§ 899-AA — Notification; person without valid authorization has acquired private information
This text of New York § 899-AA (Notification; person without valid authorization has acquired private information) is published on Counsel Stack Legal Research, covering New York primary law. Counsel Stack provides free access to over 12 million legal documents including statutes, case law, regulations, and constitutions.
Text
§ 899-aa. Notification; person without valid authorization has acquired private information.

1. As used in this section, the following terms shall have the following meanings:

(a) "Personal information" shall mean any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person;

(b) "Private information" shall mean either: (i) personal information consisting of any information in combination with any one or more of the following data elements, when either the data element or the combination of personal information plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired:

(1) social security number;

(2) driver's license number or non-driver identification card number;

(3) account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual's financial account;

(4) account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual's financial account without additional identifying information, security code, access code, or password; or

(5) biometric information, meaning data generated by electronic measurements of an individual's unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual's identity; or

(6) medical information, meaning any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or

(7) health insurance information, meaning an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual or any information in an individual's application and claims history, including but not limited to, appeals history; or

(ii) a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.

"Private information" does not include publicly available information which is lawfully made available to the general public from federal, state, or local government records.

(c) "Breach of the security of the system" shall mean unauthorized access to or acquisition of, or access to or acquisition without valid authorization, of computerized data that compromises the security, confidentiality, or integrity of private information maintained by a business. Good faith access to, or acquisition of, private information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure.

In determining whether information has been accessed, or is reasonably believed to have been accessed, by an unauthorized person or a person without valid authorization, such business may consider, among other factors, indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.

In determining whether information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person or a person without valid authorization, such business may consider the following factors, among others:

(1) indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing information; or

(2) indications that the information has been downloaded or copied; or

(3) indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.

(d) "Consumer reporting agency" shall mean any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports. A list of consumer reporting agencies shall be compiled by the state attorney general and furnished upon request to any person or business required to make a notification under subdivision two of this section.

2. Any person or business which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization. The disclosure shall be made in the most expedient time possible and without unreasonable delay, provided that such notification shall be made within thirty days after the breach has been discovered, except for the legitimate needs of law enforcement, as provided in subdivision four of this section.

(a) Notice to affected persons under this section is not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials as found in subparagraph (ii) of paragraph (b) of subdivision one of this section. Such a determination must be documented in writing and maintained for at least five years. If the incident affects over five hundred residents of New York, the person or business shall provide the written determination to the state attorney general within ten days after the determination.

(b) If notice of the breach of the security of the system is made to affected persons pursuant to the breach notification requirements under any of the following laws, nothing in this section shall require any additional notice to those affected persons, but notice still shall be provided to the state attorney general, the department of state and the division of state police pursuant to paragraph (a) of subdivision eight of this section and to consumer reporting agencies pursuant to paragraph (b) of subdivision eight of this section:

(i) regulations promulgated pursuant to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 to 6809), as amended from time to time;

(ii) regulations implementing the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. parts 160 and 164), as amended from time to time, and the Health Information Technology for Economic and Clinical Health Act, as amended from time to time;

(iii) part five hundred of title twenty-three of the official compilation of codes, rules and regulations of the state of New York, as amended from time to time; or

(iv) any other data security rules and regulations of, and the statutes administered by, any official department, division, commission or agency of the federal or New York state government as such rules, regulations or statutes are interpreted by such department, division, commission or agency or by the federal or New York state courts.

3. Any person or business which maintains computerized data which includes private information which such person or business does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately, provided that such notification shall be made within thirty days following discovery, if the private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization.

4. The notification required by this section may be delayed if a law enforcement agency determines that such notification impedes a criminal investigation. The notification required by this section shall be made after such law enforcement agency determines that such notification does not compromise such investigation.

5. The notice required by this section shall be directly provided to the affected persons by one of the following methods:

(a) written notice;

(b) electronic notice, provided that the person to whom notice is required has expressly consented to receiving said notice in electronic form and a log of each such notification is kept by the person or business who notifies affected persons in such form; provided further, however, that in no case shall any person or business require a person to consent to accepting said notice in said form as a condition of establishing any business relationship or engaging in any transaction.

(c) telephone notification provided that a log of each such notification is kept by the person or business who notifies affected persons; or

(d) substitute notice, if a business demonstrates to the state attorney general that the cost of providing notice would exceed two hundred fifty thousand dollars, or that the affected class of subject persons to be notified exceeds five hundred thousand, or such business does not have sufficient contact information. Substitute notice shall consist of all of the following:

(1) e-mail notice when such business has an e-mail address for the subject persons, except if the breached information includes an e-mail address in combination with a password or security question and answer that would permit access to the online account, in which case the person or business shall instead provide clear and conspicuous notice delivered to the consumer online when the consumer is connected to the online account from an internet protocol address or from an online location which the person or business knows the consumer customarily uses to access the online account;

(2) conspicuous posting of the notice on such business's web site page, if such business maintains one; and

(3) notification to major statewide media.

6. (a) whenever the attorney general shall believe from evidence satisfactory to him or her that there is a violation of this article he or she may bring an action in the name and on behalf of the people of the state of New York, in a court of justice having jurisdiction to issue an injunction, to enjoin and restrain the continuation of such violation. In such action, preliminary relief may be granted under article sixty-three of the civil practice law and rules. In such action the court may award damages for actual costs or losses incurred by a person entitled to notice pursuant to this article, if notification was not provided to such person pursuant to this article, including consequential financial losses. Whenever the court shall determine in such action that a person or business violated this article knowingly or recklessly, the court may impose a civil penalty of the greater of five thousand dollars or up to twenty dollars per instance of failed notification, provided that the latter amount shall not exceed two hundred fifty thousand dollars.

(b) the remedies provided by this section shall be in addition to any other lawful remedy available.

(c) no action may be brought under the provisions of this section unless such action is commenced within three years after either the date on which the attorney general became aware of the violation, or the date of notice sent pursuant to paragraph (a) of subdivision eight of this section, whichever occurs first. In no event shall an action be brought after six years from the date of discovery of the breach of private information by the company unless the company took steps to hide the breach.

7. Regardless of the method by which notice is provided, such notice shall include contact information for the person or business making the notification, the telephone numbers and websites of the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention and protection information, and a description of the categories of information that were, or are reasonably believed to have been, accessed or acquired by a person without valid authorization, including specification of which of the elements of personal information and private information were, or are reasonably believed to have been, so accessed or acquired.

8. (a) In the event that any New York residents are to be notified, the person or business shall notify the state attorney general, the department of state, the division of state police, and the department of financial services as to the timing, content and distribution of the notices and approximate number of affected persons and shall provide a copy of the template of the notice sent to affected persons; provided, however, that notice to the department of financial services shall only be required if the person or business is a covered entity, as defined in 23 NYCRR 500.1, and provided further that such notice shall be provided to the department of financial services in compliance with 23 NYCRR 500.17. Such notice shall be made without delaying notice to affected New York residents.

(b) In the event that more than five thousand New York residents are to be notified at one time, the person or business shall also notify consumer reporting agencies as to the timing, content and distribution of the notices and approximate number of affected persons. Such notice shall be made without delaying notice to affected New York residents.

9. Any covered entity required to provide notification of a breach, including breach of information that is not "private information" as defined in paragraph (b) of subdivision one of this section, to the secretary of health and human services pursuant to the Health Insurance Portability and Accountability Act of 1996 or the Health Information Technology for Economic and Clinical Health Act, as amended from time to time, shall provide such notification to the state attorney general within five business days of notifying the secretary.

10. The provisions of this section shall be exclusive and shall preempt any provisions of local law, ordinance or code, and no locality shall impose requirements that are inconsistent with or more restrictive than those set forth in this section.
Cite This Page — Counsel Stack
New York § 899-AA, Counsel Stack Legal Research, https://law.counselstack.com/statute/ny/GBS/899-AA.