New York Data Breach Notification Requirements

New York's data breach notification framework establishes mandatory disclosure obligations for businesses, government agencies, and other entities that collect or maintain private information about New York residents. The framework is anchored in the New York SHIELD Act and the foundational breach notification statute under General Business Law § 899-aa, both enforced primarily by the New York Attorney General's Office. Understanding the scope, timing triggers, and classification rules within this framework is essential for any entity operating in or serving residents of New York State.

Definition and scope

Under New York General Business Law § 899-aa, a "breach of the security of the system" is defined as unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of private information. The 2019 Stop Hacks and Improve Electronic Data Security (SHIELD) Act expanded both the definition of "private information" and the range of entities subject to the law (NY SHIELD Act, S5575B).

Private information under the SHIELD Act includes:

  1. Social Security numbers combined with name
  2. Driver's license or non-driver ID numbers combined with name
  3. Account, credit, or debit card numbers combined with security codes or passwords
  4. Biometric information
  5. Username or email address combined with a password or security question answer
  6. Financial account numbers with access credentials

The scope of covered entities expanded significantly under the SHIELD Act. Any person or business that owns or licenses computerized data including private information of a New York resident is covered — regardless of whether that entity is physically located in New York. This extraterritorial reach means out-of-state companies with New York-resident customers carry the same obligations as New York-domiciled entities.

Scope limitations: This page addresses New York State law only. Federal breach notification obligations under the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Federal Trade Commission Act operate in parallel and are not covered here. Entities subject to NYDFS Cybersecurity Regulation (23 NYCRR 500) face additional, sector-specific incident reporting requirements beyond those described on this page. Situations involving exclusively federal government systems or data belonging solely to residents of other states fall outside New York's GBL § 899-aa jurisdiction.

How it works

The notification process under New York law follows a structured sequence with specific timing and content requirements.

Phase 1 — Discovery and assessment. An entity discovers or is notified of a potential breach. The entity must conduct a reasonable and prompt investigation to determine whether private information of New York residents was actually acquired or likely acquired by an unauthorized person.

Phase 2 — Notification to the Attorney General and regulators. Once a breach is confirmed, covered entities must notify:
- The New York Attorney General's Office
- The New York Department of State
- The New York State Police
- Any relevant state agency that licenses the entity (e.g., the Department of Financial Services for regulated financial entities)

Notification to the AG's office is required "in the most expedient time possible" without unreasonable delay (GBL § 899-aa(8)).

Phase 3 — Notification to affected individuals. Affected New York residents must receive direct written notice. Notification may be provided by mail, electronic notification (where the person has consented to electronic communications), or telephone. Substitute notice — through email, website posting, and statewide media — is permitted only when direct notification would cost more than $250,000, affect more than 500,000 New York residents, or when the entity lacks sufficient contact information.

Phase 4 — Credit reporting agency notification. If a breach affects more than 5,000 New York residents, the entity must notify the major consumer reporting agencies of the timing, distribution, and content of the notices sent to residents.

The New York Office of the Attorney General maintains the enforcement mandate for violations of this notification framework.

Common scenarios

Three categories of incidents generate the majority of breach notifications filed with the New York AG.

Unauthorized network access / ransomware. A threat actor gains access to a database containing names paired with Social Security numbers or financial credentials. Even if the actor's primary intent is encryption for ransom rather than data exfiltration, New York law does not require confirmed exfiltration — unauthorized acquisition or likely acquisition is sufficient to trigger notice. The New York ransomware risks and response landscape documents this as a primary driver of AG enforcement actions.

Third-party vendor exposure. A service provider handling data on behalf of a New York-regulated entity experiences a breach. Under GBL § 899-aa, entities that maintain (not just own) private information are covered. Contractual arrangements with third-party vendors do not shift the notification obligation away from the covered entity that collected the data.

Credential compromise. The SHIELD Act's inclusion of usernames and email addresses combined with passwords as private information means a standalone credential breach — without financial data — can trigger notification. This is a direct expansion from the pre-2019 statute and catches a broader range of phishing and credential-stuffing incidents.

Decision boundaries

The contrast points below define the most operationally significant classification decisions under this framework.

Breach vs. security incident. Not every unauthorized access constitutes a reportable breach. An entity that can demonstrate, through forensic evidence, that private information was accessed but not acquired (e.g., a log file shows a system query that returned no records containing private information) may not face notification obligations. The burden of demonstrating non-acquisition falls on the entity, and the New York cybersecurity incident response documentation standards directly affect this determination.

Encrypted vs. unencrypted data. GBL § 899-aa exempts from notification any breach involving private information that was encrypted — provided the encryption key was not also acquired. This encryption safe harbor creates a direct operational distinction: entities that implement encryption controls aligned with recognized standards (such as those in NIST SP 800-111) can reduce notification obligations even following confirmed unauthorized access.

Notification timing contrast — NY vs. HIPAA. New York's statute requires notification "in the most expedient time possible" without defining a fixed window. HIPAA's Breach Notification Rule, by contrast, sets a hard 60-day deadline from discovery for covered entities (45 CFR § 164.404). For healthcare entities operating in New York, both timelines apply concurrently, and the more stringent standard effectively governs. The full regulatory context for New York cybersecurity addresses how these overlapping obligations interact.

Entities seeking a broader orientation to New York's cybersecurity regulatory landscape can reference the New York Security Authority index for the full range of sector-specific coverage areas.
