US-New YorkCan I sue a company that fails to protect my data under the SHIELD Act?
No, the SHIELD Act does not give private individuals the right to sue a company for data security failures — only the New York Attorney General can enforce it.
What the Law Says
The Stop Hacks and Improve Electronic Data Security (SHIELD) Act amends New York’s data security and breach notification laws, but it explicitly excludes a private right of action.
The SHIELD Act requires businesses that own or license computerized data containing private information of New York residents to implement and maintain reasonable administrative, technical, and physical safeguards to protect that information.
It also expands the definition of 'private information' and lowers the threshold for what constitutes a data breach requiring notification. However, the law makes clear that it does not authorize individuals to sue for violations.
Importantly, enforcement is reserved exclusively for the New York Attorney General, who may seek injunctions, civil penalties, and other remedies.
Statutory TextNothing in this article shall be construed to create a private right of action.
— General Business Law § 899-aa(2) — SHIELD Act
Sources
Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.