Section 899-AA. Notification; person without valid authorization has acquired private information
1. As used in this section, the following terms shall have the following meanings:

  (a) "Personal information" shall mean any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person;

  (b) "Private information" shall mean personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired:
    (1) social security number;
    (2) driver's license number or non-driver identification card number; or
    (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
  "Private information" does not include publicly available information which is lawfully made available to the general public from federal, state, or local government records.

  (c) "Breach of the security of the system" shall mean unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business. Good faith acquisition of personal information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure.
  In determining whether information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person or a person without valid authorization, such business may consider the following factors, among others:
    (1) indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing information; or
    (2) indications that the information has been downloaded or copied; or
    (3) indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.

  (d) "Consumer reporting agency" shall mean any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports. A list of consumer reporting agencies shall be compiled by the state attorney general and furnished upon request to any person or business required to make a notification under subdivision two of this section.
2. Any person or business which conducts business in New York state, and which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision four of this section, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.
3. Any person or business which maintains computerized data which includes private information which such person or business does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery, if the private information was, or is reasonably believed to have been, acquired by a person without valid authorization.
4. The notification required by this section may be delayed if a law enforcement agency determines that such notification impedes a criminal investigation. The notification required by this section shall be made after such law enforcement agency determines that such notification does not compromise such investigation.
5. The notice required by this section shall be directly provided to the affected persons by one of the following methods:
  (a) written notice;
  (b) electronic notice, provided that the person to whom notice is required has expressly consented to receiving said notice in electronic form and a log of each such notification is kept by the person or business who notifies affected persons in such form; provided further, however, that in no case shall any person or business require a person to consent to accepting said notice in said form as a condition of establishing any business relationship or engaging in any transaction;
  (c) telephone notification, provided that a log of each such notification is kept by the person or business who notifies affected persons; or
  (d) substitute notice, if a business demonstrates to the state attorney general that the cost of providing notice would exceed two hundred fifty thousand dollars, or that the affected class of subject persons to be notified exceeds five hundred thousand, or such business does not have sufficient contact information. Substitute notice shall consist of all of the following:
    (1) e-mail notice when such business has an e-mail address for the subject persons;
    (2) conspicuous posting of the notice on such business's web site page, if such business maintains one; and
    (3) notification to major statewide media.
6. (a) Whenever the attorney general shall believe from evidence satisfactory to him that there is a violation of this article he may bring an action in the name and on behalf of the people of the state of New York, in a court of justice having jurisdiction to issue an injunction, to enjoin and restrain the continuation of such violation. In such action, preliminary relief may be granted under article sixty-three of the civil practice law and rules. In such action the court may award damages for actual costs or losses incurred by a person entitled to notice pursuant to this article, if notification was not provided to such person pursuant to this article, including consequential financial losses. Whenever the court shall determine in such action that a person or business violated this article knowingly or recklessly, the court may impose a civil penalty of the greater of five thousand dollars or up to ten dollars per instance of failed notification, provided that the latter amount shall not exceed one hundred fifty thousand dollars.
  (b) The remedies provided by this section shall be in addition to any other lawful remedy available.
  (c) No action may be brought under the provisions of this section unless such action is commenced within two years immediately after the date of the act complained of or the date of discovery of such act.
7. Regardless of the method by which notice is provided, such notice shall include contact information for the person or business making the notification and a description of the categories of information that were, or are reasonably believed to have been, acquired by a person without valid authorization, including specification of which of the elements of personal information and private information were, or are reasonably believed to have been, so acquired.
8. (a) In the event that any New York residents are to be notified, the person or business shall notify the state attorney general, the consumer protection board, and the state office of cyber security and critical infrastructure coordination as to the timing, content and distribution of the notices and approximate number of affected persons. Such notice shall be made without delaying notice to affected New York residents.
  (b) In the event that more than five thousand New York residents are to be notified at one time, the person or business shall also notify consumer reporting agencies as to the timing, content and distribution of the notices and approximate number of affected persons. Such notice shall be made without delaying notice to affected New York residents.
9. The provisions of this section shall be exclusive and shall preempt any provisions of local law, ordinance or code, and no locality shall impose requirements that are inconsistent with or more restrictive than those set forth in this section.