Timing of Consumer Notification
“Most expedient time possible and without unreasonable delay.”
Method of Notice
Mail. Phone permitted if a log of each notification is kept by the person or business who notifies affected persons. Email permitted if it complies with E-SIGN.
Breach Definition
Unauthorized acquisition or acquisition without valid authorization of computerized data that compromises security, confidentiality, or integrity of personal information maintained by a business.
PII Definition
Any information concerning a natural person which can be used to identify such natural person, in combination with any of these, when not encrypted, or encrypted with an encryption key that has also been acquired:
  1. Social Security number;
  2. Driver's license number or non-driver identification card number; or
  3. Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to individual's financial account.
Third Party Notice
If data collector maintains covered information for someone else, it must notify them following discovery of breach.
How to Notify
No specific content requirement.
Substitute Notice
All of the following: (a) email when business has email address for subject persons; (b) conspicuous posting of notice on business's website page, if it maintains one; and (c) notification to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 5,000 New York residents are to be notified at one time.
State Government Agency Notification Required
Yes, New York Attorney General, Department of State and Division of State Police.