July 2005 | NYS Security Breach Law
New York Legislature Passes Security Breach Law
New York State has joined a growing number of jurisdictions, including New York City (more on that later), that have passed laws that require businesses and state entities to notify anyone whose “private information” has been acquired by a “person without valid authorization” (the “Information Security Breach and Notification Act”). Businesses must send the notice to affected persons as expeditiously as possible when they discover a breach of security. The governor is expected to sign the bill into law.
“Private information” means a person’s name or personal identifier, together with unencrypted information such as a social security number, driver’s license number, account number, or a credit or debit card number in combination with any required access code.
Businesses can notify affected persons by one of the following methods:
§ written notice
§ electronic notice (but only if the individual whose information was stolen has already agreed to receive that type of notice and the business keeps a log)
§ telephone call (but, again, the business must keep a log)
Notices must contain the following:
Penalties: The Attorney General may bring an action for damages for actual costs or losses incurred. Whenever a court determines that the failure to notify was done knowingly or recklessly, the court may impose a civil penalty of the greater of $5,000 or up to $10 per instance of failed notification, not to exceed $150,000.
The legislation also requires the person or business making such notification to notify the Attorney General, the Consumer Protection Board and the “State Office of Cyber Security and Critical Infrastructure Coordination”. If the business must notify more than 5,000 New York residents, it must also notify consumer reporting agencies (such as Experian, Trans Union, Equifax, etc.). Notices to the consumer reporting agencies should include the nature and timing of the notice.
New York City has also enacted new laws concerning privacy safeguards. According to a recently enacted local law, beginning September 2005, businesses that are licensed by the Department of Consumer Affairs (“DCA”) would have to notify DCA if a security breach results in unauthorized access to consumers’ private information.
However, the state’s Information Security Breach and Notification Act contains language providing that it is “exclusive” and that it preempts all local laws that are inconsistent with or more restrictive than the state law. It would appear that at least part of the New York City security breach law, which requires businesses to report security breaches to DCA, could be preempted by the subsequently enacted state law (assuming the governor signs it).
City enactments that could escape preemption include a law that authorizes DCA to revoke or deny a license to any business that is convicted of identity theft. However, it is unclear whether other provisions of that law will survive preemption. Specifically, the law includes provisions that require licensed businesses to immediately report security breaches concerning personal information to DCA if there is a court judgment against the business for ID theft, or if there is a criminal conviction of the business (or any employee who was using the business’ resources) for ID theft or unlawful possession of personal information.
The City has also adopted a rule that requires proper destruction of records that contain personal information.