license, as health insurers do.
- State agencies: Subject to NYS ITS cybersecurity policies (NYS-P03-002) and Executive Order 117 (2013), not NYDFS rules.
- All others holding NY resident data: Subject to the SHIELD Act reasonable-security standard and § 899-aa breach notification.

By data type:
Private information under New York law (N.Y. GBL § 899-aa(1)(b)) means personal information (a name or other identifier) in combination with a Social Security number, a driver's license or non-driver ID number, a financial account or card number together with the code or password needed to use it (or alone, if the number can be used without additional information), biometric information (added by the SHIELD Act in 2019), or medical and health insurance information (added by the December 2024 amendments, effective March 2025); it also includes a user name or e-mail address together with a password or security question and answer. Encrypted data is excluded unless the encryption key was also compromised. General business contact information is not private information under this statute.

By company size:
Small business status under the SHIELD Act scales the standard to safeguards "appropriate for the size and complexity" of the business, but it does not eliminate the obligation to maintain reasonable safeguards or to notify following a breach.


Tradeoffs and tensions

The layering of NYDFS 23 NYCRR 500 over the SHIELD Act is only partly resolved by the statute's "compliant regulated entity" provision. A covered entity in compliance with Part 500 is deemed to satisfy the SHIELD Act's reasonable-security requirement, but it must still comply with § 899-aa breach notification, and the two frameworks use different definitions: the SHIELD Act's "private information" turns on specific data elements (a name together with an SSN, account credentials, biometrics, and so on), while the NYDFS definition of "nonpublic information" is broader in some respects (it includes business-related information whose disclosure would materially harm the entity) and narrower in others. An incident can therefore meet one definition without meeting the other, which creates data classification ambiguity at organizational boundaries and means a Part 500 notification does not by itself establish whether a § 899-aa notification is due.

Incident notification timing presents a structural tension. NYDFS requires notification as promptly as possible and in any event within 72 hours of determining that a qualifying cybersecurity incident has occurred, plus a 24-hour notice of any extortion payment. New York's breach notification law uses an "expedient time" / "unreasonable delay" standard, capped at 30 days after discovery by the December 2024 amendments, and its clock runs from discovery of the breach rather than from a determination. Organizations covered by both must manage parallel notification timelines to different agencies on different triggers and different start points.

The SHIELD Act's reasonable security standard does not define minimum technical controls, creating interpretive uncertainty. The New York OAG has issued enforcement guidance citing NIST SP 800-53 and the CIS Controls as reference frameworks, but adherence to neither is formally mandated by statute. This is a persistent source of compliance planning tension, particularly for entities not subject to the more prescriptive 23 NYCRR 500 — a dynamic further explored in the New York Security Authority index.

Third-party risk management obligations under 23 NYCRR 500 § 500.11 require covered entities to maintain written policies covering due diligence, minimum contractual cybersecurity standards, and periodic assessment of service providers. The SHIELD Act's list of example administrative safeguards in § 899-bb does include selecting service providers capable of maintaining appropriate safeguards and requiring those safeguards by contract, but only as one illustration of reasonableness, without the due diligence and periodic assessment detail of § 500.11. The result is an asymmetric vendor obligation framework in which financial sector vendors face more specific contractual pressure than vendors serving other sectors.


Common misconceptions

Misconception 1: The SHIELD Act only applies to New York businesses.
The statute explicitly covers any business that owns or licenses private information of a New York resident — a standard based on data residency, not business location. A California-based e-commerce company with New York customers is subject to SHIELD Act obligations.

Misconception 2: Compliance with HIPAA or PCI-DSS satisfies all of New York law.
A HIPAA covered entity or business associate that is in compliance with HIPAA is a "compliant regulated entity" under § 899-bb and is deemed to satisfy the SHIELD Act's reasonable-security requirement, and notifying affected persons under HIPAA satisfies the individual-notice requirement of § 899-aa. The state-agency notifications under § 899-aa still apply, and a HIPAA covered entity must give the Attorney General a copy of any breach notice sent to HHS within five business days. PCI-DSS is a contractual standard, not a law or regulation, and is not a safe harbor under any New York cybersecurity statute.

Misconception 3: Small businesses have no cybersecurity obligations under the SHIELD Act.
Small business status scales the standard to safeguards "appropriate for the size and complexity" of the business, the nature and scope of its activities, and the sensitivity of the information it handles, but it does not create a complete exemption. Breach notification obligations apply regardless of company size. For resources specific to this segment, see New York small business cybersecurity.

Misconception 4: The 72-hour NYDFS notification clock starts at breach discovery.
The 72-hour clock under 23 NYCRR 500 § 500.17(a) begins when the covered entity determines that a cybersecurity incident meeting the notification threshold has occurred (one that requires notice to another government body or self-regulatory agency, has a reasonable likelihood of materially harming a material part of normal operations, or involves ransomware deployed within a material part of the information systems), not at the moment of first detection. The interval between detection and determination has been a point of NYDFS examination focus in enforcement reviews, and the amended rule separately requires a 24-hour notice of any extortion payment.

Misconception 5: A written cybersecurity policy satisfies the SHIELD Act.
The SHIELD Act requires an implemented data security program with operational administrative, technical, and physical safeguards — not merely a documented policy. The OAG has pursued enforcement where organizations had policies but lacked demonstrated operational controls.


Compliance elements checklist

The following elements represent the discrete obligations arising from New York's primary cybersecurity statutes. This is a structural inventory, not legal or compliance advice.

NYDFS 23 NYCRR 500 (Covered Entities)
- [ ] Written cybersecurity policy approved by a senior officer or the board (§ 500.3)
- [ ] Designated CISO with adequate authority, reporting in writing to the board or senior governing body at least annually (§ 500.4)
- [ ] Annual penetration testing by a qualified internal or external party (§ 500.5)
- [ ] Vulnerability assessments: automated scans plus manual review of systems not covered by scans, at a frequency set by the risk assessment and after material system changes (§ 500.5)
- [ ] Multi-factor authentication for remote and privileged access, extended to any individual accessing the entity's information systems by the November 2025 compliance date (§ 500.12)
- [ ] Asset inventory with secure disposal procedures (§ 500.13)
- [ ] Encryption of nonpublic information in transit over external networks and at rest (§ 500.15)
- [ ] Audit trails able to reconstruct material financial transactions retained at least 5 years; security event logs retained at least 3 years (§ 500.6)
- [ ] Third-party service provider security policy (§ 500.11)
- [ ] Incident response plan plus business continuity and disaster recovery plans (§ 500.16)
- [ ] 72-hour NYDFS notification of qualifying cybersecurity incidents; 24-hour notice of extortion payments with a 30-day written explanation (§ 500.17)
- [ ] Annual certification of material compliance (or acknowledgment of noncompliance) filed with NYDFS by April 15, signed by the highest-ranking executive and the CISO (§ 500.17(b))
- [ ] Independent cybersecurity audit, privileged access management, and EDR with centralized logging for Class A companies

SHIELD Act (All Covered Businesses)
- [ ] Implemented data security program with administrative safeguards
- [ ] Implemented technical safeguards (access controls, encryption, monitoring)
- [ ] Implemented physical safeguards (storage, disposal)
- [ ] Risk assessment performed to identify reasonably foreseeable risks
- [ ] Employee training on data security practices
- [ ] Third-party service provider oversight (contractual obligations)
- [ ] Breach notification procedures documented and operational, meeting the 30-day outer limit from discovery
- [ ] Notification mechanism to the NYS AG, Department of State, State Police (and DFS under the 2024 amendments) whenever any NY residents are notified; consumer reporting agencies when more than 5,000 residents are notified at once


Reference table or matrix

| Framework | Administering Body | Applies To | Key Obligation | Notification Deadline |
|---|---|---|---|---|
| 23 NYCRR Part 500 (2023 amended) | NY Dept. of Financial Services | DFS-licensed entities | Written cybersecurity program, CISO, MFA, encryption, annual certification | 72 hours to NYDFS after determining a cybersecurity incident; 24 hours after any extortion payment |
| SHIELD Act (N.Y. GBL § 899-bb) | NY Attorney General (enforcement) | Any business owning or licensing private information of NY residents | Reasonable administrative, technical, and physical safeguards | Not applicable (security standard; notification is governed by § 899-aa) |
| Breach Notification (N.Y. GBL § 899-aa) | NY Attorney General / DOS / State Police / DFS | Any business owning or licensing private information of NY residents | Notification to affected individuals and state agencies | Most expedient time possible and no later than 30 days after discovery; agencies notified whenever residents are notified; consumer reporting agencies when more than 5,000 residents are notified |
| NYS ITS Policy NYS-P03-002 | NY Office of Information Technology Services | NY state agencies | Agency information security program | Per NYS ITS incident reporting procedures |
| HIPAA Security Rule (45 CFR Part 164) | HHS Office for Civil Rights | Covered healthcare entities and business associates | Technical, administrative, physical safeguards | 60 days from discovery (HIPAA Breach Notification Rule); copy of the HHS notice to the NY AG within 5 business days |
| NIST Cybersecurity Framework (CSF 2.0) | NIST (voluntary reference) | All sectors (non-mandatory in NY) | Govern, Identify, Protect, Detect, Respond, Recover functions | Not applicable (voluntary framework) |
