Breach Notification and Incident Reporting

NYS Information Security Breach and Notification Act

The NYS Information Security Breach and Notification Act comprises section 208 of the State Technology Law and section 899-aa of the General Business Law. The statutes can be searched and viewed at the New York State Legislature site.

State entities, and persons or businesses conducting business, that own or license computerized data that includes private information must disclose any breach of that data to the New York residents whose private information was exposed.

A. FOR PERSONS OR BUSINESSES CONDUCTING BUSINESS:

Under section 899-aa of the General Business Law, a person or business conducting business must also notify (in addition to the affected NYS residents) three (3) NYS offices: the NYS Attorney General; the NYS Division of State Police; and the Department of State's Division of Consumer Protection.

For additional information see:

Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”)

Department of State Data Security Breach Management


B. FOR STATE ENTITIES:

Under section 208 of the State Technology Law, a state entity must also notify (in addition to the affected NYS residents) three (3) NYS offices: the NYS Attorney General (AG), the NYS Office of Information Technology Services, and the Department of State's Division of Consumer Protection.

State entities filing a breach notification with the NYS Office of Information Technology Services should download, complete and submit the following form (PDF or DOC) by email to [email protected].

Note: pursuant to the NYS Information Security Policy NYS-P03-002, state entities are also required to notify non-residents if their private information was exposed.

Cyber Incident Reporting for NYS Employees

Under the New York State Information Security Policy, State government entities must notify the Cyber Command Center of any cyber incident that may have a significant or severe impact on operations or security, or that involves digital forensics, to ensure proper incident response procedures, coordination and oversight.

Cyber Incident Reporting Procedures

Cyber Incident Reporting - Quick Reference Sheet

Notification should include as much of the information contained on the following form as possible:

Incident Notification Report Form

PLEASE NOTE: This form must be encrypted if it contains sensitive information and is emailed to the Cyber Command Center. The NYS Office 365 "tenancy" is encrypted. If you are outside of this "tenancy", you may send the Incident Notification Report to the Cyber Command Center through the New York State Secure Portal (for members only), or consider using the Cyber Command Center's PGP public key available below.

Public Key

Cyber Command Center Public Key: Text Version (select this if you don't have PGP software) | PGP-ready version

This key should be used to encrypt all sensitive information sent to the Cyber Command Center.

For communications requiring public key encryption, please make sure this key is in your key ring.