state-AGState OverlayState: NY

New York SHIELD Act (Stop Hacks and Improve Electronic Data Security Act, N.Y. Gen. Bus. Law § 899-bb)

New York data breach and information security law requiring reasonable administrative, technical, and physical safeguards for private information of NY residents, with expanded breach notification.

Primary source

N.Y. Gen. Bus. Law § 899-bb — New York Senate

https://www.nysenate.gov/legislation/laws/GBS/899-BB

Verified May 23, 2026 · This is the authoritative regulator URL. The summary below is a research aid; the linked source controls.

The New York SHIELD Act — codified at N.Y. Gen. Bus. Law § 899-bb (security requirements) and amendments to § 899-aa (breach notification) — applies to any person or business that owns or licenses computerized data including private information of a New York resident.

Security requirements (§ 899-bb): implement and maintain a reasonable security program that includes reasonable administrative safeguards (designated security coordinator, risk assessment, employee training, third-party vendor selection), technical safeguards (network risk assessment, secure development, prevention/detection systems, incident response, regular testing), and physical safeguards (asset inventory, intrusion detection, secure disposal).

Safe harbor: HIPAA-compliant covered entities and business associates are deemed compliant with the security requirements for the private information governed by HIPAA.

Breach notification (§ 899-aa): expanded the definition of "breach" to include unauthorized access (not only acquisition); expanded "private information" to include biometric data, email + password, and account number with security code; required notice to NY OAG and consumer reporting agencies for breaches affecting more than 500 NY residents.

Enforcement: NY OAG civil enforcement with penalties up to $250,000 for knowing or reckless violations.

For NY healthcare practices, the HIPAA safe harbor substantially aligns SHIELD compliance with existing Security Rule work — but breach notification triggers may still differ for ePHI categories the practice holds outside HIPAA's reach.

Use this in your workspace

D3rx assembles the documentation linked to this regulation, walks the practical decisions in plain English, and stores the artifacts against the .gov sources cited above. It is an administrative research aid, not a substitute for counsel.

Related regulations

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Last reviewed May 23, 2026 · Citation verified May 23, 2026

Research aid, not legal advice. This summary is an administrative research aid prepared by D3rx. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. For authoritative regulatory text follow the primary source link at the top of this page. The practice remains responsible for reviewing, adopting, and maintaining its compliance program.