State notification register
New York data breach notification law: in the most expedient time possible and without unreasonable delay.
New York's breach-notification obligations are set by N.Y. Gen. Bus. Law 899-aa (amended by the SHIELD Act). This page summarises the deadline to notify affected residents, the attorney general notification threshold, whether a private right of action exists, and the penalties for late or missing notification. Every provision is cited to its source statute and was verified in June 2026.
Individual deadline
30 days
From discovery / determination
AG notification
Required
All breaches (AG, Dept. of State, State Police)
Private action
Limited
Actual damages only
Statute
NY
N.Y. Gen. Bus. Law 899-aa
Section NY.1
What the statute requires
Under N.Y. Gen. Bus. Law 899-aa, the amended by the SHIELD Act, a business that owns or licenses computerized personal information of New York residents must notify affected individuals in the most expedient time possible and without unreasonable delay, no later than 30 days after discovery.
Attorney general or state-agency notification is all breaches (ag, dept. of state, state police). Where required, the timeline is: aligned with timing and content of individual notices.
Recent change: SHIELD Act added the 30-day individual deadline and expanded safeguard duties.
Section NY.2
What triggers notification
Like most US state statutes, notification is triggered by the unauthorized acquisition of unencrypted, unredacted computerized personal information that compromises its security, confidentiality, or integrity. Two concepts recur across the states and apply here.
Encryption safe harbor
Personal information that was encrypted, and where the encryption key was not also acquired, generally does not trigger notification. A stolen device with full-disk encryption is typically a non-event; an unencrypted record, or an encrypted record where the key was exposed alongside it, is a reportable breach.
Who must be notified
- [1] Affected New York residents: 30 days
- [2] Attorney general / state agency: all breaches (ag, dept. of state, state police)
- [3] Consumer reporting agencies where the breach is large-scale
Section NY.3
Penalties and enforcement
Greater of $5,000 or $20 per failed notification, capped at $250,000; safeguard violations up to $5,000 each.
Private right of action: Limited. Actual damages only; no statutory damages and no attorney-fee recovery; enforced primarily by the AG.
Primary source:New York statute N.Y. Gen. Bus. Law 899-aa (amended by the SHIELD Act); verified June 2026 against state statutory summaries and the underlying statute text.
Section NY.4
How this compares to the strictest states
The strictest US deadlines are 30 days (California, Florida, Washington, Colorado, Maine, New York, New Jersey). The majority of states use a qualitative "without unreasonable delay" standard with no fixed day cap. Here is where New York sits.
New York imposes a fixed 30-day deadline. That places it among the strictest states in the country.
Cross-references
Index / All 50 states + DC
→The full register: deadline and AG threshold for every state.
Schedule 09 / Notification laws
→Global frameworks and the cost of notification.
01 / Breach cost calculator
→Estimate your New York breach exposure, including notification cost.
Regulation / GDPR
→The 72-hour clock and 4%-of-revenue fine framework.
Cost / Notification
→Why notification is roughly 6% of total breach cost.
Schedule F / Reference Q&A
Frequently Asked Questions
Primary source:New York data breach notification statute (N.Y. Gen. Bus. Law 899-aa). Provisions verified June 2026 against state statutory summaries (Recording Law US data-privacy series, 2026 edition), the IAPP US State Data Breach Notification Chart, Foley & Lardner's chart, and the underlying statute text.