Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?

  • Comprehensive provisions for notifications;
  • Limited methods of notification delivery and some must be tracked;
  • Data owners are responsible for breach reporting and notifications;
  • The State Attorney General, Dept. of State, & Division of State Police require notification on their own forms with specific information;
  • Consumer Reporting Agencies may need notified;
  • There are rigid penalties for violation.

Who Me?


New York breach and notification laws may apply if you are a person or business that:

  • Conducts business in New York and owns or licenses computerized data that includes PII;
  • Maintains computerized data that includes PII that you do not own or license.

 There are exemptions.

Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply.

What is PII?


PII relevant to a breach in New York include a person's name plus one of the following:

  • Social Security Number;
  • Driver license or identification number;
  • Account number or credit  or debit card number in combination any security code, access code or password, etc. permitting access to the person's account.

The above information is considered Private Information in NY.



A few of these laws include, but are not limited to:

BUSINESSES: Code – General Business (GBS) / Article 39-F – Notification of Unauthorized Acquisition of Private Information / Section 899-aa. - Notification; person without valid authorization has acquired private information.

STATE AGENCIES: Code – State Technology Law (STT) / Article 2 – Internet Security and Privacy Act / Section 208 - Notification; person without valid authorization has acquired private information.


A few of these laws include, but are not limited to:

Code – General Business (GBS) / Article 26 – Miscellaneous:

390-c*2.  Posting of warnings by commercial entities offering internet access to the public.

399-dd.  Consumer communications records privacy.

399-ddd.  Confidentiality of social security account number.

399-h. Disposal of records containing personal identifying information.

Article 39-G – Document Destruction Contractors.



The NY attorney general’s office may bring action. The court may award damages for actual costs incurred, including consequential financial losses, and civil penalties of $5,000 to $10,000 per instance of failed notification, but is not to exceed $150,000. Action may only be taken within the first two years after the complaint or the discovery.



When considering reporting requirements, it would include, but not be limited to:

  • The combination of personal information breached;
  • If the data was computerized;
  • If the data was encrypted or redacted;
  • If it was acquired by an unauthorized person;
  • If it is determined that notification of the breach will not be necessary, the decision must be documented and maintained for a minimum of three years.


All notifications must be made in the most expedient manner possible and without unreasonable delay, unless law enforcement advises the person it will impede a criminal investigation.


Requires detailed information and potential provision of services

Disclosure may only be made by written notice, telephone or electronically. There are very specific instructions for these methods and requirement of notification logs.

A substitute notice, with specific requirements, may be used if the cost of the notice exceeds $250,000 or persons notified exceeds 500,000 or they do not have sufficient contact information.

Contact the Privacy Experts at CSR