Breach notification New York




















Statute includes factors to consider when determining whether personal information has been accessed or acquired, excluding certain good faith access or acquisitions.

The statute does not apply to encrypted information, so long as the encryption key was not accessed or acquired. Notification is not required if the breach was an inadvertent disclosure by persons authorized to access the information, and the entity reasonably determines the breach will not likely result in misuse of such information, or financial harm to the affected persons, or emotional harm in the case of unknown disclosure of online credentials. This determination must be documented in writing and maintained for at least five years.

If the incident affects over residents, the entity must provide the written determination to the Attorney General within ten days after the determination.

Timing: Must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system.

Method: By written notice, electronic notice to residents who have expressly consented to receive notice electronically, or by telephone. An entity must keep a log of each notification when notice is made electronically or by telephone. In such action, the court may award damages to consumers for actual costs or losses incurred by a person entitled to notice, including consequential financial losses.

What is the significance of this law? What types of security breaches are covered by this law? What type of information is covered by this law? What are the obligations of businesses or state agencies when a breach occurs?

The Information Security Breach and Notification Act requires that the state entity or business notify: 1 Affected consumers following discovery of the breach in the security of its computer data system.

Are there any exceptions to the notification requirements?

Under the law, a security breach is defined as an unauthorized acquisition of computerized data which compromises the security, confidentiality or integrity of private information.

The SHIELD Act requires any person or business that maintains private information to adopt administrative, technical and physical safeguards. Certain safeguards are listed, but the list is not meant to be exhaustive.

Reasonable administrative safeguards: designates one or more employees to coordinate the security program; identifies reasonably foreseeable internal and external risks; assesses the sufficiency of safeguards in place to control the identified risks; trains and manages employees in the security program practices and procedures; selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and adjusts the security program in light of business changes or new circumstances.

Reasonable technical safeguards: assesses risks in network and software design; assesses risks in information processing, transmission and storage; detects, prevents and responds to attacks or system failures; and regularly tests and monitors the effectiveness of key controls, systems and procedures.

Reasonable physical safeguards: assesses risks of information storage and disposal; detects, prevents and responds to intrusions; protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

The law requires that the person or business notify the affected consumers following discovery of the breach in the security of its computer data system affecting private information. The disclosure must be made in the most expedient time possible consistent with legitimate needs of law enforcement agencies. The person or business must also notify consumer reporting agencies if more than 5, New York residents are to be notified.

The contact information for the three nationwide consumer reporting agencies is as follows:


