New York Employee Handbook Requirements (2026)

The Stop Hacks and Improve Electronic Data Security (SHIELD) Act isn't just a cybersecurity law. It's an employment law that belongs in your handbook. Any business that holds private information of a New York resident must implement reasonable safeguards across three categories: administrative (employee training, risk assessments, vendor management), technical (network monitoring, encryption, intrusion detection), and physical (secure data storage and disposal).

Here's what trips employers up: the SHIELD Act applies to you even if you have no physical presence in New York. If you hold data on a single New York resident, whether a remote employee, a customer, or an applicant, you're covered. The December 2024 amendments made things stricter:

• Breach notification must now happen within 30 days (previously no hard deadline)
• Reports must also go to the NY Department of Financial Services
• Protected private information now includes medical and health insurance data (effective March 21, 2025)

Penalties: up to $5,000 per violation for failing to maintain reasonable safeguards, and up to $20 per instance of failed breach notification, capped at $250,000. The Attorney General handles enforcement, and there's no private right of action. That $250K cap adds up fast with a large employee or customer base.

The common mistake? Treating this as an IT problem instead of an HR problem. Your handbook needs a written data security policy, and you need documented proof that employees received training. A firewall won't help you if your people aren't trained.

The fix: Add a data security and breach notification policy to your handbook. Document employee training on data handling. Review vendor contracts for data security provisions. Build a breach response plan with the 30-day notification timeline baked in.

Sources: NY GBL Sec. 899-aa (SHIELD Act); NY GBL Sec. 899-bb (breach notification); 2024 SHIELD Act Amendments (S.9563/A.10310); NY Attorney General enforcement authority under GBL Sec. 899-aa(6).

New York has two pay transparency laws, and the interaction between them catches employers off guard. The NYC Salary Transparency Act (effective November 2022) covers employers with 4+ employees in the city. The New York State Pay Transparency Law (Section 194-B, effective September 2023) extends coverage statewide for employers with 4+ employees.

The NYC Commission on Human Rights isn't treating this as a paperwork exercise. As of early 2024, the Commission had filed 33 complaints, most targeting employers who simply omitted salary ranges from job postings. First-time violators in NYC can avoid civil penalties by submitting proof of cure within 30 days, but that cure counts as an admission of liability. Subsequent violations carry penalties up to $250,000.

The state law penalties work differently: $1,000 for a first violation, $2,000 for a second, and $3,000 for each one after that, enforced by the NY Department of Labor.

What employers get wrong:

• Remote roles: If the position reports to a New York supervisor or office, the law applies even if the employee works in another state
• Internal postings: Promotions and transfers need salary ranges too
• "Competitive salary" isn't a range. You must list a minimum and maximum
• Third-party job boards: You're responsible for postings on Indeed, LinkedIn, and recruiting platforms, not just your careers page

The fix: Audit every active job posting across all platforms. Establish pay ranges based on actual compensation data, not guesses. Train recruiters that ranges are mandatory for every posting, internal or external. If you're in NYC, the cure provision is a one-time grace period, not a permanent safety net.

Sources: NYC Administrative Code Section 32-532 (NYC Salary Transparency Act); NY Labor Law Sec. 194-b (State Pay Transparency Law); NYC Commission on Human Rights enforcement data (2024); NY Department of Labor penalty schedule under Sec. 194-b(4).

Unlike most states that tie training requirements to employer size, New York requires every employer with one or more employees to provide annual interactive sexual harassment prevention training. That's not a typo. Even a business with a single employee must comply. NYC layers on additional requirements for employers with 15+ employees under the Stop Sexual Harassment in NYC Act.

The training must be interactive, not a passive video. It must cover: the definition of sexual harassment under both state and federal law, examples of conduct that constitutes harassment, the internal complaint process, information about the federal EEOC and the NY Division of Human Rights, bystander intervention topics, and the specific responsibilities of supervisory employees.

Penalties start at $100 per employee for a first violation and escalate with each subsequent violation. Violations include: not providing annual training, not distributing a written sexual harassment prevention policy, and not providing a complaint form. For an employer with 200 employees, a first violation means $20,000, and that's before any actual harassment claim leverages the training gap.

NYC employers with 15+ employees face additional requirements: training must be completed by employees who work more than 80 hours per calendar year in the city and have been employed for at least 90 days.

The real cost isn't the fine. It's the lawsuit defense. Documented training is a critical element in defending against harassment claims. Without it, you lose the ability to argue you took reasonable preventive measures.

The fix: Implement annual training on a fixed schedule (calendar year or hire anniversary). Use New York-specific interactive training, not a generic national program. Distribute the state model policy (or your own compliant version) to every employee. Keep completion records for at least 3 years. If you have NYC employees, track the 80-hour/90-day thresholds separately.

Sources: NY Labor Law Sec. 201-g (sexual harassment prevention training and policy requirements); NYC Administrative Code Section 8-107(29) (Stop Sexual Harassment in NYC Act); NY Division of Human Rights model training and policy materials.

Since May 7, 2022, New York employers who monitor employee email, internet usage, or telephone conversations on company-provided devices must provide written notice to employees upon hire. The employee must acknowledge receipt in writing, and the employer must conspicuously post the notice in the workplace.

The penalties are structured to sting repeat offenders: $500 for a first offense, $1,000 for a second, and $3,000 for a third and every subsequent offense. The Attorney General handles enforcement, with no private right of action.

What makes this easy to violate:

• It covers almost everything. Email monitoring, internet usage tracking, phone call recording, GPS tracking on company devices. If you're watching what employees do on company systems, you need the notice
• New hires slip through the cracks. The notice must be given at hire, not during orientation two weeks later
• Remote workers count. If you monitor a remote employee's company laptop usage, you need the notice even if they never set foot in a New York office
• Acknowledgment must be documented. Verbal notice doesn't count. You need a signature or electronic acknowledgment

This one is genuinely low-effort to fix, which makes non-compliance even less defensible. The law doesn't restrict your right to monitor. It just requires you to tell employees you're doing it.

The fix: Add an electronic monitoring disclosure to your onboarding packet and handbook. Get signed acknowledgment from every employee. Post the notice in your workplace (and consider your digital workplace for remote teams). Audit your acknowledgment records annually.

Sources: NY Civil Rights Law Sec. 52-c (employee electronic monitoring notice requirements); NY Attorney General enforcement authority under CRL Sec. 52-c(3); penalty schedule under CRL Sec. 52-c(4).

New York now has three distinct paid leave programs that interact in overlapping and confusing ways. As of January 2025, there's a new one to track.

Paid Family Leave (PFL): Up to 12 weeks at 67% of the employee's average weekly wage (capped at 67% of the statewide average weekly wage, $1,177.32/week in 2025). Covers bonding with a new child, caring for a family member with a serious health condition, and qualifying military family needs.

Paid Sick Leave (PSL): 40 hours for employers with 5-99 employees, 56 hours for 100+. Covers the employee's own illness, a family member's illness, and safe leave purposes (domestic violence, sexual assault, stalking, human trafficking).

Paid Prenatal Leave (new January 2025): 20 hours of job-protected paid prenatal leave at the employee's regular rate of pay during any 52-week period. This applies to all employers regardless of size, with no threshold. It's separate from and in addition to both PFL and PSL.

The interaction trap: PFL and PSL are separate programs with separate banks, but their qualifying reasons overlap. An employee caring for a sick parent could use PSL (own family member's illness) and PFL (family caregiving), but cannot receive more than full wages while collecting PFL benefits. Employers cannot require employees to exhaust PSL or vacation before taking PFL.

The prenatal leave addition means a pregnant employee in New York could access: 20 hours prenatal leave + 26 weeks of short-term disability (for pregnancy complications or recovery) + 12 weeks PFL (bonding) + their regular PSL bank. Tracking all of this concurrently is a real administrative challenge.

The fix: Build separate tracking for PFL, PSL, and prenatal leave banks. Train managers that employees choose which leave to use. You can't force them onto one program over another. Update your handbook to include the prenatal leave provision. Consider leave management software if you have 50+ employees.

Sources: NY Workers' Compensation Law Article 9 (Paid Family Leave); NY Labor Law Sec. 196-b (Paid Sick Leave); NY Labor Law Sec. 196-c (Paid Prenatal Leave, effective January 2025); 12 NYCRR Part 380 (PFL regulations).