§ 208. Notification; person without valid authorization has acquired\nprivate information. 1. As used in this section, the following terms\nshall have the following meanings:\n (a) "Private information" shall mean either:
(i)personal information\nconsisting of any information in combination with any one or more of the\nfollowing data elements, when either the data element or the combination\nof personal information plus the data element is not encrypted or\nencrypted with an encryption key that has also been accessed or\nacquired:\n (1) social security number;\n (2) driver's license number or non-driver identification card number;\n (3) account number, credit or debit card number, in combination with\nany required security code, access code, password or other information\nwhich woul
Free access — add to your briefcase to read the full text and ask questions with AI
§ 208. Notification; person without valid authorization has acquired\nprivate information. 1. As used in this section, the following terms\nshall have the following meanings:\n (a) "Private information" shall mean either: (i) personal information\nconsisting of any information in combination with any one or more of the\nfollowing data elements, when either the data element or the combination\nof personal information plus the data element is not encrypted or\nencrypted with an encryption key that has also been accessed or\nacquired:\n (1) social security number;\n (2) driver's license number or non-driver identification card number;\n (3) account number, credit or debit card number, in combination with\nany required security code, access code, password or other information\nwhich would permit access to an individual's financial account;\n (4) account number, or credit or debit card number, if circumstances\nexist wherein such number could be used to access to an individual's\nfinancial account without additional identifying information, security\ncode, access code, or password; or\n (5) biometric information, meaning data generated by electronic\nmeasurements of an individual's unique physical characteristics, such as\nfingerprint, voice print, or retina or iris image, or other unique\nphysical representation or digital representation which are used to\nauthenticate or ascertain the individual's identity; or\n (ii) a user name or e-mail address in combination with a password or\nsecurity question and answer that would permit access to an online\naccount.\n "Private information" does not include publicly available information\nthat is lawfully made available to the general public from federal,\nstate, or local government records.\n (b) "Breach of the security of the system" shall mean unauthorized\nacquisition or acquisition without valid authorization of computerized\ndata which compromises the security, confidentiality, or integrity of\npersonal information maintained by a state entity. Good faith\nacquisition of personal information by an employee or agent of a state\nentity for the purposes of the agency is not a breach of the security of\nthe system, provided that the private information is not used or subject\nto unauthorized disclosure.\n In determining whether information has been acquired, or is reasonably\nbelieved to have been acquired, by an unauthorized person or a person\nwithout valid authorization, such state entity may consider the\nfollowing factors, among others:\n (1) indications that the information is in the physical possession and\ncontrol of an unauthorized person, such as a lost or stolen computer or\nother device containing information; or\n (2) indications that the information has been downloaded or copied; or\n (3) indications that the information was used by an unauthorized\nperson, such as fraudulent accounts opened or instances of identity\ntheft reported.\n (c) "State entity" shall mean any state board, bureau, division,\ncommittee, commission, council, department, public authority, public\nbenefit corporation, office or other governmental entity performing a\ngovernmental or proprietary function for the state of New York, except:\n (1) the judiciary; and\n (2) all cities, counties, municipalities, villages, towns, and other\nlocal agencies.\n (d) "Consumer reporting agency" shall mean any person which, for\nmonetary fees, dues, or on a cooperative nonprofit basis, regularly\nengages in whole or in part in the practice of assembling or evaluating\nconsumer credit information or other information on consumers for the\npurpose of furnishing consumer reports to third parties, and which uses\nany means or facility of interstate commerce for the purpose of\npreparing or furnishing consumer reports. A list of consumer reporting\nagencies shall be compiled by the state attorney general and furnished\nupon request to state entities required to make a notification under\nsubdivision two of this section.\n 2. Any state entity that owns or licenses computerized data that\nincludes private information shall disclose any breach of the security\nof the system following discovery or notification of the breach in the\nsecurity of the system to any resident of New York state whose private\ninformation was, or is reasonably believed to have been, accessed or\nacquired by a person without valid authorization. The disclosure shall\nbe made in the most expedient time possible and without unreasonable\ndelay, consistent with the legitimate needs of law enforcement, as\nprovided in subdivision four of this section, or any measures necessary\nto determine the scope of the breach and restore the integrity of the\ndata system. The state entity shall consult with the state office of\ninformation technology services to determine the scope of the breach and\nrestoration measures. Within ninety days of the notice of the breach,\nthe office of information technology services shall deliver a report on\nthe scope of the breach and recommendations to restore and improve the\nsecurity of the system to the state entity.\n (a) Notice to affected persons under this section is not required if\nthe exposure of private information was an inadvertent disclosure by\npersons authorized to access private information, and the state entity\nreasonably determines such exposure will not likely result in misuse of\nsuch information, or financial or emotional harm to the affected\npersons. Such a determination must be documented in writing and\nmaintained for at least five years. If the incident affected over five\nhundred residents of New York, the state entity shall provide the\nwritten determination to the state attorney general within ten days\nafter the determination.\n (b) If notice of the breach of the security of the system is made to\naffected persons pursuant to the breach notification requirements under\nany of the following laws, nothing in this section shall require any\nadditional notice to those affected persons, but notice still shall be\nprovided to the state attorney general, the department of state and the\noffice of information technology services pursuant to paragraph (a) of\nsubdivision seven of this section and to consumer reporting agencies\npursuant to paragraph (b) of subdivision seven of this section:\n (i) regulations promulgated pursuant to Title V of the federal\nGramm-Leach-Bliley Act (15 U.S.C. 6801 to 6809), as amended from time to\ntime;\n (ii) regulations implementing the Health Insurance Portability and\nAccountability Act of 1996 (45 C.F.R. parts 160 and 164), as amended\nfrom time to time, and the Health Information Technology for Economic\nand Clinical Health Act, as amended from time to time;\n (iii) part five hundred of title twenty-three of the official\ncompilation of codes, rules and regulations of the state of New York, as\namended from time to time; or\n (iv) any other data security rules and regulations of, and the\nstatutes administered by, any official department, division, commission\nor agency of the federal or New York state government as such rules,\nregulations or statutes are interpreted by such department, division,\ncommission or agency or by the federal or New York state courts.\n 3. Any state entity that maintains computerized data that includes\nprivate information which such agency does not own shall notify the\nowner or licensee of the information of any breach of the security of\nthe system immediately following discovery, if the private information\nwas, or is reasonably believed to have been, accessed or acquired by a\nperson without valid authorization.\n 4. The notification required by this section may be delayed if a law\nenforcement agency determines that such notification impedes a criminal\ninvestigation. The notification required by this section shall be made\nafter such law enforcement agency determines that such notification does\nnot compromise such investigation.\n 5. The notice required by this section shall be directly provided to\nthe affected persons by one of the following methods:\n (a) written notice;\n (b) electronic notice, provided that the person to whom notice is\nrequired has expressly consented to receiving said notice in electronic\nform and a log of each such notification is kept by the state entity who\nnotifies affected persons in such form; provided further, however, that\nin no case shall any person or business require a person to consent to\naccepting said notice in said form as a condition of establishing any\nbusiness relationship or engaging in any transaction;\n (c) telephone notification provided that a log of each such\nnotification is kept by the state entity who notifies affected persons;\nor\n (d) Substitute notice, if a state entity demonstrates to the state\nattorney general that the cost of providing notice would exceed two\nhundred fifty thousand dollars, or that the affected class of subject\npersons to be notified exceeds five hundred thousand, or such agency\ndoes not have sufficient contact information. Substitute notice shall\nconsist of all of the following:\n (1) e-mail notice when such state entity has an e-mail address for the\nsubject persons;\n (2) conspicuous posting of the notice on such state entity's web site\npage, if such agency maintains one; and\n (3) notification to major statewide media.\n 6. Regardless of the method by which notice is provided, such notice\nshall include contact information for the state entity making the\nnotification, the telephone numbers and websites of the relevant state\nand federal agencies that provide information regarding security breach\nresponse and identity theft prevention and protection information and a\ndescription of the categories of information that were, or are\nreasonably believed to have been, accessed or acquired by a person\nwithout valid authorization, including specification of which of the\nelements of personal information and private information were, or are\nreasonably believed to have been, so accessed or acquired.\n 7. (a) In the event that any New York residents are to be notified,\nthe state entity shall notify the state attorney general, the department\nof state and the state office of information technology services as to\nthe timing, content and distribution of the notices and approximate\nnumber of affected persons and provide a copy of the template of the\nnotice sent to affected persons. Such notice shall be made without\ndelaying notice to affected New York residents.\n (b) In the event that more than five thousand New York residents are\nto be notified at one time, the state entity shall also notify consumer\nreporting agencies as to the timing, content and distribution of the\nnotices and approximate number of affected persons. Such notice shall be\nmade without delaying notice to affected New York residents.\n 8. The state office of information technology services shall develop,\nupdate and provide regular training to all state entities relating to\nbest practices for the prevention of a breach of the security of the\nsystem.\n 9. Any covered entity required to provide notification of a breach,\nincluding breach of information that is not "private information" as\ndefined in paragraph (a) of subdivision one of this section, to the\nsecretary of health and human services pursuant to the Health Insurance\nPortability and Accountability Act of 1996 or the Health Information\nTechnology for Economic and Clinical Health Act, as amended from time to\ntime, shall provide such notification to the state attorney general\nwithin five business days of notifying the secretary.\n 10. Any entity listed in subparagraph two of paragraph (c) of\nsubdivision one of this section shall adopt a notification policy no\nmore than one hundred twenty days after the effective date of this\nsection. Such entity may develop a notification policy which is\nconsistent with this section or alternatively shall adopt a local law\nwhich is consistent with this section.\n