New York Cybersecurity Regulations (FAQs)

This cyber-world we live in is chock full of blurred lines, unanswered questions and escalating threats. As an organizational leader, you have a responsibility to help uphold the law. In our first "Compliance" blog, and those following, we will share with you guidance on regulatory compliance for cybersecurity for various states and industries, alongside legal resources for the most credible and timely information available.

Let us begin with the great State of New York.

Who is obligated to report a data breach in New York State?

Any person or business conducting business in New York State (NYS). Note there are additional regulations applicable to State Entities (SE) including their outsourced third parties who access or manage SE information. (1, 2)

What data breaches require reporting in NY?

Any time the private information of a person has been acquired by a person without valid authorization. Private information is personal information in combination with one or more of the following elements, and which is unencrypted or encrypted but the key has also been disclosed: (a) social security number, (b) driver’s license/non-drivers ID card number, or (c) account number in conjunction with information which permits access to an individual's financial account.

What is your responsibility to report a breach in New  York?

Upon discovery or notification of the unauthorized acquisition of private information, and in the most expedient manner, provide Notice to affected persons, or the owner(s)/licensee(s) of the private information.You must also notify the NYS Attorney General, the NYS Division of State Police, and the Department of State’s Division of Consumer Protection.

Notice to affected persons can be accomplished by any one of the following:

• Written notice, or Electronic notice if approved by recipient (and tracked and logged), or Telephone notice (tracked and logged), or Substitute notice*.Subsection 7 of NYS General Business Law §899-aa details the content of the Notice.
• Substitute notice in detail: Applicable if it can be demonstrated that the cost to complete notice would exceed $250,000; or more than 500,000 persons are affected; or you possess insufficient contact information for persons affected.
• To complete Substitute Notice, you shall send an email, and post notice conspicuously on your website, and notify the major statewide media.
• If persons affected are NYS residents, then in addition to the previously noted requirements, you must also notify The NYS Attorney General; and The Consumer Protection Board; and The State Office of Cybersecurity & Critical Infrastructure.You must include the timing, content, and distribution of notices, and the approximate number of affected persons.
• If more than 5,000 NYS residents are affected, then in addition to the previously noted requirements, you must also notify consumer reporting agencies, and include the same information as just noted.

Cybersecurity Forms

1. Business Data Breach Form
2. NYS Information Security Office – State Data Breach Form
3. Information Security Policy NYS-P03-002, (rev. June 20, 2014)
4. NYS General Business Law §899-aa
5. NYS Technology Law §208
6. NYS Office of Information Technology Services: Breach Notification

Please refer to the above links for detailed information regarding cyber compliance in New York State.