New York

Click here to review text of state statute (see N.Y. Gen. Bus. Law, Article 39-F, § 899-AA)

Click here to review the Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act").

[For specific rules applicable to state agencies – see N.Y. State Technology Law, §208.]

[For covered entities licensed in New York City - see N.Y. City Admin. Code, Title 20, Chapter 1, §20-117 for additional notification requirements.]

[For specific rules applicable to Financial Services Companies – click here.]

Return to Index of States

Click here to download a print-version of the Mintz Matrix

Information Covered / Important Definitions

Information covered:

Private information of New York residents.

“Personal Information” includes any information concerning a natural person which, because of name, number, personal mark or other identifier can be used to identify such natural person.

“Private Information” means either:

(i) personal information in combination with :

any of the data elements of typical personal information definition;
account number, credit or debit card number, in combination with any required security code, access code, password, or other information that would permit access to an individual's financial account;
account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual's financial account without additional identifying information, security code, access code, or password;
biometric information; or

(ii) a user name or email address in combination with a password or security question and answer that would permit access to an online account.

Important definitions:

“Security Breach” means unauthorized access to or acquisition of, or access to or acquisition without valid authorization of computerized data that compromises the security, confidentiality or integrity of private information maintained by a business.

In determining whether information has been accessed, or is reasonably believed to have been accessed, by an unauthorized person or a person without valid authorization, such business may consider, among other factors, indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.

In determining whether information has been accessed, or is reasonably believed to have been accessed, by an unauthorized person or a person without valid authorization, such business may consider, among other factors, indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.
Determination whether information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person or a person without valid authorization can include factors such as: (a) indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing information, (b) indications that the information has been downloaded or copied, and (c) indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of ID theft reported.

Note: The statute contains a “reasonable security requirement” for businesses that own or license private information of New York residents, the specific requirements of which are contained in the statute.

**Covered Entities* / Third Party Recipients**

Subject to statute:

Any person or business which owns or licenses computerized data which includes private information.

Third party recipients:

Any person or business that maintains computerized data which includes private information which such person or business does not own must notify the owner or licensee of any security breach involving private information immediately following discovery of the breach.

Notice Procedures & Timing / Other Obligations

Written, electronic or telephonic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless a law enforcement agency determines that notice will impede an investigation (in which case notification is delayed until authorized by law enforcement).

Notice to affected residents is required to contain specific content described in statute.
Electronic notice permitted only when the consumer to be notified has consented to such notice, and when such email address, its password, or its security question, was not involved in the breach. A log of all consumers notified electronically must be kept.

Substitute notice is available by means prescribed in the statute if a business demonstrates to the state attorney general that costs to exceed $250,000, affected class exceeds 500,000 persons, or covered entity has insufficient contact information.

Other obligations:

Any covered entity that must notify more than 5,000 New York residents at one time of a security breach is also required to notify consumer reporting agencies without delaying notice to affected New York residents.

Encryption Safe Harbor / Other Exemptions

Encryption Safe Harbor:

Statute not applicable if the personal data that was lost, stolen or accessed by an unauthorized individual is encrypted.

Safe harbor not available if the compromised data was encrypted with an encryption key that has also been acquired.

Other exemptions:

Exemption for good faith access to, or acquisition of private information by an employee or agent of a business for the purposes of the business so long as any private information is not used or subject to unauthorized disclosure.

Notice to consumers not required if exposure to private information was an inadvertent disclosure by persons authorized to access private information, and the business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials. Such determination must be in writing and maintained for 5 years. If incident affects more than 500 NY residents, a written determination must be provided to Attorney General within 10 days of determination.

Covered entities that provide notice to consumers of an incident pursuant to the following laws are not required to provide additional notice to consumers under the statute, but are still required to provide notice to the Attorney General, Dept. of State, and Division of State Police:

GLBA
HIPAA/HITECH
HITECH
Regulated financial services companies
Data security rules and regulations of any federal or New York state agency

Notification to Regulator / Waiver

Attorney General and Department of State and Division of State Police must be notified of a security breach without delaying notice to affected residents.

The notification must describe timing, content and distribution of the notices to residents and the approximate number of affected persons, and must include a template of the resident notice.

Any covered entity required to provide notification of a breach, including breach of information that is not "private information" to the secretary of health and human services pursuant to HIPAA or HITECH shall provide such notification to the state attorney general within five business days of notifying the secretary.

Penalties

Injunctive relief available, as well as actual costs or losses incurred by affected residents, including consequential financial losses.

For knowing or willful violations, civil penalties of the greater of $5,000 or up to $20 per instance of failed notification, provided that the latter amount may not exceed $250,000.

Private Cause of Action / Enforcement

Private Cause of Action: No.

Attorney General may bring action on behalf of victims of a security breach within three years of earlier of: (i) date Attorney General became aware of incident; or (ii) date of notice to Attorney General. In no event may an action be brought after six years from the date of discovery of a breach, unless the company took steps to hide the breach.

^*Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.