New York SHIELD Act (Stop Hacks and Improve Electronic Data Security Act, N.Y. Gen. Bus. Law § 899-bb)
New York data breach and information security law requiring reasonable administrative, technical, and physical safeguards for private information of NY residents, with expanded breach notification.
Primary source
N.Y. Gen. Bus. Law § 899-bb — New York Senate →https://www.nysenate.gov/legislation/laws/GBS/899-BB
Verified May 23, 2026 · This is the authoritative regulator URL. The summary below is a research aid; the linked source controls.
Additional sources
The New York SHIELD Act — codified at N.Y. Gen. Bus. Law § 899-bb (security requirements) and amendments to § 899-aa (breach notification) — applies to any person or business that owns or licenses computerized data including private information of a New York resident.
Security requirements (§ 899-bb): implement and maintain a reasonable security program that includes reasonable administrative safeguards (designated security coordinator, risk assessment, employee training, third-party vendor selection), technical safeguards (network risk assessment, secure development, prevention/detection systems, incident response, regular testing), and physical safeguards (asset inventory, intrusion detection, secure disposal).
Safe harbor: HIPAA-compliant covered entities and business associates are deemed compliant with the security requirements for the private information governed by HIPAA.
Breach notification (§ 899-aa): expanded the definition of "breach" to include unauthorized access (not only acquisition); expanded "private information" to include biometric data, email + password, and account number with security code; required notice to NY OAG and consumer reporting agencies for breaches affecting more than 500 NY residents.
Enforcement: NY OAG civil enforcement with penalties up to $250,000 for knowing or reckless violations.
For NY healthcare practices, the HIPAA safe harbor substantially aligns SHIELD compliance with existing Security Rule work — but breach notification triggers may still differ for ePHI categories the practice holds outside HIPAA's reach.
Use this in your workspace
D3rx assembles the documentation linked to this regulation, walks the practical decisions in plain English, and stores the artifacts against the .gov sources cited above. It is an administrative research aid, not a substitute for counsel.
Related regulations
HIPAA Breach Notification Rule Overview (45 CFR 164.400-414)
state-leg · State OverlayMassachusetts 201 CMR 17.00 (Standards for the Protection of Personal Information)
state-leg · State OverlayCalifornia Confidentiality of Medical Information Act (CMIA, Cal. Civ. Code 56-56.37)
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- RegulationCalifornia Confidentiality of Medical Information Act (CMIA, Cal. Civ. Code 56-56.37)California state law providing broader patient confidentiality protections than HIPAA for medical information held by providers, contractors, and certain employers.
- RegulationMassachusetts 201 CMR 17.00 (Standards for the Protection of Personal Information)Massachusetts data security regulation requiring a written information security program (WISP) protecting personal information of MA residents, with specific technical requirements.
- RegulationHIPAA Breach Notification Rule Overview (45 CFR 164.400-414)When unsecured PHI is accessed, used, or disclosed in a manner not permitted, the entity must follow individual, HHS, and (in some cases) media notification requirements within defined timelines.
- ComplianceBreach Risk Assessment: The 4-Factor Analysis Required by 45 CFR 164.402After a possible PHI incident, the four-factor breach risk assessment at 45 CFR 164.402 determines whether you notify. Do it in writing, do it on the record.
- ComplianceHIPAA Contingency Plan Template — 45 CFR § 164.308(a)(7)2026 HIPAA contingency plan template — 45 CFR § 164.308(a)(7) data backup, DRP, emergency mode, testing, and applications/data criticality analysis.
- ComplianceHIPAA Encryption Policy Template (45 CFR § 164.312(a)(2)(iv) + (e)(2)(ii))2026 HIPAA encryption policy template — 45 CFR § 164.312(a)(2)(iv) at-rest, § 164.312(e)(2)(ii) in-transit, NIST SP 800-111 algorithms, key management.
- ComplianceHIPAA Mobile Device & BYOD Policy Template (45 CFR § 164.310(d) + 164.308(a)(1)(ii)(B))2026 HIPAA mobile and BYOD policy template — 45 CFR § 164.310(d), § 164.308(a)(1)(ii)(B), NIST SP 800-124r2, enrollment and offboarding workflow.
- StateAlaska healthcare compliance overlayAlaska has no state-specific medical-information privacy statute beyond HIPAA, and no health-data-only breach rule.
Last reviewed May 23, 2026 · Citation verified May 23, 2026
Research aid, not legal advice. This summary is an administrative research aid prepared by D3rx. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. For authoritative regulatory text follow the primary source link at the top of this page. The practice remains responsible for reviewing, adopting, and maintaining its compliance program.