NYS Information Security Breach and Notification Act
The NYS Information Security Breach and Notification Act is comprised of section 208 of the State Technology Law and section 899-aa of the General Business Law. The statutes can be searched and viewed at the New York State Legislature Site.
State entities and persons or businesses conducting business who own or license computerized data which includes private information must disclose any breach of the data to New York residents whose private information was exposed.
A. FOR PERSONS OR BUSINESSES CONDUCTING BUSINESS:
Under section 899-aa of the General Business Law, a person or business conducting business must also notify (in addition to the affected NYS residents) three (3) NYS offices: the NYS Attorney General; the NYS Division of State Police; and the Department of State's Division of Consumer Protection.
For additional information see:
B. FOR STATE ENTITIES:
Under section 208 of the State Technology Law, a state entity must also notify (in addition to the affected NYS residents) three (3) NYS offices: the NYS Attorney General (AG), the NYS Office of Information Technology Services, and the Department of State's Division of Consumer Protection.
For state entities filing a breach notification with the NYS Office of Information Technology Services, please download, complete and submit the following form pdf or doc by email to [email protected].
Note pursuant to the NYS Information Security Policy NYS-P03-002, state entities are also required to notify non-residents if their private information was exposed.
Cyber Incident Reporting for NYS Employees
As per the New York State Information Security Policy, State government entities must notify the Cyber Command Center of any cyber incident which may have a significant or severe impact on operations or security, or which involves digital forensics, to ensure proper incident response procedures, coordination and oversight.
Notification should include as much of the information contained on the following form as possible:
PLEASE NOTE: This form must be encrypted if it contains sensitive information and is emailed to the Cyber Command Center. Note: The NYS Office 365 "tenancy" is encrypted. If you are outside of this "tenancy" you may send the Incident Notification Report to the Cyber Command Center through the New York State Secure Portal (for members only) or consider using the Cyber Command Center's PGP public key available below.
This key should be used to encrypt all sensitive information sent to the Cyber Command Center.
For communications requiring public key encryption, please make sure this key is in your key ring.