|Security Breach Law|
|CITATION||New York General Business Law § 899-aa|
|SUMMARY||The law requires any person or business that conducts business in New York state and which owns or licenses computerized data that includes private information, to disclose a breach. The notice can be delayed if a law enforcement agency determines that notification will impede a criminal investigation.|
The law covers "Personal Information" which is defined as any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person;
"Private information" shall mean personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired:
|INDUSTRY||Any person or business which conducts business in New York state, and which owns or licenses computerized data which includes private information.|
The Attorney General may file a suit to obtain an injunction or to recover damages for actual costs or losses incurred by a person entitled to notice.
Whenever the court shall determine in such action that a person or business violated this article knowingly or recklessly, the court may impose a civil penalty of the greater of five thousand dollars ($5,000) or up to ten dollars ($10) per instance of failed notification, provided that the latter amount shall not exceed one hundred fifty thousand dollars ($150,000).