New York Cybersecurity Compliance: Laws, Requirements & What Businesses Must Do
A practical guide to New York's cybersecurity and data privacy laws, including the SHIELD Act, 23 NYCRR 500 for financial services, and industry-specific compliance requirements.
New York has established one of the most rigorous cybersecurity regulatory environments in the United States, layering general-purpose data protection laws with industry-specific mandates that set a national benchmark. For businesses operating in the state — particularly those in financial services, healthcare, and legal — understanding these overlapping requirements is not optional. The penalties for non-compliance are substantial, and enforcement has been aggressive.
This guide breaks down the specific laws, regulations, and compliance obligations that New York businesses face in 2025. Whether you are subject to the broad SHIELD Act requirements that apply to every business holding New York residents' data or the granular technical mandates of 23 NYCRR 500 for financial services, the information below covers what the law actually requires — not what vendors want you to think it requires.
New York's Data Privacy & Cybersecurity Laws
New York does not have a single, unified data privacy statute. Instead, businesses must navigate a patchwork of laws and regulations that each address different aspects of data protection. The most important are outlined below.
SHIELD Act (2019) — NY General Business Law §899-aa
The Stop Hacks and Improve Electronic Data Security Act, signed into law on July 25, 2019, was New York's most significant update to its data breach notification framework in over a decade. The SHIELD Act did two critical things: it broadened the definition of 'private information' that triggers notification obligations and, for the first time, imposed affirmative data security requirements on any business holding the private information of New York residents. The security provisions took effect on March 21, 2020.
Under the SHIELD Act, private information now includes biometric data (fingerprints, retinal scans, voice prints), email addresses in combination with passwords or security questions, and account numbers or credit card numbers even without an access code if the number alone could be used to access a financial account. This expanded definition captures data categories that previous New York law did not address.
NY DFS Cybersecurity Regulation — 23 NYCRR 500
The New York Department of Financial Services Cybersecurity Regulation, first effective March 1, 2017 and significantly amended in November 2023, is widely regarded as the most comprehensive state-level cybersecurity regulation for financial services in the United States. It applies to all DFS-regulated entities including banks, insurance companies, mortgage brokers, money transmitters, licensed lenders, and their service providers.
The 2023 amendments introduced tiered compliance requirements based on company size. 'Class A' companies — those with over 2,000 employees or over $1 billion in gross annual revenue averaged over three years — face the most stringent requirements, including independent audits of their cybersecurity program, a mandatory privileged access management solution, and automated blocking of commonly used passwords. All covered entities must implement multi-factor authentication, maintain a written incident response plan, encrypt nonpublic information both in transit and at rest, and conduct annual penetration testing and bi-annual vulnerability assessments.
NY COPPA and Children's Privacy Protections
New York's protections for children's data include state-level implementation of the federal Children's Online Privacy Protection Act (COPPA) and the recently enacted New York Child Data Protection Act, which restricts the collection and sale of minors' personal data by online platforms. Businesses operating websites or applications directed at children under 13, or that knowingly collect data from minors, must implement additional consent and data handling procedures.
Proposed NY Privacy Act
New York has considered comprehensive consumer privacy legislation modeled after the California Consumer Privacy Act (CCPA) and the EU's General Data Protection Regulation (GDPR). The proposed New York Privacy Act would grant residents rights to access, correct, and delete their personal data, impose data minimization requirements on businesses, and establish a private right of action. While the bill has not passed as of early 2025, its repeated introduction signals that comprehensive privacy legislation remains a legislative priority, and businesses should prepare accordingly.
Data Breach Notification Requirements
The SHIELD Act's notification provisions apply to any person or business that owns or licenses computerized data that includes the private information of a New York resident. The history of breaches in New York demonstrates why these requirements exist and how they are enforced.
Who Must Be Notified
Affected individuals: Every New York resident whose private information was, or is reasonably believed to have been, acquired by an unauthorized person
New York Attorney General: Written notice describing the breach, the number of affected residents, and the steps taken
NY Division of State Police: Concurrent notification as required under GBL §899-aa
NY Department of State: Notification in parallel with other state agencies
Consumer reporting agencies: Required when more than 5,000 New York residents are affected in a single incident
Timing and Method
Notification must occur in the 'most expedient time possible and without unreasonable delay,' consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach. For biometric data specifically, the law requires notification within 10 business days. Notice may be provided in writing, electronically (with consent), or through substitute notice if the cost of direct notification exceeds $250,000, more than 500,000 individuals must be notified, or the business lacks sufficient contact information.
DFS-Specific Notification — 23 NYCRR 500.17
DFS-regulated entities face a separate, more stringent notification requirement. Under Section 500.17, covered entities must notify the Superintendent of Financial Services within 72 hours of determining that a cybersecurity event has occurred that either (a) impacts the covered entity and requires notification to any government body or self-regulatory agency, or (b) has a reasonable likelihood of materially harming any material part of the entity's normal operations. The 72-hour clock starts at determination, not discovery — but DFS expects prompt investigation.
Industry-Specific Compliance
Beyond the general-purpose SHIELD Act, specific industries in New York face additional regulatory layers that compound their compliance obligations.
Financial Services — 23 NYCRR 500 in Detail
DFS 500 is one of the most prescriptive cybersecurity regulations in the country. Key requirements include: a written cybersecurity policy approved by a senior officer, designation of a qualified Chief Information Security Officer (CISO), annual risk assessments, penetration testing at least annually, vulnerability assessments bi-annually, multi-factor authentication for remote access and privileged accounts, encryption of nonpublic information in transit and at rest, audit trail capabilities with at least five years of record retention (three years for certain transaction records), written vendor management policies, and annual certification of compliance filed with DFS by April 15.
The 2023 amendments added governance requirements including board-level reporting on cybersecurity, mandatory incident response planning and testing, and business continuity and disaster recovery plans. Class A companies must maintain a privileged access management solution, implement an endpoint detection and response solution, and conduct independent audits of their cybersecurity program.
Healthcare — HIPAA and New York Additions
Healthcare organizations in New York must comply with federal HIPAA Security Rule requirements and the SHIELD Act's broader data security mandate. Whereas HIPAA applies only to protected health information (PHI), the SHIELD Act covers all private information — meaning a New York healthcare provider's obligations extend beyond medical records to any personal data it handles. New York has also pursued state-level enforcement of HIPAA violations through the Attorney General's office, creating an additional enforcement layer beyond federal oversight.
Law Firms — ABA and NY State Bar Requirements
Attorneys in New York are bound by the New York Rules of Professional Conduct, which include the obligation to make reasonable efforts to prevent unauthorized disclosure of client information (Rule 1.6). The New York State Bar Association has issued ethics opinions confirming that lawyers must understand the technology risks facing their practices and take appropriate protective measures. Combined with the SHIELD Act's requirements, this means New York law firms face a dual obligation: regulatory compliance for the data they hold and professional ethical obligations to protect client confidences.
New York Compliance Checklist
The following checklist covers the core requirements that New York businesses must address. Organizations subject to 23 NYCRR 500 should treat the DFS-specific items as mandatory additions to the baseline.
Designate a security coordinator: The SHIELD Act requires someone responsible for your data security program. DFS 500 requires a designated CISO — either internal or through a qualified third-party provider
Conduct a written risk assessment: Identify the categories of private information you hold, the internal and external threats to that data, and the sufficiency of your current safeguards. DFS 500 requires annual updates
Implement reasonable administrative safeguards: Employee training, access controls, vendor management policies, and security awareness programs
Implement reasonable technical safeguards: Intrusion detection systems, regular security testing, secure data disposal, and monitoring of system access. DFS 500 entities must add MFA, encryption, EDR, and penetration testing
Implement reasonable physical safeguards: Detect and prevent unauthorized access to physical locations where private information is stored, including secure disposal of physical records
Establish an incident response plan: Document procedures for detecting, responding to, and recovering from data security incidents. DFS 500 requires testing of the plan
Maintain vendor management controls: Evaluate and contractually require data security practices for third-party service providers who access your data
Create a data retention and disposal policy: Define how long different categories of private information are retained and how they are securely destroyed when no longer needed
Document your cybersecurity program: Written policies should cover all elements of your security program. DFS 500 entities must maintain a board-approved cybersecurity policy
File required certifications: DFS-regulated entities must file an annual certification of compliance by April 15 using the DFS online portal. All businesses should maintain documentation of their compliance efforts for potential AG inquiries
How New York Businesses Stay Compliant
Compliance is not a one-time project. The evolving threat landscape in New York means that the controls adequate today may be insufficient tomorrow. Regulators — particularly DFS — have demonstrated that they expect covered entities to continuously improve their security posture.
Treat compliance as a continuous program: Annual risk assessments, regular policy reviews, and ongoing employee training are minimum baselines, not one-time exercises
Align security investments with regulatory requirements: Map your technology purchases to specific SHIELD Act or DFS 500 requirements to avoid spending on controls that do not address your actual compliance gaps
Engage qualified external partners: Many New York businesses, especially SMBs, lack the internal expertise to build and maintain a compliant cybersecurity program. Understanding what managed IT services include and how managed security services operate can help evaluate whether external support is appropriate
Monitor regulatory developments: New York's regulatory environment is active. DFS amendments, proposed privacy legislation, and AG enforcement trends should all be tracked as part of your compliance program
Test your controls: Policies that exist only on paper provide no protection. Regular penetration testing, tabletop exercises, and backup restoration tests verify that your safeguards actually work
Frequently Asked Questions
Does 23 NYCRR 500 apply to my business if I am not a bank or insurer?
23 NYCRR 500 applies to all entities regulated by the New York Department of Financial Services. This includes banks, insurance companies, mortgage brokers, money transmitters, licensed lenders, check cashers, and any other entity operating under a DFS license or registration. If you are unsure whether your business is DFS-regulated, check whether you hold any license or charter issued by the department. The SHIELD Act, by contrast, applies to every business that holds the private information of New York residents regardless of industry.
What is the annual certification requirement under DFS 500?
DFS-regulated entities must file an annual Certification of Compliance by April 15 each year, confirming that they materially complied with Part 500 during the prior calendar year. The certification must be signed by the covered entity's highest-ranking executive and the CISO. If the entity cannot certify full compliance, it must instead file a written acknowledgment identifying the areas of non-compliance and a detailed remediation plan and timeline.
Can the New York Attorney General bring enforcement actions for cybersecurity failures?
Yes. The New York Attorney General has broad enforcement authority under both the SHIELD Act and the state's general consumer protection statute (GBL §349). The AG's office has brought multiple enforcement actions against companies for both failure to implement reasonable safeguards and failure to provide timely breach notification. Civil penalties under the SHIELD Act can reach $5,000 per violation, and the AG can also seek injunctive relief requiring specific security improvements.
How does the SHIELD Act interact with HIPAA for healthcare providers?
The SHIELD Act and HIPAA operate independently but overlap significantly for New York healthcare providers. HIPAA's Security Rule governs the protection of electronic protected health information (ePHI), while the SHIELD Act governs all private information of New York residents. A New York healthcare provider must comply with both — meaning their security program must meet HIPAA's specific ePHI requirements and the SHIELD Act's broader reasonable safeguards standard for all other personal data. Where the SHIELD Act imposes stricter requirements, the stricter standard applies.
What constitutes 'reasonable safeguards' under the SHIELD Act?
The SHIELD Act does not define a specific set of required controls. Instead, it requires businesses to implement 'reasonable' administrative, technical, and physical safeguards appropriate to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the personal information it collects. The AG's enforcement actions provide guidance: businesses that fail to implement basic controls like encryption, access management, employee training, and vendor oversight have been found to lack reasonable safeguards. The standard is flexible but has teeth.
Alex Morgan
Updated Apr 4, 2026