Breach Notification

NYS Information Security Breach and Notification Act

The NYS Information Security Breach and Notification Act is comprised of section 208 of the State Technology Law and section 899-aa of the General Business Law. The statutes can be searched and viewed at the New York State Legislature Site.

State entities and persons or businesses conducting business who own or license computerized data which includes private information must disclose any breach of the data to New York residents whose private information was exposed.

A. FOR PERSONS OR BUSINESSES CONDUCTING BUSINESS:

Under section 899-aa of the General Business Law, a person or business conducting business must also notify (in addition to the affected NYS residents) three (3) NYS offices: the NYS Attorney General; the NYS Division of State Police; and the Department of State's Division of Consumer Protection.

For additional infomation see:

https://ag.ny.gov/internet/data-breach

https://www.dos.ny.gov/consumerprotection/security_breach/data_security_breach.htm

 

B. FOR STATE ENTITIES:

Under section 208 of the State Technology Law, a state entity must also notify (in addition to the affected NYS residents) three (3) NYS offices: the NYS Attorney General (AG), the NYS Office of Information Technology Services, and the Department of State's Division of Consumer Protection.

For state entities filing a breach notification with the NYS Office of Information Technology Services, please download, complete and submit the following form pdf or doc by email to [email protected].

Note pursuant to the NYS Information Security Policy NYS-P03-002, state entities are also required to notify non-residents if their private information was exposed.