2006 New York Code - Licensee Disclosure Of Security Breach; Notification Requirements.



 
    §   20-117.  Licensee  disclosure  of  security  breach;  notification
  requirements.
    a. Definitions. For the purposes of this section,
    1. The term "personal identifying information" shall mean any person's
  date  of  birth,  social  security  number,  driver's  license   number,
  non-driver  photo identification card number, financial services account
  number or code, savings account number or code, checking account  number
  or code, brokerage account number or code, credit card account number or
  code,  debit  card  number  or  code, automated teller machine number or
  code, personal identification number,  mother's  maiden  name,  computer
  system password, electronic signature or unique biometric data that is a
  fingerprint, voice print, retinal image or iris image of another person.
  This  term  shall  apply to all such data, notwithstanding the method by
  which such information is maintained.
    2. The term "breach of security" shall mean unauthorized possession of
  personal  identifying  information  that   compromises   the   security,
  confidentiality   or  integrity  of  such  information.  Good  faith  or
  inadvertent possession of any personal  identifying  information  by  an
  employee  or  agent  of  the licensee for the legitimate purposes of the
  business of the licensee shall not constitute a breach of security.
    b. Any person required to be licensed pursuant to chapter two of  this
  title,   or  pursuant  to  provisions  of  state  law  enforced  by  the
  department, that owns or leases data that includes personal  identifying
  information  and  any person required to be licensed pursuant to chapter
  two of this title, or pursuant to provisions of state  law  enforced  by
  the  department,  that  maintains  but  does  not own data that includes
  personal identifying  information  shall  immediately  disclose  to  the
  department and to the police department any breach of security following
  discovery  by  a  supervisor  or manager, or following notification to a
  supervisor or manager, of  such  breach  if  such  personal  identifying
  information   is  reasonably  believed  to  have  been  acquired  by  an
  unauthorized person.
    c.  Subsequent  to  compliance  with  the  provisions  set  forth   in
  subdivision  b  of  this  section,  any  person  required to be licensed
  pursuant to chapter two of this title,  or  pursuant  to  provisions  of
  state  law  enforced  by  the  department, that owns or leases data that
  includes personal identifying information shall disclose, in  accordance
  with  the  procedures  set  forth  in subdivision e of this section, any
  breach of security following discovery by a supervisor  or  manager,  or
  following notification to a supervisor or manager, of such breach to any
  person  whose  personal  identifying  information  was, or is reasonably
  believed to have been, acquired by an unauthorized person.
    d.  Subsequent  to  compliance  with  the  provisions  set  forth   in
  subdivision  b  of  this  section,  any  person  required to be licensed
  pursuant to chapter two of this title,  or  pursuant  to  provisions  of
  state  law  enforced  by the department, that maintains but does not own
  data that includes personal identifying information shall  disclose,  in
  accordance  with  the  procedures  set  forth  in  subdivision e of this
  section, any breach of security following discovery by a  supervisor  or
  manager,  or  following notification to a supervisor or manager, of such
  breach to the owner, lessor or licensor of  the  data  if  the  personal
  identifying  information  was,  or  is reasonably believed to have been,
  acquired by an unauthorized person.
    e. The disclosures required by subdivisions c and d  of  this  section
  shall  be  made  as soon as practicable by a method reasonable under the
  circumstances.  Provided  said  method  is  not  inconsistent  with  the
  legitimate  needs  of  law  enforcement  or  any  other investigative or
  protective measures necessary to restore the reasonable integrity of the
  data system, disclosure shall be made by at least one of the following
  means:
    1. Written notice to the individual at his or her last known address;
  or
    2. Verbal notification to the individual by telephonic communication;
  or
    3. Electronic notification to the individual at his or her last known
  e-mail address.
    f. Should disclosure pursuant to paragraphs one, two or three of
  subdivision e be impracticable or inappropriate given the circumstances
  of the breach and the identity of the victim, such disclosure shall be
  made by a mechanism of the licensee's choosing, provided such mechanism
  is reasonably targeted to the individual in a manner that does not
  further compromise the integrity of the personal information disclosed
  and has been approved, or is in compliance with rules promulgated, by
  the Commissioner.
    g. Any person required to be licensed pursuant to chapter two of this
  title, or pursuant to provisions of state law enforced by the
  department, that discards any records of an individual's personal
  identifying information shall do so in a manner intended to prevent
  retrieval of the information contained therein or thereon.
    h. Any person required to be licensed pursuant to chapter two of this
  title, or pursuant to provisions of state law enforced by the
  department, who shall violate any of the provisions of this section,
  upon conviction thereof, shall be punishable by a fine of not more than
  five hundred dollars ($500) and shall be liable for a civil penalty of
  one hundred dollars ($100) for each violation.
