New York Data Breach Rule Summary
NY Gen. Bus. Law § 899-AA - § 899-BB
SUMMARY:
EFFECTIVE. December 7, 2005
WHO DOES THIS LAW APPLY TO. (1) Any person, business, or State entity that conducts business in New York and owns or licenses computerized data that includes Personal Information; and (2) any person, business, or State entity, even if the entity does not conduct business in New York, which maintains computerized data that includes Personal Information on State residents.
WHAT IS A BREACH. Unauthorized acquisition of computerized data that compromises the security, integrity or confidentiality of Personal Information maintained by a person, business, or State entity. A good faith acquisition of Personal Information by an employee or agent of the owner for internal purposes only is not a breach, if it is not subject to further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. Any information concerning a person (including name, number, personal mark, or other identifier) used to identify a person, in combination with any one or more of the following data elements, when the personal information or data element is not encrypted, or is encrypted but the encryption key has also been acquired:
- Social Security Number.
- Driver’s license number or non-driver identification card number.
- Biometric information, that includes data generated by electronic measurements of an individual’s unique physical characteristics, such as fingerprint, voice print, retina, or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity.
- Account number, credit card, or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
- User name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
Personal Information does not include publicly available information that is lawfully available from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the New York residents affected. In addition, the Attorney General, the Department of State's Division of Consumer Protection, and the Division of State Police shall be notified of the timing, content and distribution of the notices, and approximate number of affected individuals.
If more than 5,000 New York residents are involved in a breach, the person, business, or State entity shall also notify all consumer reporting agencies that maintain files on consumers nationwide (as defined by 15 U.S.C. § 1618a(p)), of the timing, content and distribution of the notices, and the approximate number of affected individuals.
The law also does not require consumer notification if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials. Such a determination must be documented in writing and maintained for at least five years. If the incident affects over five hundred residents of New York, the person or business shall provide the written determination to the state attorney general within ten days after the determination.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent to the affected State residents when the person, business or State entity becomes aware of, or is notified of, a security breach incident. The disclosure shall be made in the most expedient manner possible and without unreasonable delay consistent with the needs of law enforcement, or any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system. Notification may be delayed if law enforcement determines it will impede a criminal investigation. In that instance, notification will be made as soon as possible following clearance by law enforcement.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written.
- Telephonic (provided that a log is kept by the person or business giving notice).
- Electronic (if consent has been provided by the affected individual(s), and a log of each notification is kept by the person or business giving notice).
- Substitute notice as provided below.
The Notice shall include the following:
- Contact information for the person or business making the notification.
- The telephone numbers and websites of the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention and protection information.
- A description of the personal information data elements believed to have been acquired.
SUBSTITUTE NOTICE AVAILABLE. If the person, business, or State entity can demonstrate that the cost of providing notice will exceed $250,000, the affected class of persons to be notified exceeds 500,000, or the person, business or State entity has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice if the person, business, or State entity has an email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the person, business, or State entity if one is maintained.
- Notification to major statewide media.
NOTICE TO THIRD-PARTIES. If a person, business, or State entity maintains computerized data that includes Personal Information which it does not own, then the person, business or State entity shall notify the owner or licensee of the breach immediately upon discovery. The person, business or State entity that owns or licenses the computerized data shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. Under the SHIELD Act, the Attorney General may seek injunctive relief, restitution, and penalties against any business entity for violating the law. For failure to provide timely notification, the court may impose a civil penalty of up to $20 per instance of failed notification not to exceed $250,000. For failure to maintain reasonable safeguards, the court may impose a civil penalty of up to $5,000 per violation.
The penalties provided in this Section are in addition to any other lawful remedy available. Any action must be commenced within two years of discovery of the breach or date of the complaint.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES. The SHIELD Act requires any person or business that maintains private information to adopt administrative, technical, and physical safeguards.
DATA DISPOSAL PROVISIONS. NY Gen. Bus. Law § 399-H. No person, business, firm, partnership, association, or corporation, not including the state or its political subdivisions, shall dispose of a record containing personal identifying information unless the person, business, firm, partnership, association, or corporation, or other person under contract with the business, firm, partnership, association, or corporation does any of the following:
- a. shreds the record before the disposal of the record; or
- b. destroys the personal identifying information contained in the record; or
- c. modifies the record to make the personal identifying information unreadable; or
- d. takes actions consistent with commonly accepted industry practices that it reasonably believes will ensure that no unauthorized person will have access to the personal identifying information contained in the record.
Provided, however, that an individual person shall not be required to comply with this subdivision unless he or she is conducting business for profit.
LEGISLATIVE UPDATES.
A.B. 4254 – Signed into law on 8/10/2005, Effective 12/7/2005.
N.Y. STT. Law § 208 – Effective 12/7/2005.
S. 2605-D – Signed into law on 3/28/2013, Effective 3/28/2013.
S. 5575B – Signed into law on 7/25/2019, Effective 10/23/2019.
For more information, see:
- http://public.leginfo.state.ny.us/lawssrch.cgi?NVLWO:
- https://its.ny.gov/breach-notification
- https://ag.ny.gov/internet/data-breach
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.