New York Attorney General Cybersecurity Enforcement Actions

The New York Attorney General (OAG) exercises enforcement authority over entities that collect, store, or transmit personal data belonging to New York residents, including enforcement actions rooted in cybersecurity failures. This page covers the legal basis for OAG cybersecurity enforcement, the mechanisms through which investigations and penalties are initiated, documented scenarios from published OAG actions, and the boundaries that distinguish OAG enforcement from parallel regulatory regimes. Professionals navigating compliance obligations, breach response, or vendor risk management in New York will find this reference directly applicable to understanding the enforcement landscape.


Definition and scope

The New York Attorney General's cybersecurity enforcement authority derives primarily from two statutory frameworks: the SHIELD Act (Stop Hacks and Improve Electronic Data Security Act, signed into law in 2019 and codified at N.Y. Gen. Bus. Law §§ 899-aa and 899-bb) and the New York Executive Law § 63(12), which empowers the AG to pursue entities engaged in persistent fraud or illegal conduct. The SHIELD Act expanded breach notification obligations and introduced affirmative data security program requirements for any business holding private information of New York residents — regardless of where that business is incorporated or physically located.

OAG enforcement covers a broad range of entities: private corporations, healthcare providers, retailers, technology platforms, financial services firms not already subject to exclusive NYDFS supervision, and nonprofit organizations. For a fuller picture of how the SHIELD Act structures those obligations, see New York SHIELD Act Cybersecurity Obligations.

Scope limitations: OAG cybersecurity enforcement does not apply to federal agencies or federally chartered entities where preemptive federal law displaces state authority. Entities regulated exclusively under the NYDFS Cybersecurity Regulation (23 NYCRR 500) may face parallel but distinct proceedings — the OAG and NYDFS operate under separate statutory mandates and do not share enforcement jurisdiction over the same violations. Details on the NYDFS framework are covered at NYDFS Cybersecurity Regulation 23 NYCRR 500. The OAG does not cover cybercrime prosecution, which falls to the New York State Police Cyber Analysis Unit and district attorneys' offices.


How it works

OAG cybersecurity enforcement typically proceeds through four phases:

  1. Trigger — Breach notification or complaint intake. Enforcement actions are most commonly initiated when a business submits a breach notification to the OAG under N.Y. Gen. Bus. Law § 899-aa, which requires notification within the "most expedient time possible" and without unreasonable delay. Third-party complaints and investigative journalism can also open a docket. The OAG's Bureau of Internet and Technology receives these notifications and screens for potential violations.

  2. Investigation. The OAG issues civil investigative demands (CIDs) requesting records, security audit logs, vendor contracts, and internal communications. Entities under investigation must produce documentation demonstrating their data security program. Failure to maintain a program that includes reasonable administrative, technical, and physical safeguards — as required under SHIELD Act § 899-bb — can independently constitute a violation even absent a confirmed breach.

  3. Negotiation and Assurance of Discontinuance (AOD). The majority of OAG cybersecurity enforcement actions resolve through an Assurance of Discontinuance rather than litigation. An AOD is a binding legal agreement under Executive Law § 63(15) in which the respondent agrees to remediation steps, enhanced security measures, and monetary penalties.

  4. Penalty imposition and monitoring. Civil penalties under the SHIELD Act for failure to notify range up to $5,000 per violation (N.Y. Gen. Bus. Law § 899-aa(6)). Penalties for inadequate data security programs are assessed under the General Business Law's deceptive practices provisions, where the OAG has discretion to seek damages reflecting consumer harm. AODs frequently include 2–3 year compliance monitoring periods.

The full regulatory context for these enforcement activities is mapped at Regulatory Context for New York Cybersecurity.


Common scenarios

OAG enforcement actions have addressed a consistent set of failure patterns, documented in publicly released AODs and press releases from the New York Attorney General's office:


Decision boundaries

Understanding when OAG enforcement applies — versus NYDFS, FTC, or HHS OCR — requires mapping the regulated entity type against the applicable statutory trigger:

Enforcement Body     Primary Statute               Entity Scope                                   Key Trigger
-------------------  ----------------------------  ---------------------------------------------  ---------------------------------------------------------------
NY Attorney General  SHIELD Act / Exec. Law § 63   Any entity holding NY resident data            Breach notification failure; inadequate security program
NYDFS                23 NYCRR 500                  Licensed financial entities in NY              Cybersecurity program deficiencies; incident reporting failures
FTC                  FTC Act § 5                   Entities in or affecting interstate commerce   Unfair or deceptive data security practices
HHS OCR              HIPAA Security Rule           Covered entities and business associates       Protected health information safeguard failures

The OAG's reach is broader than NYDFS in entity scope but narrower in prescriptive technical requirements. NYDFS-regulated entities facing a breach will typically engage both regulators, but the legal standards and penalty structures differ. A technology startup holding New York consumer data faces OAG jurisdiction under the SHIELD Act even if it has no NYDFS license and no federal sectoral regulator.

The New York Security Authority home reference provides the broader landscape of cybersecurity obligations applicable across these frameworks in New York State.

Entities that have experienced an incident and are determining reporting obligations should cross-reference New York Data Breach Notification Requirements and New York Cybersecurity Incident Response to identify parallel timelines and agency contacts.

