
New York
Privacy Laws

Overview

BREACH NOTIFICATION – Mandated Timeframe
Without unreasonable delay

FINES & PENALTIES – Violations
Up to $250,000

Legal

Regulation Levels

  • Breach Reporting

  • Consumer Notification

  • Vendor Management

  • Vendor Contract Required

PRIVACY AND SECURITY LAWS

Laws related to personal information and privacy and security.

QUICK FACTS

New York Privacy Law Information

PRIVACY PROGRAM

Organizations that own or license computerized data that includes the private information of New York residents must have specific safeguards in place for data protection and the security of their information systems. Organizations must contract with Vendors to require that Vendors maintain appropriate safeguards to protect any personal information disclosed to the Vendor. Organizations must ensure that their destruction Vendors are compliant with the regulations. Each Vendor contract for document destruction must contain the Vendor’s registration number issued by the Secretary of State.

BREACH REPORTING

Organizations must complete breach notification to the State Attorney General, the Department of State and the Division of State Police for any breach incidents where consumer notification is sent to any New York residents. If the breach affects over 5,000 New York residents, breach notification must be given to consumer reporting agencies using a list of agencies provided by the Attorney General. Specific information must be included in the consumer and regulatory notifications. If it is determined that a breach incident will not result in misuse of information or harm to individuals, the Organization must maintain written records of the incident and the determination for at least 5 years. For incidents involving more than 500 New York residents, the written determination must be sent to the Attorney General within 10 days after making the determination.

INDUSTRY SPECIFIC LAWS

Entities governed by sector-specific state and federal regulations must still report to the Attorney General, Department of State, Division of State Police, and credit reporting agencies, pursuant to the data breach notification requirements. For entities subject to the Health Insurance Portability and Accountability Act (HIPAA), notice to the State Attorney General is required within 5 business days of notification to the Secretary of Health and Human Services. Document destruction contractors must register with the New York Secretary of State and must renew the registration every 2 years. The Secretary of State will oversee and enforce the regulations for document destruction contractors.

CONSUMER NOTIFICATION

If a breach affects residents of other states, those individuals must be notified based on the breach notification laws of the state where they reside.

VENDOR/THIRD PARTIES

Vendors must notify Organizations immediately after discovery of a breach or suspected breach. The Organization will be responsible for completing any required regulatory reporting and consumer notification. Organizations must contract with Disposal Vendors for the secure disposal of records containing personal information. Disposal Vendors must have measures in place for the destruction of records containing personal information so that the records are unreadable or undecipherable.

FINES & PENALTIES

Penalties for knowingly or recklessly violating the notification requirements begin at $5,000 or up to $20.00 per failed notification, and can amount to up to $250,000.

ADDITIONAL BREACH REPORTING REQUIREMENTS

If it is determined that a breach incident will not result in misuse of information or harm to individuals, the Organization must maintain written records of the incident and the determination for at least 5 years. For incidents involving more than 500 New York residents, the written determination must be sent to the Attorney General within 10 days after making the determination.

New York Statutes and Laws

NY GEN. BUS. LAW § 399-DDD

Confidentiality of social security account number

NY GEN. BUS. LAWS § 399-DDD*2

Disclosure of social security number

NY GEN. BUS. LAW § 399-H

Disposal of records containing personal identifying information

23 NYCRR 500 §§ 500.00 – 500-23

Cybersecurity requirements for financial services companies

NY GEN. BUS. LAW §§ 899-AAA – 899-BBB

Document destruction contractors

NY GEN. BUS. LAW § 899-AA

Notification; person without valid authorization has acquired private information

NY GEN. BUS. LAW § 899-BB

Data security protections

DISCLAIMER

The information provided is not legal guidance or a recommendation and is for informational purposes only.