New York State Information Security Breach And Notification Act

What is the significance of this law?

The "Information Security Breach and Notification Act," effective December 7, 2005, provides New York State residents with the right to know when a security breach has resulted in the exposure of their private information.

What types of security breaches are covered by this law?

A security breach is defined as an unauthorized acquisition of computerized data which compromises the security, confidentiality or integrity of private information.

What type of information is covered by this law?

Private information means any personal information concerning a natural person in combination with any one or more of the following data elements: social security number, driver’s license number, account number, or credit or debit card number in combination with any required security code.

What are the obligations of businesses or state agencies when a breach occurs?

The Information Security Breach and Notification Act requires that the state entity or business notify:

(1) Affected consumers following discovery of the breach in the security of its computer data system. The disclosure must be made in the most expedient time possible consistent with legitimate needs of law enforcement agencies. The notice must be provided to the affected persons by one of the following methods: a) written notice, b) electronic notice, or c) telephone notification.

(2) Consumer reporting agencies if more than 5,000 New York residents are to be notified. The contact information for the three nationwide consumer reporting agencies is as follows:

(3) The Attorney General’s office, the NYS Department of State's Division of Consumer Protection and the NYS Office of Cyber Security & Critical Infrastructure Coordination of the timing, content and distribution of the notices and approximate number of affected persons.  Breached entities may provide notice online to all three entities through the Attorney General’s

If you are a consumer affected by a breach, you may file a complaint through the Attorney General’s online complaint form. Do not submit a breach notification form.

Are there any exceptions to the notification requirements?

The law also provides for substitute notice to consumers if the state entity or business demonstrates to the Attorney General that the cost of providing regular notice would exceed $250,000 or that the affected class of persons exceeds 500,000 or the entity or business does not have sufficient contact information. Where substitute notice is used, it must consist of all of the following, as applicable: e-mail notice, conspicuous posting on the entity’s web site, and notification to statewide media.

What are the penalties for violations of the Information Security Breach and Notification Act?

Under the new law, the Attorney General may seek injunctive relief against any business entity for violating the law. In such action, the court may award damages to consumers for actual costs or losses incurred by a person entitled to notice, including consequential financial losses. If the court finds that a business violated this article knowingly or recklessly, the court may impose a civil penalty of the greater of $5,000 or up to $10 per instance of failed notification not to exceed $150,000.