Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach notification laws:
- up to $250,000

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Businesses that own or license computerized data which includes private information of New York residents must have specific safeguards in place for data protection and security of their information systems (EFFECTIVE MARCH 21, 2020).
  • Businesses must complete breach notification to the State Attorney General, the Department of State and the Division of State Police for any breach incidents where consumer notification is sent to any New York residents.
  • If the breach affects over 5,000 New York residents, breach notification must be given to consumer reporting agencies using a list of agencies provided by the Attorney General.
  • Entities governed by sector-specific state and federal regulations must still report to the Attorney General, Department of State, Division of State Police and credit reporting agencies, pursuant the data breach notification requirements.
  • For businesses subject to Health Insurance Portability and Accountability Act (HIPAA), notice to the State Attorney General is required within 5 business days of notification to the Secretary of Health and Human Services.
  • Specific information must be included in the consumer and regulatory notifications.
  • If a vendor is breached, they must report it to the data owner. The data owner will be responsible to complete any necessary regulatory reporting and consumer notifications.
  • If it is determined that a breach incident will not result in misuse of information or harm to individuals, the business must maintain written records of the incident and the determination for at least 5 years. For incidents involving more than 500 New York residents, the written determination must be sent to the Attorney General within 10 days after making the determination.
  • If a breach affects residents of other states, those individuals must be notified based on the breach notification laws of the state where they reside.
  • There are separate laws protecting personal data and data disposal, with civil penalties for violations.
  • There is a separate law overseeing document destruction contractors.

Statutes and Laws

  • NY Gen. Bus. Law § 899-aa  Notification; person without valid authorization has acquired private information

    NY Gen. Bus. Law § 899-bb Data Security Protections (EFFECTIVE MARCH 21, 2020)

    NY Gen. Bus. Law §§ 899-aaa – 899-bbb Document destruction contractors

    NY Gen. Bus. Law § 399-ddd  Confidentiality of social security account number

    NY Gen. Bus. Laws § 399-ddd*2  Disclosure of social security number

    NY Gen. Bus. Law § 399-h  Disposal of records containing personal identifying information

    23 NYCRR 500 §§ 500.00 – 500.23  Cybersecurity Requirements for Financial Services Companies

BAck to map