The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
The information provided in the map is meant to serve as a helpful guide and is not intended to be legal advice.
New York
Data Breach Notification Statute
Highlights
Covered Entities: Individuals, businesses, and other entities in New York that own or license computerized data, including private information.
Consumer Notification: Notification must be provided to any New York resident “whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization.”
Regulatory Notification: Notification must be provided to the New York Attorney General, New York Department of State, and New York Division of State Police if any New York resident is required to be notified of a breach.
Notification Timeline: Notification must be provided in the most expedient time possible and without unreasonable delay.
Data Format: Electronic.
Citations: N.Y. Gen. Bus. Law § 899-aa.
More Details
Definitions:
- Breach: The “unauthorized access to or acquisition of, or access to or acquisition without valid authorization, of computerized data that compromises the security, confidentiality, or integrity of private information maintained by a business.”
In determining whether information has been accessed, or is reasonably believed to have been accessed, by an unauthorized person or a person without valid authorization, entities may consider, among other factors, indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.
In determining whether information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person or a person without valid authorization, entities may consider the following factors, among others: indications of (1) physical possession and control of the data, (2) downloading or copying of the data, or (3) use of the data by an unauthorized person.
- Personal information (PI):
- An individual’s first name / first initial and last name in combination with one or more of the following data elements:
- Social Security number or tax identification number;
- Driver’s license number or non-driver identification card number;
- Account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual's financial account;
- Account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual's financial account without additional identifying information, security code, access code, or password; or
- Biometric information, meaning data generated by electronic measurements of an individual's unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual's identity.
- Personal information also includes a username or e-mail address in combination with a password or security question and answer that would permit access to an online account.
- Medical Information: N/A
- Health Insurance Information: N/A
Safe Harbors:
- Encryption: Notification is not required where the potentially impacted PI was encrypted, so long as the encryption key was not also accessed or acquired.
- Good Faith: “Good faith access to, or acquisition of, private information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure.”
- Risk of Harm: “Notice to affected persons under this section is not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.” In the event of such a determination, the entity must document the determination in writing and maintain it for at least five (5) years. If the incident affects over 500 New York residents, the person or business shall provide the written determination to the state Attorney General within ten (10) days after the determination.
- Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.
Direct Notice:
- Timing: Notification must be provided in the most expedient time possible and without unreasonable delay, consistent with measures necessary to determine the scope of the breach and restore the integrity of the system.
- Format: N/A
- Content: Regardless of the method by which notice is provided, the notice must include:
- Contact information for the person or business making the notification;
- Telephone numbers and websites of the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention and protection information; and
- A description of the categories of information that were, or are reasonably believed to have been, accessed or acquired by a person without valid authorization, including specification of which of the elements of personal information and private information were, or are reasonably believed to have been, so accessed or acquired.
- Method: Written, electronic (“provided that the person to whom notice is required has expressly consented to receiving said notice in electronic form and a log of each such notification is kept by the person or business who notifies affected persons in such form; provided further, however, that in no case shall any person or business require a person to consent to accepting said notice in said form as a condition of establishing any business relationship or engaging in any transaction”), or by telephone (“provided that a log of each such notification is kept by the person or business who notified affected persons”).
Substitute Notice:
An entity may provide substitute notice if (1) the cost of providing notice would exceed $250,000, (2) the notification population exceeds 500,000, or (3) the entity does not have sufficient contact information. Substitute notice must include: (1) email notice, where an email address is available, “except if the breached information includes an e-mail address in combination with a password or security question and answer that would permit access to the online account”; (2) conspicuous posting on the entity’s webpage; and (3) notice to statewide media.
Remediation Services:
N/A
Regulatory Notice:
Notification must be provided to the New York Attorney General, New York Department of State, and New York Division of State Police if any New York resident is required to be notified of a breach.
Credit Reporting Agencies Notice:
In the event more than 5,000 New York residents are notified, the entity must also “notify consumer reporting agencies as to the timing, content and distribution of the notices and approximate number of affected persons. Such notice shall be made without delaying notice to affected New York residents.”
Third-Party Notice:
Immediately following discovery of the breach, an entity must notify the owner or licensee of the breach if the PI is maintained on behalf of another entity.
HIPAA:
Any Covered Entity that is required under HIPAA or the HITECH Act to notify the Secretary of Health and Human Services of a breach, including a breach of information that is not “private information,” must also provide that notification to the state Attorney General within five (5) business days of notifying the Secretary.
Private Action:
N/A
Associated Regulations:
- N.Y. State Tech. Law § 208.
- NY Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR 500).
Information Security Standard
Highlights
Covered Entities: A person or entity that owns or licenses personal information of New York residents.
First Party Security Standard: Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.
Third Party Security Standard: N/A
Disposal/Destruction Standard: N/A
Data Format: Electronic.
Citations: N.Y. Gen. Bus. Law § 899-bb.
More Details
Definitions:
- Private Information (PI): Any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify a natural person, in combination with any one (1) or more of the following data elements:
- Social Security number;
- Driver’s license number or state identification card number;
- Financial account or payment card number plus any required security code, access code, or password that would permit access to an individual’s financial account;
- Financial account or payment card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password; or
- Biometric data.
A username or e-mail address in combination with a password or security question and answer that would permit access to an online account without further identifying information constitutes PI.
PI does not include publicly available information which is lawfully made available to the general public from federal, state or local government records.
- Small Business: Any person or business with (i) fewer than 50 employees; (ii) less than $3,000,000 in gross annual revenue in each of the previous 3 fiscal years; or (iii) less than $5,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles.
Methods of Compliance:
A person or business shall be deemed in compliance with New York’s “reasonable safeguards” requirement if it implements a data security program that includes:
- Reasonable administrative safeguards such as: (i) designation of one (1) or more employees to coordinate the security program; (ii) identification of reasonably foreseeable internal and external risks; (iii) assessment of the sufficiency of safeguards in place to control the identified risks; (iv) training and management of employees in the security program practices and procedures; (v) selection of service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract; and (vi) adjustment of the security program in light of business changes or new circumstances;
- Reasonable technical safeguards such as: (i) assessment of risks in network and software design; (ii) assessment of risks in information processing, transmission, and storage; (iii) detection, prevention, and response to attacks or system failures; and (iv) regular testing and monitoring of the effectiveness of key controls, systems, and procedures; and
- Reasonable physical safeguards such as: (i) assessment of risks of information storage and disposal; (ii) detection, prevention, and response to intrusion; (iii) protection against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information; (iv) disposal of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
Small businesses are deemed in compliance with the safeguard requirements if the business’s security program contains reasonable administrative, technical, and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.
Exclusions:
- Health Care: Any person or business that is subject to, and in compliance with, regulations implementing HIPAA and the HITECH Act is deemed in compliance.
- Financial: Any person or business that is subject to, and in compliance with, regulations promulgated pursuant to the GLBA is deemed in compliance. Any person or business that is subject to, and in compliance with the NYDFS Cybersecurity Requirements for Financial Services Companies is deemed in compliance.
- Other: Any person or business that is subject to, and in compliance with, any other data security rules and regulations of, and statutes administered by, any official department, division, commission or agency of the federal or New York state government as such rules, regulations or statutes are interpreted by such department, division, commission, or agency, or by the federal or New York state courts is deemed in compliance.
Enforcement/Penalties:
Violations of this section are deemed deceptive acts and practices. The New York Attorney General may bring an action on behalf of individuals to enjoin violations and to obtain civil penalties. Violations may result in a civil penalty of up to $15,000 for each violation or three (3) times the restitution needed, whichever is greater. No private right of action exists under this section.
Associated Regulations:
N/A