Charter Data Privacy: Jurisdictional Research

NY SHIELD Act

Stop Hacks and Improve Electronic Data Security Act

Statute
NY General Business Law §§ 899-aa, 899-bb
Regulations
None specified
Enacted / Last Major Amendment
Security requirements effective 2020
Jurisdictional Layer
New York State (state)

Summary

Expanded NY's breach notification law and added affirmative reasonable-safeguards requirements for any person or business owning or licensing NY residents' private information. Applies concurrently with Ed Law 2-d for charters.

Key Terms

Private information
Broader than Ed Law 2-d PII; includes payment card data, biometric data, employee data

School-side obligations

  • Implement reasonable administrative, technical, and physical safeguards
  • Notify affected NY residents of breach in most expedient time possible
  • Notify NY AG, Department of State, State Police of breach
  • Adopt safe-harbor framework (Ed Law 2-d / Part 121 / NIST CSF satisfies for student data)

Vendor-side obligations

  • If holding NY-resident private info, same safeguards apply
  • Vendor breach notification under Ed Law 2-d (7 days) generally tighter than SHIELD

Breach notification

Without unreasonable delay; specific content requirements; concurrent with NYAG / DOS / State Police notification.

Enforcement

NY Attorney General. Civil penalties up to $20 per failed notification (capped at $250K).

NCSC AI Toolkit — Scanner Fields

These fields in the NCSC AI Toolkit derive from this statute:

  • shield_act_safeguards_in_place
  • shield_act_breach_procedure_documented

Case Law — Verification Queue

Pending vLex verification. Never cite these without verification.

  • People v. Capital One
    NY AG enforcement (2019)
    Pre-SHIELD; verify on vLex