NEW YORK
FINES & PENALTIES
Violations
Up to $250,000
BREACH NOTIFICATION
Mandated Timeframe
Without unreasonable delay
BREACH REPORTING
Organizations must complete breach notification to the State Attorney General, the Department of State and the Division of State Police for any breach incidents where consumer notification is sent to any New York residents. If the breach affects over 5,000 New York residents, breach notification must be given to consumer reporting agencies using a list of agencies provided by the Attorney General. Specific information must be included in the consumer and regulatory notifications. If it is determined that a breach incident will not result in misuse of information or harm to individuals, the Organization must maintain written records of the incident and the determination for at least 5 years. For incidents involving more than 500 New York residents, the written determination must be sent to the Attorney General within 10 days after making the determination.
CONSUMER NOTIFICATION
If a breach affects residents of other states, those individuals must be notified based on the breach notification laws of the state where they reside.
FINES & PENALTIES
Penalties for knowingly or recklessly violating the notification requirements begin at $5,000 or up to $20.00 per failed notification, and may total up to $250,000.
INDUSTRY SPECIFIC LAWS
Entities governed by sector-specific state and federal regulations must still report to the Attorney General, Department of State, Division of State Police, and credit reporting agencies, pursuant to the data breach notification requirements. For entities subject to the Health Insurance Portability and Accountability Act (HIPAA), notice to the State Attorney General is required within 5 business days of notification to the Secretary of Health and Human Services. Document destruction contractors must register with the New York Secretary of State and must renew the registration every 2 years. The Secretary of State will oversee and enforce the regulations for document destruction contractors.
PRIVACY PROGRAM
Organizations that own or license computerized data which includes the private information of New York residents must have specific safeguards in place for data protection and the security of their information systems. Organizations must contract with Vendors to require that Vendors maintain appropriate safeguards to protect any personal information disclosed to the Vendor. Organizations must ensure their destruction Vendors are compliant with the regulations. Each Vendor contract for document destruction must contain the Vendor’s registration number issued by the Secretary of State.
VENDOR/3RD PARTIES
Vendors must notify Organizations immediately after discovery of a breach or suspected breach. The Organization is responsible for completing any required regulatory reporting and consumer notification. Disposal Vendors must be contracted with Organizations for the secure disposal of records containing personal information. Disposal Vendors must have measures in place for the destruction of records containing personal information so that the records are unreadable or undecipherable.