Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Required Disposal of Retained Personal Information
  • Require Vendors to Protect Personal Information
  • Verification of Vendor Protection/Security Program
  • Vendor Notification to Organization of Breach/Suspected Breach
Fines & Penalties

Violations of breach notification laws:

- up to $250,000

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Vendor Contract Required
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Organizations that own or license computerized data which includes private information of New York residents must have specific safeguards in place for data protection and security of their information systems.
  • Organizations must contract with Vendors to require that Vendors maintain appropriate safeguards to protect any personal information disclosed to the Vendor.
  • Organizations must complete breach notification to the State Attorney General, the Department of State and the Division of State Police for any breach incidents where consumer notification is sent to any New York residents.
  • If the breach affects over 5,000 New York residents, breach notification must be given to consumer reporting agencies using a list of agencies provided by the Attorney General.
  • Entities governed by sector-specific state and federal regulations must still report to the Attorney General, Department of State, Division of State Police and consumer reporting agencies, pursuant to the data breach notification requirements.
  • For entities subject to Health Insurance Portability and Accountability Act (HIPAA), notice to the State Attorney General is required within 5 business days of notification to the Secretary of Health and Human Services.
  • Specific information must be included in the consumer and regulatory notifications.
  • If it is determined that a breach incident will not result in misuse of information or harm to individuals, the Organization must maintain written records of the incident and the determination for at least 5 years. For incidents involving more than 500 New York residents, the written determination must be sent to the Attorney General within 10 days after making the determination.
  • Vendors must notify Organizations immediately after discovery of a breach or suspected breach. The Organization will be responsible to complete any required regulatory reporting and consumer notification.
  • If a breach affects residents of other states, those individuals must be notified based on the breach notification laws of the state where they reside.
  • Penalties for knowingly or recklessly violating the notification requirements are the greater of $5,000 or up to $20.00 per instance of failed notification, and may not exceed $250,000 in total.
  • Disposal Vendors must be contracted with Organizations for secure disposal of records containing personal information.
  • Disposal Vendors must have measures in place for destruction of records containing personal information so the records are unreadable or undecipherable.
  • Organizations must ensure their destruction Vendors are compliant with the regulations.
  • Document destruction contractors must register with the New York Secretary of State, and must renew the registration every 2 years.
  • The Secretary of State will oversee and enforce the regulations for document destruction contractors.
  • Each Vendor contract for document destruction must contain the Vendor’s registration number issued by the Secretary of State.

Statutes and Laws

  • NY Gen. Bus. Law § 899-aa  Notification; person without valid authorization has acquired private information
  • NY Gen. Bus. Law § 899-bb  Data Security Protections
  • NY Gen. Bus. Law §§ 899-aaa – 899-bbb  Document destruction contractors
  • NY Gen. Bus. Law § 399-ddd  Confidentiality of social security account number
  • NY Gen. Bus. Law § 399-ddd*2  Disclosure of social security number
  • NY Gen. Bus. Law § 399-h  Disposal of records containing personal identifying information
  • 23 NYCRR 500 §§ 500.00 – 500.23  Cybersecurity Requirements for Financial Services Companies