The New York Information Security Breach and Notification Act, enacted in 2005, requires any person or entity doing business in New York that maintains computerized data to notify any New York resident when their private information was, or is reasonably believed to have been, released to unauthorized parties. This information can be stored on the hard drive of a computer or any other removable media.
What is “private information” as defined by this Act?
Any personal information (name or other personal identifier) plus one of the following:
- Social Security number
- Driver's license
- Non-driver ID
- Account numbers such as bank, credit or debit numbers
- Passwords that would permit access to a person’s financial accounts
How is it determined that there may have been a breach?
- The information has been lost or stolen and may be in the control of an unauthorized person.
- There is evidence that the information has been downloaded or copied.
- There is any evidence of unauthorized use of the information.
How should the breach be disclosed?
- The affected individuals should be notified by written or electronic (only with permission) notice, or by telephone.
When should a breach be disclosed?
After the nature and scope of the breach have been determined, it should be disclosed as soon as possible. The only exception is if law enforcement determines that disclosure would impede a criminal investigation.
Should any other entities be notified?
Yes. The following entities should also be notified:
- New York State Attorney General
- New York State Office of Cyber Security and Critical Infrastructure Coordination
- New York State Consumer Protection Board
- If more than 5,000 residents are affected, credit reporting agencies must also be notified.
What are the punishments for violations?
- Loss of business reputation and client trust