Enterprise Information Security Office

Breach Notification

Share This

Breach Notification Law

Notice: With the passage of the 2013-14 NYS Executive Budget, the functions, powers, and duties of the Office of Cyber Security have been transferred to the Office of Information Technology Services (ITS).

NYS Breach Notification Law Changes

Provisions of the NYS Executive Budget amended section 899-aa of the General Business Law. As amended, section 899-aa now provides that persons or businesses conducting business in New York must disclose any breaches of computerized data which includes private information by notifying the offices of the New York Attorney General; the NYS Division of State Police; and the Department of State's Division of Consumer Protection.

Note: State entities subject to section 208 of the State Technology Law that experience breaches of computerized data which includes private information must file notices of with the New York Attorney General; Department of State's Division of Consumer Protection; and the Office of Information Technology Services' Enterprise Information Security Office.

NYS Information Security Breach and Notification Act

The NYS Information Security Breach and Notification Act is comprised of section 208 of the State Technology Law and section 899-aa of the General Business Law. Copies of these sections can be found below.

State entities and persons or businesses conducting business in New York who own or license computerized data which includes private information must disclose any breach of the data to New York residents (state entities are also required to notify non-residents, see Information Security Policy NYS-P03-002.)

For Persons or Businesses Conducting Business in New York

Under section 899-aa of the General Business Law, a person or business conducting business in New York must also notify three (3) NYS offices: the NYS Attorney General; the NYS Division of State Police; and the Department of State's Division of Consumer Protection.

Please download, complete and submit the completed form to all three entities as outlined below.

General Business Law Data Breach Form

NYS Information Security Breach and Notification Act Reporting Form under section 899-aa of the General Business Law - pdf or doc

Please fax or email to:

    • New York State Division of State Police

      New York State Intelligence Center

      Security Breach Notification


      31 Tech Valley Drive, Second Floor

      East Greenbush, NY 12061

      Fax: 518-786-9398

      Email:risk@nysic.ny.gov

 

    • New York State Attorney General's Office

      Consumer Frauds & Protection Bureau

      Security Breach Notification


      120 Broadway - 3rd Floor

      New York, NY 10271

      Fax: 212-416-6003

      Email:breach.security@ag.ny.gov

 

    • New York State Department of State

      Division of Consumer Protection

      Attention: Director of the Division of Consumer Protection

      Security Breach Notification


      99 Washington Avenue, Suite 650

      Albany, NY 12231

      Fax: 518-473-9055

      Email:security_breach_notification@dos.ny.gov

 

For State Entities:

Under section 208 of the State Technology Law, a state entity must also notify three (3) NYS offices: the NYS Attorney General (AG), the NYS Office of Information Technology Services' Enterprise Information Security Office, and the Department of State's Division of Consumer Protection.

Please download, complete and submit the form to all three entities as outlined below

State Technology Law Data Breach Form

NYS Information Security Breach and Notification Act Reporting form under section 208 of the

State Technology Law - pdf or doc

Please fax or email to:

    • New York State Office of Information Technology Services

      Enterprise Information Security Office

      Security Breach Notification


      1220 Washington Avenue

      State Office Campus

      Building 7A, 4th Floor

      Albany, NY 12242

      518-322-4976

      eiso@its.ny.gov

 

    • New York State Attorney General's Office

      Consumer Frauds & Protection Bureau

      Security Breach Notification


      120 Broadway - 3rd Floor

      New York, NY 10271

      Fax: 212-416-6003

      Email:breach.security@ag.ny.gov

 

    • New York State Department of State, Division of Consumer Protection

      Attention: Director of the Division of Consumer Protection

      Security Breach Notification


      99 Washington Avenue, Suite 650

      Albany, NY 12231

      fax: 518-473-9055

      Email: security_breach_notification@dos.ny.gov