New York State law requires businesses and other entities to notify consumers in the event of a data security breach so that affected consumers can take appropriate action to protect themselves against the threat of identity theft.
When Is a Data Security Breach Notification Triggered?
A data security breach notification is required when an unauthorized person acquires, or is reasonably believed to have acquired, computerized data containing personal information of individuals consisting of a combination of a person's name, Social Security number, driver's license number, bank account number, and/or credit and debit card number with PIN or access code (defined by law as "private information").
What Are the Risks?
A data security breach compromises personal privacy and increases the possibility of identity theft. Businesses are also at risk of losing customers: studies have shown that consumers lose trust in a brand after a data security breach and may ultimately switch to a competitor.
Who Must Be Notified?
Any resident of New York State whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization must be notified in accordance with provisions of the New York State Security Breach Law. The primary method of notification will be through the mail, but for large breaches affecting more than 500,000 New Yorkers there may be substitute notice through the company's website and the media.
Entities must effectuate notice to all required recipients via the Office of the Attorney General’s online portal.
What Resources Are Available for Businesses?
The Division provides the following resources for businesses and other entities:
If you have questions or concerns about a data security breach, please contact the Division. We will review your message and/or question and respond accordingly.