New York State law requires businesses and other entities to notify consumers in the event of a data security breach so that affected consumers can take appropriate action to protect themselves against the threat of identity theft.
When Is a Data Security Breach Notification Triggered?
A data security breach notification is required when an unauthorized person acquires, or is reasonably believed to have acquired, computerized data containing personal information of individuals consisting of a combination of a person's name, Social Security number, driver's license number, bank account number, and/or credit and debit card number with PIN or access code (defined by law as "private information").
What Are The Risks?
Personal privacy is compromised by a data security breach and there is an increased possibility of identity theft. Businesses are also at risk of losing customers, as studies have shown that consumers lose trust in a brand after a data security breach and ultimately may switch to a competitor.
Who Must Be Notified?
Any resident of New York State whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization must be notified in accordance with provisions of the New York State Security Breach Law. The primary method of notification will be through the mail, but for large breaches affecting more than 500,000 New Yorkers there may be substitute notice through the company's website and the media.
Entities must also provide written notification to the New York State Department of State Division of Consumer Protection, New York State Attorney General, and the New York State Division of State Police.
How Do Breaching Entities Notify the Required State Agencies?
Notification to the required State agencies mentioned above must occur using the New York State Information Security Breach and Notification Act Reporting form.
What Resources Are Available For Businesses?
The Division provides the following resources for businesses and other entities:
- New York State Security Breach Law Fact Sheet for Business covering N.Y. Gen. Bus. Law. Section 899-aa: security breach law. (For a handy reference guide, download the PDF version.)
- This sample data security breach notification letter to consumers can be adapted by breaching entities to notify New Yorkers of a data security breach incident. It is for informational purposes only. It should not be construed as legal advice and/or as policy of the State of New York. It is recommended that a business entity consult with a privacy professional and/or an attorney for further guidance.
If you have questions or concerns about a data security breach, please contact the Division. We will review your message and/or question and respond accordingly.