New York Data Breach Notification Law

Notification deadline: Most expedient time possible

Enforcement: New York Attorney General

Overview

The New York SHIELD Act (Stop Hacks and Improve Electronic Data Security) significantly expanded breach notification requirements and added mandatory security program requirements for businesses handling New York residents' private information.

Who Must Be Notified

• • Affected New York residents
• • New York Attorney General
• • Department of State
• • State Police (if over 5,000 residents affected)

Covered Data Types

Social Security number, Driver's license number, Financial account number with access code, Credit/debit card number with security code, Biometric information, Username with password or security questions, HIPAA-covered health information

Notification Requirements

• • Timing: Most expedient time possible
• • Content must include: description of incident, types of data exposed, contact information
• • Offer identity theft protection services for SSN breaches
• • Submit copy of notification to AG, State Police (if 5,000+ affected)
• • Alternative notice (media) allowed if cost exceeds $250,000 or 500,000+ affected

Exemptions

• • Encrypted data (if key not compromised)
• • Publicly available information
• • Information subject to GLBA, HIPAA (but notification still required)

Penalties

Civil penalties up to $5,000 per violation or $20 per failed notification (up to $250,000). Additional penalties for knowing/reckless violations.