New York's Data Breach Notification Law

December 7, 2015 

By Caitlin Steinke, Law Firm of Tina Foster

This article was created to supplement a presentation given by Tina Foster and Caitlin Steinke on data/system security issues and solutions in the New York legal aid community. The full presentation is available here.

Almost all 50 states have a law that identifies the notification requirements that must be followed when a business operating in that state suffers a data breach. This article examines the requirements outlined in New York General Business Law § 899-aa, New York’s data breach notification law.

Which businesses are covered by New York’s data breach notification law?

The law applies to any business that (1) conducts business in New York and (2) owns or licenses computerized data that includes private information.

What constitutes a data breach?

A data breach is the unauthorized acquisition, or acquisition without valid authorization, of private information of a New York resident.

What is private information?

Private information is personal information (a name, number, personal mark, or other identifier that can be used to identify an individual) plus one or more of the following data elements:

  • social security number
  • driver’s license number

  • non-driver identification card number

  • account, credit, or debit card number, along with the security information that would permit access to the financial account

How do I know if a data breach has occurred?

To determine whether private information has been acquired, or is reasonably believed to have been acquired, your business can consider the following:

  • evidence that the information is in the possession and control of an unauthorized person (for example, if your business's computer was stolen)

  • evidence that the information has been downloaded or copied

  • evidence that the information was used by an unauthorized person (for example, if identity theft was reported)

When are the notification requirements triggered?

The notification requirements are triggered once your business becomes aware of the breach, through discovery or notification. 

Do I need to notify the New York state government of the data breach?

Yes. If the data breach affects New York residents, your business must complete and submit the New York State Security Breach Reporting Form as soon as possible after learning of the breach. The form will include:

  • The number of New York residents affected

  • The dates on which the breach occurred and was discovered

  • A description of the breach and the information acquired

  •  A template of the notice to affected New York residents

The reporting form must be sent to the following state agencies:

  1. New York State Attorney General’s Office

  2.  New York State Division of State Police

  3. New York State Department of State Division of Consumer Protection

Do I need to notify credit reporting agencies of the data breach?

Yes, but only if the data breach affected more than 5,000 New York residents.

What if I only license the information acquired during the data breach?

In addition to all the other notification requirements, your business must notify the owner or licensee immediately following discovery of the breach.

How soon must I notify affected New York residents of the data breach?

The notification shall be made “in the most expedient time possible and without unreasonable delay." However, such notification may be delayed if law enforcement determines that it would compromise a criminal investigation.

How do I notify the New York residents affected by the data breach?

Your business should notify each affected individual through one of the following methods:

  • Written notice

  • Electronic notice (only if the individual has expressly consented to receiving said notice in electronic form and your business keeps a log of each electronic notification) 

  • Telephone notification (only if your business keeps a log of each telephone notification)

  • Substitute notice (only if the cost of providing notice would exceed $250,000 or there are more than 500,000 affected individuals. This alternative must be presented to the New York State Attorney General) 

What information do I need to include in my notification to the affected New York residents?

Notice to the affected individuals shall include (1) your business's contact information and (2) a description of the categories of information that were acquired during the data breach, including specification of the elements of personal information and private information that were, or are reasonably believed to have been, acquired.

What if I don’t comply with the notification requirements?

Failure to notify New York residents affected by a data breach could result in your business having to pay damages for costs or losses incurred by a New York resident entitled to notice. The court could also impose civil penalties if your business knowingly or recklessly violated these notification requirements.



This article provides only general information, and is not intended as legal advice. Please consult with an attorney for guidance on specific legal matters.