What Are New York's Data Breach Notification Requirements?

In the event of a data breach, companies must often report to those affected. As there is no national consensus on the manner in which these notifications must be made, states have developed their own standards. New York is no exception, with a set of nuanced requirements. For those businesses operating in New York, it is essential to remain cognizant of changing legislation, and standard practice.

Defining a data breach

A "Breach in the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business. In determining whether information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person or a person without valid authorization, the business should look for any of the following:

  1. That information is in the physical possession and control of an unauthorized person such as a lost or stolen computer or other device;
  2. Evidence of unauthorized download or copied information;
  3. Evidence of unauthorized use of the information.

Good faith acquisition of personal information for a business purpose does not trigger provision of the law so long as the information is not used or subject to unauthorized disclosure.

Defining personal identifiable information (PII)

Like most states, New York defines "private information" as personal information concerning a natural person which, because of a name, number, personal mark, or other identifier, can be used to identify said person, in combination with any one or more of the following data elements:

  1. Social Security number;
  2. driver's license or non-driver identification card number; or
  3. account, credit or debit card number, in combination with any required security or access code, or password that would permit access to an individual's financial account.

As personal information becomes increasingly available online, states are adopting more expansive definitions of PII. Additional information regarding privacy laws can be found here

Notification and disclosure trigger

When personal information has been accessed without valid authorization, the disclosure must be made in the most expedient manner possible, and without unreasonable delay - typically within 30 days. However, law enforcement may require that you delay notification of a data breach if they believe that its disclosure would impede a criminal investigation. Notification can be made by any one of the following methods: written, electronic (but only with consent of the person you are notifying, this is important), or by telephone. A business could also substitute notice (e-mail, conspicuous posting on your website, and notification to major statewide media), if it can demonstrate to the New York State Attorney General that the cost of providing notice would exceed $250,000 or that the affected class of people to be notified exceeds 500,000 persons. You may also substitute notice if you do not have sufficient contact information for those affected.

It should be noted that most states, including New York, do not require notification if that data has been encrypted and the encryption key has not been compromised. 

Data encryption is your last line of defense. All data, regardless of sensitivity, should be encrypted.

Related content: How to Ensure Mobility and Security Within Your Business

What state entities do I notify

In the event of a data breach, the following entities must be notified. NYS Breach and Notification form, available here.

New York State Office of the Attorney General
Consumer Frauds & Protection Bureau
120 Broadway - 3rd Floor
New York, NY 10271
Fax: 212-416-6003
E-mail: breach.security@ag.ny.gov

New York State Division of State Police
New York State Intelligence Center
31 Tech Valley Drive, Second Floor
East Greenbush, NY 12061
Fax: 518-786-9398
E-mail: risk@nysic.gov

New York Department of State Division of Consumer Protection
One Commerce Plaza
99 Washington Ave., Suite 640
Albany, NY 12231
Fax: 518-473-9055
E-mail: security_breach_notification@dos.ny.gov

Pending legislation

States frequently update privacy regulations, and in the wake of numerous high-profile breaches, there has been a push for country-wide legislative reform.

New York currently has a several bills proposing notification reform. One of the most significant is called the "Stop Hacks and Improve Data Security" (SHIELD) Act. The Act would require reasonable security for private information, using standards tailored to the size of the business, while avoiding duplicate regulations and providing incentives to certify security compliance. Specifically, the bill:

  • Carves out "compliant regulated entities," defined as those already regulated by, and compliant with, existing or future regulations of any federal or NYS government entity (including NYS DFS regulations; regulations under Gramm-Leach-Bliley; HIPAA regulations) by deeming them compliant with this law's reasonable security requirement. The bill provides that "certified compliant entities," defined as those with independent certification of compliance with aforementioned government data security regulations, or with ISO/NIST standards, receive safe harbor from AG enforcement actions under this law.
  • Provides a more flexible standard for small business (less than 50 employees and under $3 million in gross revenue; or less than $5 million in assets): requiring reasonable safeguards "appropriate to the [small business's] size and complexity".
  • For all other businesses, requires "reasonable safeguards" and provides clear examples of safeguards (e.g. technical, administrative, and physical measures).
  • Deems inadequate security a violation of GBL 349 and permits the Attorney General to bring suit and seek civil penalties under GBL 350(d).
  • Broadens the requirements for reporting a breach to the Attorney General by adding as a trigger of required notice:
    • "Access to" (e.g. viewing of) private info (in addition to current trigger for "acquisition").
    • Notification for breaches of additional data types, including username-and-password combination, biometric data, and HIPAA-covered health data. 
  • Applies the notice requirement to anyone holding private info of New Yorkers, changing the current requirement that they "conduct business" in New York State. This is a trend in breach notifications. 

Operating in New York

Any business operating in New York should remain attentive to relevant legislature, as data breach regulations are constantly being amended. For the latest information on data breaches, privacyrights.org provides a running list by type, organization affected, and geographic location. 

Remember, there are many ways to mitigate the risk factors associated with data breaches:

  1. Implement automatic system patches for all applications and core operating systems.
  2. Keep your anti-virus software up to date. 
  3. Use cloud-based services that offer advanced protection including data encryption and automatic web-traffic validation.
  4. Encrypt all devices and information, to protect both sensitive user and client data.
  5. Leverage "https." Hypertext Transfer Protocol (HTTP) Secure allows for secure communication over a computer network by providing bidirectional encryption. This protects against eavesdropping or tampering with information by a malicious third party. 

For assistance with operational compliance, or proactive security strategies,
contact iCorps for more information. 

As more businesses move to the cloud, it's important to ask your cloud provider the tough questions when it comes to data security. Check out this eBook for the top seven questions to ask. 

New Call-to-action

Related Content:
4 Ways Managed IT Services Can Scale with a New York Business
NYC Smart City Technology & Cyber Attack Vulnerability
What are Pennsylvania's Data Breach Notification Requirements?