New York Data Breach Notification Law: Requirements & Legislation
In the event of a data breach, companies must often report to those affected. As there is no national consensus on the manner in which these notifications must be made, states have developed their own standards. New York is no exception, with a set of nuanced requirements. For those businesses operating in New York, it is essential to remain cognizant of changing legislation, and standard practice.
Defining a data breachA "Breach in the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business. In determining whether information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person or a person without valid authorization, the business should look for any of the following:
- That information is in the physical possession and control of an unauthorized person such as a lost or stolen computer or other device;
- Evidence of unauthorized download or copied information;
- Evidence of unauthorized use of the information.
Good faith acquisition of personal information for a business purpose does not trigger provision of the law so long as the information is not used or subject to unauthorized disclosure.
Defining personal identifiable information (PII)
Like most states, New York defines "private information" as personal information concerning a natural person which, because of a name, number, personal mark, or other identifier, can be used to identify said person, in combination with any one or more of the following data elements:
- Social Security number;
- driver's license or non-driver identification card number; or
- account, credit or debit card number, in combination with any required security or access code, or password that would permit access to an individual's financial account.
As personal information becomes increasingly available online, states are adopting more expansive definitions of PII. Additional information regarding privacy laws can be found here.
Notification and disclosure trigger
When personal information has been accessed without valid authorization, the disclosure must be made in the most expedient manner possible, and without unreasonable delay - typically within 30 days. However, law enforcement may require that you delay notification of a data breach if they believe that its disclosure would impede a criminal investigation. Notification can be made by any one of the following methods: written, electronic (but only with consent of the person you are notifying, this is important), or by telephone. A business could also substitute notice (e-mail, conspicuous posting on your website, and notification to major statewide media), if it can demonstrate to the New York State Attorney General that the cost of providing notice would exceed $250,000 or that the affected class of people to be notified exceeds 500,000 persons. You may also substitute notice if you do not have sufficient contact information for those affected.
It should be noted that most states, including New York, do not require notification if that data has been encrypted and the encryption key has not been compromised. Data encryption is your last line of defense. All data, regardless of sensitivity, should be encrypted. In the event of a data breach, the following entities must be notified. NYS Breach and Notification form, available here.
Related content: How to Ensure Mobility and Security Within Your Business
States frequently update privacy regulations, and in the wake of numerous high-profile breaches, there has been a push for country-wide legislative reform. New York currently has a several bills proposing notification reform. One of the most significant is called the "Stop Hacks and Improve Data Security" (SHIELD) Act. The Act would require reasonable security for private information, using standards tailored to the size of the business, while avoiding duplicate regulations and providing incentives to certify security compliance. Specifically, the bill:
- Carves out "compliant regulated entities," defined as those already regulated by, and compliant with, existing or future regulations of any federal or NYS government entity (including NYS DFS regulations; regulations under Gramm-Leach-Bliley; HIPAA regulations) by deeming them compliant with this law's reasonable security requirement. The bill provides that "certified compliant entities," defined as those with independent certification of compliance with aforementioned government data security regulations, or with ISO/NIST standards, receive safe harbor from AG enforcement actions under this law.
- Provides a more flexible standard for small business (less than 50 employees and under $3 million in gross revenue; or less than $5 million in assets): requiring reasonable safeguards "appropriate to the [small business's] size and complexity".
- For all other businesses, requires "reasonable safeguards" and provides clear examples of safeguards (e.g. technical, administrative, and physical measures).
- Deems inadequate security a violation of GBL 349 and permits the Attorney General to bring suit and seek civil penalties under GBL 350(d).
- Broadens the requirements for reporting a breach to the Attorney General by adding as a trigger of required notice:
- "Access to" (e.g. viewing of) private info (in addition to current trigger for "acquisition").
- Notification for breaches of additional data types, including username-and-password combination, biometric data, and HIPAA-covered health data.
- Applies the notice requirement to anyone holding private info of New Yorkers, changing the current requirement that they "conduct business" in New York State. This is a trend in breach notifications.
Operating in New York
Any business operating in New York should remain attentive to relevant legislature, as New York data breach notification laws and regulations are constantly being amended. For the latest information on data breaches, privacyrights.org provides a running list by type, organization affected, and geographic location. Remember, there are many ways to mitigate the risk factors associated with data breaches:
- Implement automatic system patches for all applications and core operating systems.
- Keep your anti-virus software up to date.
- Use cloud-based services that offer advanced protection including data encryption and automatic web-traffic validation.
- Encrypt all devices and information, to protect both sensitive user and client data.
- Leverage "https." Hypertext Transfer Protocol (HTTP) Secure allows for secure communication over a computer network by providing bidirectional encryption. This protects against eavesdropping or tampering with information by a malicious third party.
For assistance with operational compliance, proactive security strategies, or developments on New York data breach notification law, contact iCorps for more information.