Organizations Should Plan Now to Avoid High-Cost Recovery Efforts Later
New York State Governor Hochul recently gave us a “pre” New Year’s gift: effective on December 21, 2024, any individuals or businesses possessing the “private information” of New Yorkers must notify them, and certain state agencies, of a security breach within thirty (30) days after discovery of the breach. The only exception is for the “legitimate needs” of law enforcement. As the original law did not contain a specific time limit, this change is significant. https://www.nysenate.gov/legislation/laws/GBS/899-AA.
What is Private Information?
The definition of private information is quite broad and can include:
- Social Security number;
- Driver’s license or ID card;
- Account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual's financial account;
- Account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual's financial account without additional identifying information, security code, access code, or password; or
- Biometric information, meaning data generated by electronic measurements of an individual's unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual's identity.
The types of information that qualify as private information will expand as of March 21, 2025, to include the following categories of information:
- Medical information; or
- Health insurance information; or
- A user-name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
Important FAQs
What is a security breach?
It “shall mean unauthorized access to or acquisition of, or access to or acquisition without valid authorization, of computerized data that compromises the security, confidentiality, or integrity of private information maintained by a business.”
What security issues trigger notification to New Yorkers?
If a laptop, phone, or other device is stolen, information is downloaded or copied by a bad actor, a fraudulent account is opened, or an employee or other person whose data is held by the business reports identity theft, the 30-day notification obligation is triggered. While these events are listed in the statute, other indications of a security breach will also trigger notification – such as those caused by stolen or compromised credentials, phishing, social engineering, or vulnerabilities in software or hardware. According to IBM, half of all security breaches are caused by human error or IT failures.
What must a business do once a breach is discovered?
The breached business must advise New Yorkers of the date of the breach, the types of private information that were or may have been acquired, a helpline number, and the names of state/federal agencies with identity theft resources. Email notification is typical, but the business must keep records and be sure that the affected person has given consent for such notification that is not “a condition of establishing any business relationship or engaging in any transaction.” (Section 5(b)).
Where must a business report the incident?
The State Attorney General, the Department of State, and the Division of State Police (one form, the NYSOAG SB Form, may be used for all three) must be notified. The notification template must be included along with “the timing, content, and distribution of the notices and approximate number of affected persons.”
The New York Department of Financial Services must also be notified, but it is not covered by the above form – one must use the DFS Portal via an existing account or establish one (https://www.dfs.ny.gov/system/files/documents/2023/11/reporting-cybersecurity-incidents.pdf).
Takeaways and Planning Checklist
Businesses have only 30 days after discovering a security breach to report the incident. It is prudent to understand what can be prepared now to help mitigate high-cost recovery efforts later. Questions every business should ask itself are:
- Has the business previously gained consent from potentially affected individuals?
- Does the business have an incident response team and written plan that it can follow even if systems are unavailable?
- Is there cyber insurance coverage? Does it include business interruption costs, experts to help fix vulnerabilities and recover lost data, and a dedicated breach coach?
- Has the business run security breach scenarios, including data recovery?
Preparation is key: businesses must have their game plans ready to help avoid negative consequences of data breach incidents within their organizations.