New York State Security Breach Laws
Published February 10, 2011
Assembly Bill 4254
New York General Business Law: § 899-aa
New York State Technology Law: § 208
Effective Date: December 8, 2005
Definition of Personal Information (Private Information): An individual’s first name or first initial and last name linked with any one or more of the following data elements, when either the personal information or data element is not encrypted or encrypted with an encryption key that has also been acquired:
(a) Social security number;
(b) Driver’s license number or non-driver identification card number; or
(c) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
Summary: Any person or business which conducts business in New York state, and which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.
Visit the state Web site