CMM Coverage News
IC Icon

New York Personal Information Protection

Posted on

Covered employers must comply with state law protecting personal information. A general overview of the New York law is presented below.

Definitions  Personal information is any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.
 Private information is generally personal information consisting of any information combined with any 1 or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired:Social Security number (SSN);Driver’s license number or non-driver identification card number; orAccount number or credit or debit card number, combined with any required security code, access code, or password that would permit access to an individual’s financial account.Personal identifying information includes a person’s:SSN;Home address or telephone number;Personal email address;Internet identification name or password;Parent’s surname before marriage; andDrivers’ license number.
Notification RequirementsAny employer that conducts business in New York, and which owns or licenses computerized data that includes private information must disclose any breach of system security following discovery or notification to any New York resident whose private information was (or is reasonably believed to have been) acquired by an unauthorized person. The disclosure generally must be made in the most expedient time possible and without unreasonable delay.If any New York residents are to be notified, the employer must notify the state attorney general, the department of state, and the division of state police as to the timing, content, and distribution of the notices and approximate number of affected persons. Such notice must be made without delaying notice to affected New York residents.If more than 5,000 New York residents are to be notified at one time, the employer must also notify consumer reporting agencies as to the timing, content, and distribution of the notices and approximate number of affected persons. Such notice must be made without delaying notice to affected New York residents.Click here for the methods and contents of notice.
Additional RequirementsEmployers generally may not:
Publicly post or display an employee’s SSN;Visibly print an SSN on any identification badge or card (including any time card);Place an SSN in files with unrestricted access; orCommunicate an employee’s personal identifying information to the general public.Note : It is presumptive evidence that a violation of the law was knowing if the employer has not put in place any policies or procedures to safeguard against such violation (including procedures to notify relevant employees of these provisions).

Additional requirements and exceptions may apply. For more information, please contact the New York Attorney General’s Office.

Please Note: The state laws summaries featured on this site are for general informational purposes only. In addition to state law, certain municipalities may enact legislation that imposes different requirements. State and local laws change frequently and, as such, we cannot guarantee the accuracy or completeness of the information featured in the State Laws section. For more detailed information regarding state or local laws, please contact your state labor department or the appropriate local government agency.

Go Back