Compliance Program Charter - New York
COMPLIANCE PROGRAM CHARTER — NEW YORK SUPPLEMENT
Company: [________________________________]
Effective Date: [__/__/____]
Approved by: [________________________________]
Version: [____]
TABLE OF CONTENTS
- Purpose and Authorization
- New York Regulatory Landscape
- Scope — New York Compliance Domains
- Governance Enhancements
- Core Program Elements — New York Focus
- NYDFS Compliance (If Applicable)
- New York Regulatory Change Management
- New York-Specific Reporting and Metrics
- Resources
- Review and Approval
- Annexes
1. PURPOSE AND AUTHORIZATION
This supplement addresses New York-specific requirements including the SHIELD Act, NYDFS Cybersecurity Regulation (23 NYCRR Part 500), NY consumer protection statutes (GBL §§ 349-350), the NY State Human Rights Law (NYSHRL), and NY whistleblower protections (Labor Law § 740, as amended Jan. 26, 2022, to cover all private-sector employees).
2. NEW YORK REGULATORY LANDSCAPE
| Domain | Key NY Statutes/Regulations | Regulator |
|---|---|---|
| Privacy & Data Security | SHIELD Act (GBL § 899-aa, § 899-bb); NYDFS 23 NYCRR Part 500; NY breach notification (GBL § 899-aa(8)) | NY AG; NYDFS |
| Consumer Protection | GBL § 349 (Deceptive Acts/Practices); GBL § 350 (False Advertising) | NY AG; private plaintiffs |
| Employment | NYSHRL (Exec. Law § 290 et seq.); NYC Human Rights Law (NYC Admin. Code § 8-101); mandatory sexual harassment training; pay transparency (Lab. Law § 194-b) | NY DHR; NYC CCHR |
| Whistleblower | Labor Law § 740 (expanded Jan. 2022 to all private employees); False Claims Act (State Finance Law § 187 et seq.) | Courts |
| Financial Services | 23 NYCRR Part 500; Banking Law; Insurance Law | NYDFS |
| Corporate Governance | NY Business Corporation Law; nonprofit obligations (if applicable) | NY DOS |
3. SCOPE — NEW YORK COMPLIANCE DOMAINS
3.1 Data Security and Privacy
☐ SHIELD Act: reasonable administrative, technical, and physical safeguards for NY private information
☐ Breach notification: notify the AG, DOS, and State Police of breaches affecting NY residents
☐ NYDFS Part 500 (if covered entity): cybersecurity program, CISO, risk assessment, MFA, encryption, penetration testing, incident notification (72 hours to Superintendent), annual certification
3.2 Consumer Protection
☐ GBL § 349: prohibition of deceptive acts or practices (broad private right of action; no scienter required)
☐ GBL § 350: prohibition of false advertising
☐ Review marketing, advertising, pricing, and disclosures for compliance
3.3 Employment
☐ NYSHRL (Exec. Law § 296): discrimination, harassment, retaliation protections (all employers with 4+ employees; individual liability for supervisors)
☐ NYC Human Rights Law (if NYC operations): among the broadest employment protections in the nation
☐ Mandatory sexual harassment prevention training (annual for all employees per Labor Law § 201-g)
☐ Pay transparency (Lab. Law § 194-b): salary range disclosure in job postings (employers with 4+ employees)
☐ Whistleblower protections (Labor Law § 740): expanded protections effective Jan. 26, 2022
3.4 Financial Services (If NYDFS-Covered)
☐ 23 NYCRR Part 500 cybersecurity program
☐ Annual certification to Superintendent (§ 500.17(b))
☐ Third-party service provider security policy (§ 500.11)
☐ CISO designation and Board reporting (§ 500.4)
☐ Incident notification within 72 hours (§ 500.17(a))
4. GOVERNANCE ENHANCEMENTS
| Role | New York Responsibilities |
|---|---|
| CCO | Oversee NY regulatory compliance; NY AG relationship management |
| CISO | SHIELD Act technical safeguards; NYDFS Part 500 compliance (if applicable) |
| Privacy Lead | SHIELD Act administrative safeguards; breach notification procedures |
| Employment Counsel | NYSHRL/NYC HRL compliance; harassment training; pay transparency |
| Consumer Protection Counsel | GBL §§ 349-350 review of marketing and advertising |
| Board/Committee | Receive NY-specific compliance reports; NYDFS annual certification oversight |
5. CORE PROGRAM ELEMENTS — NEW YORK FOCUS
5.1 Risk Assessment — NY Additions
| Risk Area | Focus | Frequency |
|---|---|---|
| SHIELD Act safeguards | Administrative, technical, physical safeguards assessment | Annual |
| NYDFS Part 500 (if applicable) | Full cybersecurity program assessment | Annual |
| GBL §§ 349-350 | Marketing/advertising/disclosure review | Annual |
| NYSHRL/NYC HRL employment | Harassment, discrimination, pay equity | Annual |
| Breach readiness | NY notification procedures (AG, DOS, State Police) | Annual |
5.2 Policies — NY-Specific
☐ NY breach notification procedures (AG, DOS, State Police)
☐ SHIELD Act data security policy
☐ NYDFS cybersecurity policy (if applicable, per § 500.3)
☐ Sexual harassment prevention policy (compliant with Labor Law § 201-g model)
☐ Whistleblower policy (Labor Law § 740 compliant)
☐ Pay transparency policy (Lab. Law § 194-b)
☐ GBL §§ 349-350 marketing review procedures
5.3 Training — NY-Specific
| Training | Audience | Frequency | Requirement |
|---|---|---|---|
| Sexual harassment prevention | All NY employees | Annual | Labor Law § 201-g |
| SHIELD Act data security | Employees handling NY PI | Annual | Best practice |
| NYDFS cybersecurity (if applicable) | IT/security personnel | Annual | § 500.14 |
| GBL §§ 349-350 consumer protection | Marketing, sales, product | Annual | Best practice |
| Whistleblower awareness | All employees | Annual | Best practice |
| Pay transparency | HR, recruiting, hiring managers | Annual | Lab. Law § 194-b |
5.4 Monitoring and Testing — NY Additions
☐ SHIELD Act safeguards verification (administrative, technical, physical)
☐ NYDFS penetration testing (annual) and vulnerability assessment (bi-annual) (if applicable)
☐ Breach notification tabletop exercise
☐ Harassment complaint tracking and trend analysis
☐ GBL §§ 349-350 marketing/advertising audit
☐ Pay transparency audit (job posting compliance)
☐ NYDFS annual certification preparation (if applicable)
5.5 Third-Party Risk — NY Additions
☐ SHIELD Act vendor safeguards verification
☐ NYDFS § 500.11 third-party service provider policy compliance (if applicable)
☐ MFA verification for vendor access to information systems (§ 500.12)
☐ Vendor breach notification SLA alignment with NY requirements
6. NYDFS COMPLIANCE (IF APPLICABLE)
For organizations subject to 23 NYCRR Part 500 (as amended November 1, 2023):
6.1 Program Requirements
☐ Written cybersecurity policy (§ 500.3)
☐ CISO designated with Board reporting (§ 500.4(b))
☐ Annual penetration testing; bi-annual vulnerability assessments (§ 500.5)
☐ Audit trail systems (§ 500.6) — 5 years financial transactions, 3 years otherwise
☐ Access privileges and management (§ 500.7)
☐ Application security (§ 500.8)
☐ Risk assessment (§ 500.9) — annual, documented
☐ Cybersecurity personnel and intelligence (§ 500.10)
☐ Third-party service provider security policy (§ 500.11)
☐ Multi-factor authentication (§ 500.12) — expanded by Nov. 2023 amendments
☐ Data retention limitations (§ 500.13)
☐ Training and monitoring (§ 500.14)
☐ Encryption (§ 500.15)
☐ Incident response plan (§ 500.16)
☐ 72-hour notification to Superintendent (§ 500.17(a))
☐ Annual certification (§ 500.17(b))
6.2 Enhanced Requirements (Nov. 2023 Amendments)
☐ CISO must report to Board or senior governing body at least annually (§ 500.4(b))
☐ Board must have sufficient understanding of cybersecurity to exercise oversight (§ 500.4(d))
☐ Business continuity and disaster recovery plan required (§ 500.16)
☐ Governance framework: written policies approved by senior officer (§ 500.3)
☐ Asset management and inventory requirements (§ 500.13)
☐ Enhanced access controls including privileged access management (§ 500.7)
7. NEW YORK REGULATORY CHANGE MANAGEMENT
| Source | Monitoring |
|---|---|
| NY Legislature | Track proposed legislation through NYLEG/bill tracker |
| NY AG | Monitor enforcement actions, settlements, AG guidance |
| NYDFS | Monitor regulatory amendments, industry letters, and cybersecurity guidance |
| NY DHR/CRD | Monitor employment guidance and complaint trends |
| Courts | Track significant NY privacy, consumer, employment decisions |
8. NEW YORK-SPECIFIC REPORTING AND METRICS
| Metric | Target | Frequency |
|---|---|---|
| SHIELD Act safeguards verification | Completed | Annual |
| NYDFS annual certification (if applicable) | Filed timely | Annual |
| NYDFS 72-hour notification compliance | 100% | Per incident |
| Sexual harassment training completion | 100% of NY employees | Annual |
| GBL §§ 349-350 marketing review | All material campaigns | Ongoing |
| Pay transparency audit | 100% of job postings compliant | Quarterly |
| Vendor NYDFS § 500.11 compliance | 100% | Annual |
9. RESOURCES
☐ CISO/cybersecurity team (NYDFS compliance, if applicable)
☐ Privacy/data security team for SHIELD Act compliance
☐ Employment counsel for NYSHRL/NYC HRL
☐ External NY regulatory counsel
10. REVIEW AND APPROVAL
Review annually or upon material NY regulatory change (including NYDFS amendments).
11. ANNEXES
Annex A: NY Breach Notification Checklist
☐ Breach determination (date: [__/__/____])
☐ Affected NY residents identified
☐ NY AG notified (N.Y. Gen. Bus. Law § 899-aa(8)(a))
☐ NY DOS Division of Consumer Protection notified (§ 899-aa(8)(a))
☐ NY State Police notified (§ 899-aa(8)(a))
☐ Individual notice sent "in the most expedient time possible and without unreasonable delay"
☐ If NYDFS-covered: Superintendent notified within 72 hours (§ 500.17(a))
Annex B: NYDFS Annual Certification Preparation Checklist
☐ Cybersecurity program reviewed and updated
☐ Risk assessment completed
☐ Penetration test and vulnerability assessments current
☐ Third-party service provider assessments current
☐ CISO Board report delivered
☐ Incident response plan tested
☐ Training completed
☐ Certification filed by April 15
SOURCES AND REFERENCES
- NY SHIELD Act, N.Y. Gen. Bus. Law § 899-aa, § 899-bb
- NYDFS Cybersecurity Regulation, 23 NYCRR Part 500 (2017; amended Nov. 1, 2023)
- N.Y. Gen. Bus. Law §§ 349, 350
- NYSHRL, N.Y. Exec. Law § 290 et seq.
- NY Labor Law § 740 (Whistleblower, as amended Jan. 26, 2022)
- NY Labor Law § 194-b (Pay Transparency)
- NY Labor Law § 201-g (Sexual Harassment Prevention)
- DOJ Evaluation of Corporate Compliance Programs (2023)
- U.S. Sentencing Guidelines § 8B2.1
This template is provided for informational purposes only and does not constitute legal advice. Consult qualified legal counsel before use.
Last updated: April 2026