Contact Us

(845) 202-7087
31 Mountain Lane
PO Box 1255
Beacon, NY 12508

hello@
hudsonvalleypublic
relations.com

Data Breach: New York State Breach Notification Laws

Most state notification statutes have similar components, New York State does have some important differences. This document provides guidelines on compliance and notification laws in New York State in the event of a data security cyber-attack.

Continual collaborative efforts from your people, processes and technology will deliver a robust data security framework. 

How Do Breaches Occur

 

Source: Department of Homeland Security | Data Breach Investigations Report

State entities and persons or businesses conducting business in New York who own or license computerized data which includes private information must disclose any breach of the data to New York residents.

NYS Information Security Breach and Notification Act
The NYS Information Security Breach and Notification Act is comprised of section 208 of the State Technology Law and section 899-aa of the General Business Law. Copies of these sections can be found below.

Section 208 of the State Technology Law
Section 899-aa of the General Business Law

State entities are also required to notify non-residents, see Information Security Policy P03-002 V3.4 Part 12.

Who's Perpetuating Breaches

Source: Department of Homeland Security | Data Breach Investigations Report

 

NYS Information Security Breach and Notification Act
Persons or Businesses Conducting Business in New York

(Section 899-aa of the General Business Law) MUST notify three (3) NYS offices:

  1. NYS Attorney General;
  2. NYS Division of State Police;
  3. Department of State’s Division of Consumer Protection.

Breach Notification Law. NOTE: State entities subject to section 208 of the State Technology Law that experience breaches of computerized data which includes private information must file notices of with the New York Attorney General; Department of State’s Division of Consumer Protection; and the Office of Information Technology Services’ Enterprise Information Security Office.

Description of Breach (select all that apply):

Loss or theft of device or media
(e.g., computer, laptop, external hard drive, thumb drive, CD, tape);
Internal system breach;
Insider wrongdoing;
External system breach (e.g., hacking);
Inadvertent disclosure;
Other specify): ________________________

BASIC STEPS TO COMPLIANCE AND NOTIFICATION

Detection of a threat is solid security. Take steps to analyze and evaluate your organization’s threat landscape:

Eliminate non-essential data;
Ensure that critical security policies and procedures are being put into practice;
Collect and analyze incident data to drive ongoing security effectiveness.

The New York State Office of CyberSecurity(OCS) assists local governments and school districts through integrated training events and through its audit function to:

    1. Develop IT policies, including breach notification procedures;
    2. Limit and restrict access rights to systems and equipment;
    3. Develop and test disaster recovery plans;
    4. Configure strong access controls on firewalls;
    5. Provide information security awareness training to all personnel;
    6. Regularly tracking/monitoring system activity (all remote access);
    7. Provide for secured off-site storage of back up data;
    8. Maintain an up-to-date inventory of software and equipment; and
    9. Maintain up-to-date virus protection.
New York State Breach Notification Forms

New York State Breach Notification Forms http://www.dhses.ny.gov/ocs/

 

 

 

 

 

 

 

 

Source: 

The Department of Homeland Security (DHS)  www.dhs.gov/cyber.
https://www.llis.dhs.gov/content/2013-data-breach-investigations-report
http://www.dhses.ny.gov/ocs/breach-notification/

To report a cyber incident: https://forms.us-cert.gov/report/ or (888) 282-0870.

Summary
Data Breach: New York State Breach Notification Laws
Article Name
Data Breach: New York State Breach Notification Laws
Description
New York State Breach Notification Laws provides guidelines on compliance and notification laws in New York State in the event of a cyber-attack.
Author
Publisher Name
Hudson Valley Public Relations
Publisher Logo