
New York Data Breach Laws: Notification Requirements

New York businesses that experience a harmful data breach must notify affected New York residents as soon as possible by mail, phone, or email. If the security breach affects more than 500,000 people, or the cost of notification exceeds $250,000, businesses can use public service announcements instead. A breach that affects more than 5,000 people needs to be reported to all credit-reporting agencies. Whenever New York residents are notified about their compromised data, the state attorney general, Department of State, and Office of Information Technology Services must also be informed.

Name of Law / Statute


Definition of Protected Information

A combination of (1) a name or other identifying information, plus (2) one or more of these "data" elements: SSN; driver's license number; or account number, credit card number, or debit card number if accompanied by a PIN, password, or access code. The first element does not have to be a name: any identifying information or mark combined with a data element qualifies.

Who Is Subject to Law?

Any person or business conducting business in the state who licenses or owns PI

Notification of Consumers?


By what means?

Written, phone, or electronic; if >5,000 residents, must notify consumer reporting agencies; specific info must be included in notice

Substitute Notice Threshold?

If cost of notice >$250,000 or involves >500k residents

Notification of authorities / regulators required?

Yes (multiple regulators)

By what means?

Required reporting form

Regulatory Fines

Greater of $5,000 or $10/resident (capped at $150k)

Credit monitoring requirement?


Private lawsuits allowed?


Private damages cap?


Regulatory actions allowed?


HIPAA Compliance exemption?


Other (e.g., timeframe)

Law does not apply if PI was encrypted (unless encryption was compromised)

Link to complete law


Read the full text of New York’s data breach law.
