This entry was published on 2019-11-01.
SECTION 899-AA
Notification; person without valid authorization has acquired individual information
General Business (GBS) CHAPTER 20, ARTICLE 39-F
§ 899-aa. Notification; person without valid authorization has
acquired private information. 1. As used in this section, the following
terms shall have the following meanings:

(a) "Personal information" shall mean any information concerning a
natural person which, because of name, number, personal mark, or other
identifier, can be used to identify such natural person;

(b) "Private information" shall mean either: (i) personal information
consisting of any information in combination with any one or more of the
following data elements, when either the data element or the combination
of personal information plus the data element is not encrypted, or is
encrypted with an encryption key that has also been accessed or
acquired:

(1) social security number;

(2) driver's license number or non-driver identification card number;

(3) account number, credit or debit card number, in combination with
any required security code, access code, password or other information
that would permit access to an individual's financial account;

(4) account number, credit or debit card number, if circumstances
exist wherein such number could be used to access an individual's
financial account without additional identifying information, security
code, access code, or password; or

(5) biometric information, meaning data generated by electronic
measurements of an individual's unique physical characteristics, such as
a fingerprint, voice print, retina or iris image, or other unique
physical representation or digital representation of biometric data
which are used to authenticate or ascertain the individual's identity;
or

(ii) a user name or e-mail address in combination with a password or
security question and answer that would permit access to an online
account.

"Private information" does not include publicly available information
which is lawfully made available to the general public from federal,
state, or local government records.

(c) "Breach of the security of the system" shall mean unauthorized
access to or acquisition of, or access to or acquisition without valid
authorization, of computerized data that compromises the security,
confidentiality, or integrity of private information maintained by a
business. Good faith access to, or acquisition of, private information
by an employee or agent of the business for the purposes of the business
is not a breach of the security of the system, provided that the private
information is not used or subject to unauthorized disclosure.

In determining whether information has been accessed, or is reasonably
believed to have been accessed, by an unauthorized person or a person
without valid authorization, such business may consider, among other
factors, indications that the information was viewed, communicated with,
used, or altered by a person without valid authorization or by an
unauthorized person.

In determining whether information has been acquired, or is reasonably
believed to have been acquired, by an unauthorized person or a person
without valid authorization, such business may consider the following
factors, among others:

(1) indications that the information is in the physical possession and
control of an unauthorized person, such as a lost or stolen computer or
other device containing information; or

(2) indications that the information has been downloaded or copied; or

(3) indications that the information was used by an unauthorized
person, such as fraudulent accounts opened or instances of identity
theft reported.

(d) "Consumer reporting agency" shall mean any person which, for
monetary fees, dues, or on a cooperative nonprofit basis, regularly
engages in whole or in part in the practice of assembling or evaluating
consumer credit information or other information on consumers for the
purpose of furnishing consumer reports to third parties, and which uses
any means or facility of interstate commerce for the purpose of
preparing or furnishing consumer reports. A list of consumer reporting
agencies shall be compiled by the state attorney general and furnished
upon request to any person or business required to make a notification
under subdivision two of this section.

2. Any person or business which owns or licenses computerized data
which includes private information shall disclose any breach of the
security of the system following discovery or notification of the breach
in the security of the system to any resident of New York state whose
private information was, or is reasonably believed to have been,
accessed or acquired by a person without valid authorization. The
disclosure shall be made in the most expedient time possible and without
unreasonable delay, consistent with the legitimate needs of law
enforcement, as provided in subdivision four of this section, or any
measures necessary to determine the scope of the breach and restore the
integrity of the system.

(a) Notice to affected persons under this section is not required if
the exposure of private information was an inadvertent disclosure by
persons authorized to access private information, and the person or
business reasonably determines such exposure will not likely result in
misuse of such information, or financial harm to the affected persons or
emotional harm in the case of unknown disclosure of online credentials
as found in subparagraph (ii) of paragraph (b) of subdivision one of
this section. Such a determination must be documented in writing and
maintained for at least five years. If the incident affects over five
hundred residents of New York, the person or business shall provide the
written determination to the state attorney general within ten days
after the determination.

(b) If notice of the breach of the security of the system is made to
affected persons pursuant to the breach notification requirements under
any of the following laws, nothing in this section shall require any
additional notice to those affected persons, but notice still shall be
given to the state attorney general, the department of state and the
division of state police pursuant to paragraph (a) of subdivision eight
of this section and to consumer reporting agencies pursuant to paragraph
(b) of subdivision eight of this section:

(i) regulations promulgated pursuant to Title V of the federal
Gramm-Leach-Bliley Act (15 U.S.C. 6801 to 6809), as amended from time to
time;

(ii) regulations implementing the Health Insurance Portability and
Accountability Act of 1996 (45 C.F.R. parts 160 and 164), as amended
from time to time, and the Health Information Technology for Economic
and Clinical Health Act, as amended from time to time;

(iii) part five hundred of title twenty-three of the official
compilation of codes, rules and regulations of the state of New York, as
amended from time to time; or

(iv) any other data security rules and regulations of, and the
statutes administered by, any official department, division, commission
or agency of the federal or New York state government as such rules,
regulations or statutes are interpreted by such department, division,
commission or agency or by the federal or New York state courts.

3. Any person or business which maintains computerized data which
includes private information which such person or business does not own
shall notify the owner or licensee of the information of any breach of
the security of the system immediately following discovery, if the
private information was, or is reasonably believed to have been,
accessed or acquired by a person without valid authorization.

4. The notification required by this section may be delayed if a law
enforcement agency determines that such notification impedes a criminal
investigation. The notification required by this section shall be made
after such law enforcement agency determines that such notification does
not compromise such investigation.

5. The notice required by this section shall be directly provided to
the affected persons by one of the following methods:

(a) written notice;

(b) electronic notice, provided that the person to whom notice is
required has expressly consented to receiving said notice in electronic
form and a log of each such notification is kept by the person or
business who notifies affected persons in such form; provided further,
however, that in no case shall any person or business require a person
to consent to accepting said notice in said form as a condition of
establishing any business relationship or engaging in any transaction.

(c) telephone notification provided that a log of each such
notification is kept by the person or business who notifies affected
persons; or

(d) substitute notice, if a business demonstrates to the state
attorney general that the cost of providing notice would exceed two
hundred fifty thousand dollars, or that the affected class of subject
persons to be notified exceeds five hundred thousand, or such business
does not have sufficient contact information. Substitute notice shall
consist of all of the following:

(1) e-mail notice when such business has an e-mail address for the
subject persons, except if the breached information includes an e-mail
address in combination with a password or security question and answer
that would permit access to the online account, in which case the person
or business shall instead provide clear and conspicuous notice delivered
to the consumer online when the consumer is connected to the online
account from an internet protocol address or from an online location
which the person or business knows the consumer customarily uses to
access the online account;

(2) conspicuous posting of the notice on such business's web site
page, if such business maintains one; and

(3) notification to major statewide media.

6. (a) whenever the attorney general shall believe from evidence
satisfactory to him or her that there is a violation of this article he
or she may bring an action in the name and on behalf of the people of
the state of New York, in a court of justice having jurisdiction to
issue an injunction, to enjoin and restrain the continuation of such
violation. In such action, preliminary relief may be granted under
article sixty-three of the civil practice law and rules. In such action
the court may award damages for actual costs or losses incurred by a
person entitled to notice pursuant to this article, if notification was
not provided to such person pursuant to this article, including
consequential financial losses. Whenever the court shall determine in
such action that a person or business violated this article knowingly or
recklessly, the court may impose a civil penalty of the greater of five
thousand dollars or up to twenty dollars per instance of failed
notification, provided that the latter amount shall not exceed two
hundred fifty thousand dollars.

(b) the remedies provided by this section shall be in addition to any
other lawful remedy available.

(c) no action may be brought under the provisions of this section
unless such action is commenced within three years after either the date
on which the attorney general became aware of the violation, or the date
of notice sent pursuant to paragraph (a) of subdivision eight of this
section, whichever occurs first. In no event shall an action be brought
after six years from the date of discovery of the breach of private
information by the company unless the company took steps to hide the
breach.

7. Regardless of the method by which notice is provided, such notice
shall include contact information for the person or business making the
notification, the telephone numbers and websites of the relevant state
and federal agencies that provide information regarding security breach
response and identity theft prevention and protection information, and a
description of the categories of information that were, or are
reasonably believed to have been, accessed or acquired by a person
without valid authorization, including specification of which of the
elements of personal information and private information were, or are
reasonably believed to have been, so accessed or acquired.

8. (a) In the event that any New York residents are to be notified,
the person or business shall notify the state attorney general, the
department of state and the division of state police as to the timing,
content and distribution of the notices and approximate number of
affected persons and shall provide a copy of the template of the notice
sent to affected persons. Such notice shall be made without delaying
notice to affected New York residents.

(b) In the event that more than five thousand New York residents are
to be notified at one time, the person or business shall also notify
consumer reporting agencies as to the timing, content and distribution
of the notices and approximate number of affected persons. Such notice
shall be made without delaying notice to affected New York residents.

9. Any covered entity required to provide notification of a breach,
including breach of information that is not "private information" as
defined in paragraph (b) of subdivision one of this section, to the
secretary of health and human services pursuant to the Health Insurance
Portability and Accountability Act of 1996 or the Health Information
Technology for Economic and Clinical Health Act, as amended from time to
time, shall provide such notification to the state attorney general
within five business days of notifying the secretary.

10. The provisions of this section shall be exclusive and shall
preempt any provisions of local law, rule or code, and no locality
shall impose requirements that are inconsistent with or more restrictive
than those set forth in this section.