Fact Sheet for Business

New York State Security Breach Law N.Y. Gen. Bus. Law. Section 899-aa


What is the law?

The information Security Breach and Notification Act.


Whom does the law cover?

Any person or business conducting business in New York State.


What does the law cover?

Computerized personal information that contains a combination of name, Social Security number, driver’s license number, account number, or credit and debit card number.


What information is not covered under this law?

Publicly available information from federal, State and local government records.


When is the law triggered? 

When a person has acquired computerized data containing personal information without valid authorization.


How does my business determine that information has been acquired without valid authorization?

Your business should look for any one of the following:

  1. that information is in the physical possession and control of an unauthorized person such as a lost or stolen computer or other device; 
  2. evidence of download or copied information; 
  3. evidence of unauthorized use of the information. Good faith acquisition of personal information for a business purpose does not trigger provision of the law so long as the information is not used or subject to unauthorized disclosure.

When does my business need to disclose a data breach? 
The disclosure must be made in the most expedient time possible and without unreasonable delay upon determination of a data breach. However, law enforcement may require that you delay notification of a data breach if they believe that its disclosure will impede a criminal investigation. Your business should consult law enforcement when appropriate.

How does my business disclose that there has been a data breach to New York residents?
Notification can be made by any one of the following methods: written, electronic (but only with consent of the person you are notifying) or by telephone. A business could also use substitute notice, if it can demonstrate to the New York State Attorney General that the cost of providing notice would exceed $250,000 or that the affected class of people to be notified exceeds 500,000 persons. You may also use substitute notice if you do not have sufficient contact information for those who have been affected. Substitute notice consists of all of the following: e-mail (when you have this information), conspicuous posting on your website, and notification to major statewide media.


What information must be contained in the notice to New York residents?

Notice shall include contact information for the person or business making the notification and a description of the categories of information that are reasonably believed to have been acquired by a person without valid authorization, including the specific elements of information that are reasonably believed to have been acquired. Please see: https://its.ny.gov/ for more information.