Mandated Timeframe for Breach Reporting and/or Consumer Notification

In the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement
Fines & Penalties

Violations of the breach notification law carry a civil penalty of the greater of $5,000 or up to $10 per instance of failed notification, not to exceed $150,000 in total.

Quick Facts
  • If the breach affects more than 5,000 NY residents, the consumer reporting agencies must also be notified, using the list of applicable agencies provided by the Attorney General.
  • Breach reports must be submitted to the State Attorney General, the Department of State and the Division of State Police, each on its own breach reporting form.
  • The notifications must include specific information prescribed by the statute.
  • Separate laws protect personal data and govern data disposal, with civil penalties for violations.
  • A separate law oversees document destruction contractors.
  • If a vendor holding the data is breached, it must report the breach to the data owner; the data owner is then responsible for completing the regulatory reporting and the consumer notification.
  • If the breach affects residents of other states, those residents must be notified under each affected state's own rules.

Statutes and Laws

  • NY Gen. Bus. Law § 899-aa  Notification; person without valid authorization has acquired private information (2005)
  • NY Gen. Bus. Law §§ 899-aaa – 899-bbb  Document destruction contractors (2008)
  • NY Gen. Bus. Law § 399-ddd  Confidentiality of social security account number (2008)
  • NY Gen. Bus. Law § 399-ddd*2  Disclosure of social security number (2008)
  • NY Gen. Bus. Law § 399-h  Disposal of records containing personal identifying information (2006)
  • 23 NYCRR 500 §§ 500.00 – 500.23  Cybersecurity Requirements for Financial Services Companies (2017)
