NYS Information Security Breach and Notification Act
N.Y. Gen. Bus. Law. Section 899-aa
What types of information are covered by the law?
Computerized personal information that contains a combination of name, Social Security number, driver’s license number,
account number, or credit and debit card number.
When is the law triggered?
When a person has acquired computerized data containing personal information without valid authorization.
How does my business determine that information has been acquired without valid authorization?
Your business should look for any one of the following: (1) that information is in the physical possession and control of an
unauthorized person such as a lost or stolen computer or other device; (2) evidence of unauthorized download or copied
information; (3) evidence of unauthorized use of the information.
Good faith acquisition of personal information for a business purpose does not trigger the provisions of the law so long as the
information is not used or subject to unauthorized disclosure.
When does my business need to disclose a data breach?
The disclosure must be made in the most expedient time possible and without unreasonable delay upon determination of
a data breach. However, law enforcement may require that you delay notification of a data breach if they believe that its
disclosure will impede a criminal investigation.
How does my business disclose that there has been a data breach to New York residents?
Notication can be made by any one of the following methods: written, electronic (but only with consent of the person
you are notifying) or by telephone.
A business could also use substitute notice, if it can demonstrate to the New York State Attorney General that the cost of
providing notice would exceed $250,000 or that the affected class of people to be notified exceeds 500,000 persons. You
may also use substitute notice if you do not have sufficient contact information for those who have been affected.
Substitute notice consists of all of the following: e-mail, conspicuous posting on your website, and notification to major
statewide media.
Advocating for and Empowering New York Consumers
Consumer Assistance Hotline: 1-800-697-1220 / https://dos.ny.gov
Kathy Hochul
Governor
Rossana Rosado
Secretary of State
FACTSHEET FOR BUSINESS
A Division of the New York Department of State
What information must be contained in the notice to New York residents?
Notice shall contain a description of the types of information believed to have been acquired by a person without
valid authorization and your contact information so that affected New York State residents may contact you about the
data breach.
When does my business need to notify the credit reporting agencies?
If there are more than 5,000 New York residents affected by the security breach at one time, your business must also notify
consumer reporting agencies as to the timing, content and distribution of the notices.
Which New York State entities need to be informed?
If New York residents are affected, then your business is required to inform:
1. The New York State Office of the Attorney General;
2. New York State Division of State Police; and,
3. The New York Department of State's Division of Consumer Protection.
New York
Department of State
Division of Consumer Protection
SECURITY BREACH NOTIFICATION
One Commerce Plaza
99 Washington Ave., Suite 640
Albany, NY 12231
Fax: 518-473-9055
E-mail:
security_breach_noti[email protected]y.gov
To download the NYS Information Security Breach and Notification Act Reporting form, please visit:
https://its.ny.gov/eiso/breach-notification
09/21
New York State
Oce of the Attorney General
SECURITY BREACH NOTIFICATION
Consumer Frauds &
Protection Bureau
120 Broadway - 3rd Floor
New York, NY 10271
Fax: 212-416-6003
E-mail: [email protected]y.gov
New York State
Division of State Police
New York State Intelligence Center
SECURITY BREACH NOTIFICATION
31 Tech Valley Drive, Second Floor
East Greenbush, NY 12061
Fax: 518-786-9398
E-mail: risk@nysic.ny.gov