Consumer Response to a Data Security Breach

Pursuant to New York State law, businesses and other entities must notify any resident of New York State whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization. Private information is defined as a person's name, Social Security number, driver's license number, bank account number, and/or credit and debit card number with personal identification number (PIN) or access code.

Affected consumers are generally notified by U.S. mail, but under certain circumstances notification may be made by e-mail, telephone, website posting or through the media. The breaching entity must also inform the New York State Department of State Division of Consumer Protection, the Office of the New York State Attorney General, and the New York State Division of State Police.

What Steps Should You Take?

The Division advises consumers who believe their identity or personal privacy may have been compromised by a data security breach to:

  • Get the facts before you do anything. The notification you receive by mail from the breached entity, or see posted on its website, will inform you as to what data was compromised and when the breach occurred. The notification should also provide contact information for the breached entity so you can investigate the facts further
  • Ask what the breached entity will do to reduce your risk of identity theft. For example, will credit monitoring services be offered at no cost for a specific period of time?
  • Ask whether the breached entity will notify the three major credit reporting agencies: TransUnion, Equifax and Experian. They are required to do so when more than 5,000 New Yorkers are affected
  • Watch for signs of fraud. Not every security breach ends in theft or fraud. Check your credit card billing statements for fraudulent charges and monitor your bank and other financial statements. If you spot something suspicious or unusual, report it to your credit card or financial company immediately
  • Check your credit report. Under the law, you are entitled to one free credit report per year from each of the three major credit reporting agencies. Review the report carefully and follow-up to dispute or correct any errors or fraudulent entries. For more information, read the Check Your Credit Reports Regularly for Free page
  • Close accounts. Depending upon the nature of a data security breach, you may need to close certain accounts and open new ones with different passwords. You should not be charged for doing this
  • Learn more about personal information protections. You may want to consider contacting a credit reporting agency and placing a Fraud Alert or Security Freeze on your credit file. This will make it more difficult for someone to open a credit card account or borrow money in your name. Placing a Fraud Alert is free. Placing a Security Freeze is free the first time and under other circumstances. For more information, read the Check Your Credit Reports Regularly for Free page
  • Retain your paperwork. Keep all records about the data security breach and retain your notes of any follow-up conversations for future reference.


Last Modified: September 23, 2011