Which privacy laws apply to your business in New York?
New York has no comprehensive consumer-privacy statute, but it is far from unregulated — the state runs a layered, sector-by-sector framework with unusually broad practical reach. The SHIELD Act supplies the spine: any person or business that owns or licenses computerized data including the private information of a New York resident must develop, implement, and maintain reasonable safeguards to protect it, and must notify affected residents of a data breach in the most expedient time possible, with a hard outer limit of thirty days after discovery. Since June 20, 2025, the Child Data Protection Act has barred operators of websites, apps, and connected devices from processing the personal data of New York users under 18 except on narrow statutory terms. And on the employment side, Labor Law § 203-d restricts what an employer may do with employee personal identifying information.
The structural point to absorb first is that the SHIELD Act's safeguards duty carries no in-state-presence, revenue, or data-volume threshold — it turns solely on holding a New York resident's private information — so a business with a handful of New York customers or employees is covered even if it has never set foot in the state. What New York does not have is an omnibus law of the California, Virginia, or Colorado type: residents hold no general state-law rights to access, delete, or correct their personal data, and no general right to opt out of its sale (the under-18 sale ban in the Child Data Protection Act is the exception). General Business Law § 349 supplies the UDAAP and deception rule and the SHIELD safeguards enforcement hook, but breach-notice violations, Child Data Protection Act violations, and employee personal-identifying-information violations run through their own statutory enforcement provisions. The federal overlay fills the remaining lanes: FTC Act § 5 polices deceptive or unfair privacy practices nationwide, GLBA governs financial institutions, HIPAA governs covered health entities and their business associates, and COPPA governs services directed to children under 13.
The landscape is also moving. A Health Information Privacy Act passed both houses in 2025 but was vetoed in December 2025; revised S9269/A10357 passed both houses on June 3-4, 2026 and would create the health-data regime if signed. Until signature, veto, or chapter amendment, it is not in force. The separate comprehensive New York Privacy Act lineage has not advanced in 2026, so New York remains a non-comprehensive state for now — but businesses handling health-adjacent consumer data should confirm the health bill's status before relying on the current sectoral-only picture.
Sources for this answer
Primary law
A.1 N.Y. Gen. Bus. Law § 899-bb(2)(a): The SHIELD Act requires any person or business that owns or licenses computerized data including the private information of a New York resident to develop, implement, and maintain reasonable safeguards — with no in-state-presence, revenue, or volume threshold.
Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.
See N.Y. Gen. Bus. Law § 899-bb(2)(a).
Primary law
A.2 N.Y. Gen. Bus. Law § 899-aa(2): Breach notice to affected New York residents must be made in the most expedient time possible and without unreasonable delay, and in no event more than thirty days after the breach is discovered, subject only to law-enforcement needs.
The disclosure shall be made in the most expedient time possible and without unreasonable delay, provided that such notification shall be made within thirty days after the breach has been discovered, except for the legitimate needs of law enforcement, as provided in subdivision four of this section.
See N.Y. Gen. Bus. Law § 899-aa(2).
Primary law
A.3 N.Y. Gen. Bus. Law § 899-ff(1): The Child Data Protection Act bars an operator from processing — or letting a processor or third-party operator collect — a covered user's personal data unless a COPPA, strict-necessity, or informed-consent pathway applies.
Except as provided for in subdivision six of this section and section eight hundred ninety-nine-jj of this article, an operator shall not process, or allow a processor to process, the personal data of a covered user collected through the use of a website, online service, online application, mobile application, or connected device, or allow a third-party operator to collect the personal data of a covered user collected through the operator's website, online service, online application, mobile application, or connected device unless and to the extent: (a) the covered user is twelve years of age or younger and processing is permitted under 15 U.S.C. § 6502 and its implementing regulations; or (b) the covered user is thirteen years of age or older and processing is strictly necessary for an activity set forth in subdivision two of this section, or informed consent has been obtained as set forth in subdivision three of this section.
See N.Y. Gen. Bus. Law § 899-ff(1).
Primary law
A.4 N.Y. Lab. Law § 203-d: New York employers may not publicly post Social Security numbers, print them on badges or time cards, leave them in unrestricted files, or communicate employee personal identifying information to the general public.
An employer shall not unless otherwise required by law: (a) Publicly post or display an employee's social security number; (b) Visibly print a social security number on any identification badge or card, including any time card; (c) Place a social security number in files with unrestricted access; or (d) Communicate an employee's personal identifying information to the general public.
See N.Y. Lab. Law § 203-d(1).
What does the SHIELD Act require your data-security program to include?
The SHIELD Act gives a business two ways to satisfy its reasonable-safeguards duty: be a compliant regulated entity under an enumerated regime (GLBA, HIPAA/HITECH, New York's financial-services cybersecurity regulation, or other federal or state data-security rules), or implement a data-security program with the statute's enumerated administrative safeguards, technical safeguards, and physical safeguards. Small businesses — fewer than fifty employees, under three million dollars in gross annual revenue in each of the last three fiscal years, or under five million dollars in year-end total assets — comply with a program whose safeguards are appropriate to their size, complexity, activities, and the sensitivity of the data they hold.
This is the closest thing New York has to a general privacy-program mandate, and it is the prong most businesses should build to first. The statutory safeguard lists work as a program checklist: administrative safeguards (coordinator, risk identification, sufficiency assessment, training, vendor selection and contracting, program adjustment), technical safeguards (risk assessment in network and software design and in processing, transmission, and storage; attack detection, prevention, and response; testing and monitoring of key controls), and physical safeguards (storage and disposal risk, intrusion detection and response, protection during collection, transport, and destruction, and timely disposal by erasing media so the information cannot be read or reconstructed). The deemed-compliance path matters for regulated entities: a business already subject to and in compliance with GLBA, HIPAA, or the Department of Financial Services cybersecurity regulation does not need a second, parallel program for SHIELD purposes. The small-business proviso scales the duty but does not waive it — a five-person shop should be able to document a reasoned set of safeguards.
A safeguards failure is deemed a General Business Law § 349 violation, and the Attorney General may sue to enjoin violations and collect civil penalties — up to five thousand dollars per violation under the companion penalty section. Per-violation math across a large data set is what turns a paper duty into a board-level number.
Sources for this answer
Primary law
B.1 N.Y. Gen. Bus. Law § 899-bb(2)(b): A business is deemed compliant with the safeguards duty if it is a compliant regulated entity or implements a data-security program with the statute's enumerated administrative safeguards — coordinator, risk identification, sufficiency assessment, training, service-provider contracts, and program adjustment.
A person or business shall be deemed to be in compliance with paragraph (a) of this subdivision if it either: (i) is a compliant regulated entity as defined in subdivision one of this section; or (ii) implements a data security program that includes the following: (A) reasonable administrative safeguards such as the following, in which the person or business: (1) designates one or more employees to coordinate the security program; (2) identifies reasonably foreseeable internal and external risks; (3) assesses the sufficiency of safeguards in place to control the identified risks; (4) trains and manages employees in the security program practices and procedures; (5) selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and (6) adjusts the security program in light of business changes or new circumstances
See N.Y. Gen. Bus. Law § 899-bb(2)(b).
Primary law
B.2 N.Y. Gen. Bus. Law § 899-bb(2)(b)(ii)(B): A SHIELD-compliant data-security program includes technical safeguards covering network and software design, information processing, transmission, storage, attack and system-failure response, and testing and monitoring.
reasonable technical safeguards such as the following, in which the person or business: (1) assesses risks in network and software design; (2) assesses risks in information processing, transmission and storage; (3) detects, prevents and responds to attacks or system failures; and (4) regularly tests and monitors the effectiveness of key controls, systems and procedures
See N.Y. Gen. Bus. Law § 899-bb(2)(b)(ii)(B).
Primary law
B.3 N.Y. Gen. Bus. Law § 899-bb(2)(b)(ii)(C): A SHIELD-compliant data-security program includes physical safeguards covering storage and disposal risk, intrusion response, protection during collection, transport, and destruction, and timely secure disposal.
reasonable physical safeguards such as the following, in which the person or business: (1) assesses risks of information storage and disposal; (2) detects, prevents and responds to intrusions; (3) protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and (4) disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
See N.Y. Gen. Bus. Law § 899-bb(2)(b)(ii)(C).
Primary law
B.4 N.Y. Gen. Bus. Law § 899-bb(1)(c): A small business under the SHIELD Act is one with fewer than fifty employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets.
"Small business" shall mean any person or business with (i) fewer than fifty employees; (ii) less than three million dollars in gross annual revenue in each of the last three fiscal years; or (iii) less than five million dollars in year-end total assets, calculated in accordance with generally accepted accounting principles.
See N.Y. Gen. Bus. Law § 899-bb(1)(c).
Primary law
B.5 N.Y. Gen. Bus. Law § 899-bb(2)(c): A small business complies if its security program contains reasonable administrative, technical, and physical safeguards appropriate to its size, complexity, activities, and the sensitivity of the personal information it collects.
A small business as defined in paragraph (c) of subdivision one of this section complies with subparagraph (ii) of paragraph (b) of subdivision two of this section if the small business's security program contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers.
See N.Y. Gen. Bus. Law § 899-bb(2)(c).
Primary law
B.6 N.Y. Gen. Bus. Law § 899-bb(2)(d): A failure to comply with the safeguards duty is deemed a violation of GBL § 349, and the Attorney General may sue to enjoin violations and obtain civil penalties under GBL § 350-d.
Any person or business that fails to comply with this subdivision shall be deemed to have violated section three hundred forty-nine of this chapter, and the attorney general may bring an action in the name and on behalf of the people of the state of New York to enjoin such violations and to obtain civil penalties under section three hundred fifty-d of this chapter.
See N.Y. Gen. Bus. Law § 899-bb(2)(d).
Primary law
B.7 N.Y. Gen. Bus. Law § 350-d: The civil penalty for an act or practice unlawful under GBL article 22-A — the hook through which safeguards failures are penalized — is up to $5,000 per violation, recoverable by the Attorney General.
Any person, firm, corporation or association or agent or employee thereof who engages in any of the acts or practices stated in this article to be unlawful shall be liable to a civil penalty of not more than five thousand dollars for each violation, which shall accrue to the state of New York and may be recovered in a civil action brought by the attorney general.
See N.Y. Gen. Bus. Law § 350-d(a).
What must your New York privacy policy contain?
No New York statute requires a general consumer privacy policy or fixes what it must say. The governing rule is instead that whatever you publish has to be true: General Business Law § 349 declares unfair, deceptive, or abusive acts and practices in any business, trade, or commerce in the state unlawful, and FTC Act § 5 reaches the same conduct federally — so a privacy policy that misstates how you collect, use, share, retain, or secure data is itself the violation. Where a sectoral regime applies, that regime supplies the required contents; a HIPAA covered entity, for example, must give individuals notice of the uses and disclosures of their protected health information and of their rights and the entity's duties.
In practice the drafting question for a New York-facing policy is less "what must be included" than "does the policy match actual practice." Build the contents from the overlay that applies to you — GLBA privacy notices for financial institutions, the HIPAA Notice of Privacy Practices for covered entities, HIPAA business-associate agreements where a business associate handles PHI, and a COPPA notice for services directed to children under 13 — and, for everyone else, follow best practice: describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer, then honor every word of it. Two New York-specific notes sharpen the risk. First, § 349 was amended effective February 17, 2026 to reach unfair and abusive practices, not just deceptive ones, so the Attorney General can now pursue data practices that involve no affirmative misstatement at all — think onerous consent flows or data uses a consumer cannot reasonably avoid. Second, because § 349 carries a private right of action for deceptive practices (covered in the lawsuit section below), an inaccurate privacy policy is one of the few privacy failures in New York that consumers themselves can sue over.
Sources for this answer
Primary law
C.1 N.Y. Gen. Bus. Law § 349(a): GBL § 349 declares unfair, deceptive, or abusive acts or practices in the conduct of any business, trade, or commerce in New York unlawful — which reaches a privacy policy that misstates a business's actual data practices.
Unfair, deceptive, or abusive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service in this state are hereby declared unlawful.
See N.Y. Gen. Bus. Law § 349(a).
Primary law
C.2 FTC Act § 5: Section 5 of the FTC Act declares unfair or deceptive acts or practices in or affecting commerce unlawful, which independently reaches privacy-policy misstatements by businesses serving New Yorkers.
Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.
See 15 U.S.C. § 45(a)(1).
Primary law
C.3 HIPAA Notice of Privacy Practices: A HIPAA covered entity must give individuals a notice describing the uses and disclosures of their protected health information and their rights and the entity's legal duties.
an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information
See 45 C.F.R. § 164.520(a)(1).
Can you collect personal data from users under 18 in New York?
Only on the statute's terms. Since June 20, 2025, New York's Child Data Protection Act has flipped the default for minors' data: subject to the statute's express subdivision-six deletion/transition rule and § 899-jj exception, an operator may not process — or let a processor or third-party operator collect — the personal data of a covered user unless, for users 12 or younger, COPPA permits the processing, or, for users 13 through 17, the processing is strictly necessary for an enumerated activity or the user has given informed consent. A covered user is a New York user the operator actually knows to be a minor, or any user of a service primarily directed to minors, and a minor is anyone under eighteen. Selling a covered user's personal data is prohibited except as provided in § 899-jj.
The strictly-necessary lane is narrow by design: it covers providing a service the user requested, internal operations (expressly excluding marketing, advertising, research and development, and re-engagement prompts), fixing technical errors, fraud and security, legal compliance and claims, and vital interests. Everything else for the 13-to-17 band requires informed consent collected the statute's way — the request must be separate from other transactions, free of interface design that obscures or impairs the choice, must state clearly that the processing is not strictly necessary and can be declined without losing the service, and must present refusal as the most prominent option; consent is freely revocable, and a declined or revoked request cannot be repeated for the following calendar year. Operators also may not punish a non-consenting user by degrading or charging more for the service, must delete a covered user's non-permitted data within thirty days of learning the user is covered, and must honor device-level decline signals.
Enforcement belongs to the Attorney General, who may sue any person within or outside the state for injunctions, restitution, disgorgement — including destruction of unlawfully obtained data — damages, and civil penalties of up to five thousand dollars per violation. The Attorney General published implementation guidance in 2025 signaling enforcement discretion for good-faith compliance while formal rules under the act remain outstanding, but the statute itself is in force and per-violation exposure across a youth user base scales quickly. Note the act's relationship to federal law: for under-13 users it harmonizes with COPPA rather than displacing it, so a COPPA-compliant program is the starting point, not the finish line, for a New York audience that includes teenagers.
Sources for this answer
Primary law
D.1 N.Y. Gen. Bus. Law § 899-ff(1): Subject to subdivision six and § 899-jj, the Child Data Protection Act prohibits processing a covered user's personal data unless COPPA permits it (12 and under) or the processing is strictly necessary or done with informed consent (13 and older).
Except as provided for in subdivision six of this section and section eight hundred ninety-nine-jj of this article, an operator shall not process, or allow a processor to process, the personal data of a covered user collected through the use of a website, online service, online application, mobile application, or connected device, or allow a third-party operator to collect the personal data of a covered user collected through the operator's website, online service, online application, mobile application, or connected device unless and to the extent: (a) the covered user is twelve years of age or younger and processing is permitted under 15 U.S.C. § 6502 and its implementing regulations; or (b) the covered user is thirteen years of age or older and processing is strictly necessary for an activity set forth in subdivision two of this section, or informed consent has been obtained as set forth in subdivision three of this section.
See N.Y. Gen. Bus. Law § 899-ff(1).
Primary law
D.2 N.Y. Gen. Bus. Law § 899-ee(1): A covered user is a New York user of a website, online service, app, or connected device whom the operator actually knows to be a minor, or any user of a service primarily directed to minors.
"Covered user" shall mean a user of a website, online service, online application, mobile application, or connected device, or portion thereof, in the state of New York who is: (a) actually known by the operator of such website, online service, online application, mobile application, or connected device to be a minor; or (b) using a website, online service, online application, mobile application, or connected device primarily directed to minors.
See N.Y. Gen. Bus. Law § 899-ee(1).
Primary law
D.3 N.Y. Gen. Bus. Law § 899-ee(2): A minor under the Child Data Protection Act is a natural person under the age of eighteen — the act protects teenagers, not just children under 13.
"Minor" shall mean a natural person under the age of eighteen.
See N.Y. Gen. Bus. Law § 899-ee(2).
Primary law
D.4 N.Y. Gen. Bus. Law § 899-ff(5): Except as provided in § 899-jj, an operator may not purchase or sell a covered user's personal data, or allow a processor or third-party operator to do so.
Except as provided for in section eight hundred ninety-nine-jj of this article, an operator shall not purchase or sell, or allow a processor or third-party operator to purchase or sell, the personal data of a covered user.
See N.Y. Gen. Bus. Law § 899-ff(5).
Primary law
D.5 N.Y. Gen. Bus. Law § 899-ff(3): A request for informed consent must be separate from other transactions, avoid design mechanisms that obscure or impair choice, clearly state that processing is not strictly necessary and may be declined without losing the service, and present refusal as the most prominent option.
Requests for such informed consent shall: (i) be made separately from any other transaction or part of a transaction; (ii) be made in the absence of any mechanism that has the purpose or substantial effect of obscuring, subverting, or impairing a covered user's decision-making regarding authorization for the processing; (iii) clearly and conspicuously state that the processing for which the consent is requested is not strictly necessary, and that the covered user may decline without preventing continued use of the website, online service, online application, mobile application, or connected device; and (iv) clearly present an option to refuse to provide consent as the most prominent option.
See N.Y. Gen. Bus. Law § 899-ff(3)(a).
Primary law
D.6 N.Y. Gen. Bus. Law § 899-ff(3)(b)-(c): Informed consent must be freely revocable and at least as easy to revoke as to provide, and after a covered user declines or revokes consent the operator may not request that processing again for the following calendar year.
Such informed consent, once given, shall be freely revocable at any time, and shall be at least as easy to revoke as it was to provide. (c) If a covered user declines to provide or revokes informed consent for processing, another request may not be made for such processing for the following calendar year, however an operator may make available a mechanism that a covered user can use unprompted and at the user's discretion to provide informed consent.
See N.Y. Gen. Bus. Law § 899-ff(3)(b)-(c).
Primary law
D.9 N.Y. Gen. Bus. Law § 899-ff(3)(d): If a covered user's device communicates or signals that the user declines informed consent for processing, the operator may not request informed consent for that processing.
If a covered user's device communicates or signals that the covered user declines to provide informed consent for processing pursuant to the provisions of subdivision two of section eight hundred ninety-nine-ii of this article, an operator shall not request informed consent for such processing, however an operator may make available a mechanism that a covered user can use unprompted and at the user's discretion to provide informed consent.
See N.Y. Gen. Bus. Law § 899-ff(3)(d).
Primary law
D.7 N.Y. Gen. Bus. Law § 899-ff(4): Except where processing is strictly necessary to provide a product, service, or feature, an operator may not withhold, degrade, lower quality, or increase price because consent was not obtained.
Except where processing is strictly necessary to provide a product, service, or feature, an operator may not withhold, degrade, lower the quality, or increase the price of any product, service, or feature to a covered user due to the operator not obtaining verifiable parental consent under 15 U.S.C. § 6502 and its implementing regulations or informed consent under subdivision three of this section.
See N.Y. Gen. Bus. Law § 899-ff(4).
Primary law
D.8 N.Y. Gen. Bus. Law § 899-ff(6): Within thirty days of determining or being informed that a user is covered, the operator must delete and direct processors to delete the covered user's personal data unless COPPA, strict necessity, or informed consent permits continued processing.
Within thirty days of determining or being informed that a user is a covered user, an operator shall: (a) dispose of, destroy, or delete and direct all of its processors to dispose of, destroy, or delete all personal data of such covered user that it maintains, unless processing such personal data is permitted under 15 U.S.C. § 6502 and its implementing regulations, is strictly necessary for an activity listed in subdivision two of this section, or informed consent is obtained as set forth in subdivision three of this section
See N.Y. Gen. Bus. Law § 899-ff(6).
Primary law
D.10 N.Y. Gen. Bus. Law § 899-mm: The Attorney General enforces the Child Data Protection Act through actions for injunctions, restitution, disgorgement (including destruction of unlawfully obtained data), damages, and civil penalties of up to $5,000 per violation.
Whenever it appears to the attorney general, either upon complaint or otherwise, that any person, within or outside the state, has engaged in or is about to engage in any of the acts or practices stated to be unlawful in this article, the attorney general may bring an action or special proceeding in the name and on behalf of the people of the state of New York to enjoin any violation of this article, to obtain restitution of any moneys or property obtained directly or indirectly by any such violation, to obtain disgorgement of any profits or gains obtained directly or indirectly by any such violation, including but not limited to the destruction of unlawfully obtained data, to obtain damages caused directly or indirectly by any such violation, to obtain civil penalties of up to five thousand dollars per violation, and to obtain any such other and further relief as the court may deem proper, including preliminary relief.
See N.Y. Gen. Bus. Law § 899-mm.
What privacy rights and opt-outs do New York consumers have?
New York does not give adult consumers a general state-law right to access, delete, correct, or port personal data, a general sale opt-out, or a general universal-opt-out-signal right. The state-specific choice regime is targeted to covered users under 18: for users 13 through 17, processing that is not strictly necessary requires informed consent collected through the CDPA's prescribed request or device-signal path, and the sale of covered users' personal data is prohibited except as provided in § 899-jj.
For adults, the practical right is indirect: a deceptive privacy statement can support a consumer suit under General Business Law § 349(h), but that is a deception remedy, not an omnibus data-rights regime. For minors, the CDPA gives the meaningful opt-out architecture. Consent must be separate from other transactions, free of mechanisms that obscure or impair the user's choice, and paired with refusal as the most prominent option. Once consent is declined or revoked, the operator generally cannot ask again for that processing for the following calendar year; if the covered user's device communicates a decline signal, the operator cannot request informed consent for that processing. New York therefore has a strong minor-specific consent and signal rule, but no across-the-board adult universal-opt-out requirement.
Sources for this answer
Primary law
E.1 N.Y. Gen. Bus. Law § 899-ff(3)(a): For covered users under the CDPA, informed-consent requests must be separate from other transactions, avoid design mechanisms that obscure or impair choice, clearly state that processing is not strictly necessary and may be declined without losing the service, and present refusal as the most prominent option.
Requests for such informed consent shall: (i) be made separately from any other transaction or part of a transaction; (ii) be made in the absence of any mechanism that has the purpose or substantial effect of obscuring, subverting, or impairing a covered user's decision-making regarding authorization for the processing; (iii) clearly and conspicuously state that the processing for which the consent is requested is not strictly necessary, and that the covered user may decline without preventing continued use of the website, online service, online application, mobile application, or connected device; and (iv) clearly present an option to refuse to provide consent as the most prominent option.
See N.Y. Gen. Bus. Law § 899-ff(3)(a).
Primary law
E.2 N.Y. Gen. Bus. Law § 899-ff(5): Except as provided in § 899-jj, an operator may not purchase or sell a covered user's personal data, or allow a processor or third-party operator to do so.
Except as provided for in section eight hundred ninety-nine-jj of this article, an operator shall not purchase or sell, or allow a processor or third-party operator to purchase or sell, the personal data of a covered user.
See N.Y. Gen. Bus. Law § 899-ff(5).
Primary law
E.4 N.Y. Gen. Bus. Law § 899-ff(3)(b)-(c): Informed consent must be freely revocable and at least as easy to revoke as to provide, and after a covered user declines or revokes consent the operator may not request that processing again for the following calendar year.
Such informed consent, once given, shall be freely revocable at any time, and shall be at least as easy to revoke as it was to provide. (c) If a covered user declines to provide or revokes informed consent for processing, another request may not be made for such processing for the following calendar year, however an operator may make available a mechanism that a covered user can use unprompted and at the user's discretion to provide informed consent.
See N.Y. Gen. Bus. Law § 899-ff(3)(b)-(c).
Primary law
E.5 N.Y. Gen. Bus. Law § 899-ff(3)(d): If a covered user's device communicates or signals that the user declines informed consent for processing, the operator may not request informed consent for that processing.
If a covered user's device communicates or signals that the covered user declines to provide informed consent for processing pursuant to the provisions of subdivision two of section eight hundred ninety-nine-ii of this article, an operator shall not request informed consent for such processing, however an operator may make available a mechanism that a covered user can use unprompted and at the user's discretion to provide informed consent.
See N.Y. Gen. Bus. Law § 899-ff(3)(d).
Primary law
E.3 N.Y. Gen. Bus. Law § 349(h)
GBL § 349(h) gives an injured person a private action for deceptive acts or practices, including actual damages or $50, possible treble damages up to $1,000, and attorney's fees.
In addition to the right of action granted to the attorney general pursuant to this section, any person who has been injured by reason of any deceptive act or deceptive practice made unlawful by this section may bring an action in such person's own name to enjoin such deceptive act or deceptive practice, an action to recover such person's actual damages or fifty dollars, whichever is greater, or both such actions. The court may, in its discretion, increase the award of damages to an amount not to exceed three times the actual damages up to one thousand dollars, if the court finds the defendant willfully or knowingly violated this section. The court may award reasonable attorney's fees to a prevailing plaintiff.
See N.Y. Gen. Bus. Law § 349(h).
What must your contracts with vendors say?
New York has no omnibus data-processing-agreement statute, but two state-law contract duties do exist. Under the SHIELD Act, a compliant security program includes selecting service providers capable of maintaining appropriate safeguards and requiring those safeguards by contract. And under the Child Data Protection Act, no operator or processor may disclose a covered user's personal data to a third party — or allow a third party to process it — without a written, binding agreement setting out processing instructions and the parties' rights and obligations.
For general adult-consumer data, the SHIELD clause is the floor: a New York-facing business should be able to show that its vendor diligence and its contracts impose safeguards on everyone who touches private information, because a vendor-caused breach will be evaluated against that statutory element. Where minors' data is in scope, the Child Data Protection Act turns the contract into a gating requirement — the statute also obliges processors to follow the operator's instructions, to assist with the operator's deletion duties, to demonstrate compliance on request, to cooperate with assessments, and to give advance notice before handing data to further processors, so a compliant agreement should track each of those elements. The federal overlay supplies the rest where it applies: the GLBA Safeguards Rule requires financial institutions to bind service providers by contract to implement and maintain safeguards, and HIPAA requires a business-associate agreement with mandatory data-protection, breach-reporting, and subcontractor flow-down terms before protected health information changes hands. Outside those lanes, carrying the same terms forward — documented instructions, confidentiality, reasonable security, breach notice back to you, return or deletion at the end of the engagement — is best practice that also evidences SHIELD compliance.
Sources for this answer
Primary law
F.1 N.Y. Gen. Bus. Law § 899-bb(2)(b)(ii)(A)(5)
A SHIELD-compliant security program includes selecting service providers capable of maintaining appropriate safeguards and requiring those safeguards by contract.
selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract
See N.Y. Gen. Bus. Law § 899-bb(2)(b)(ii)(A)(5).
Primary law
F.2 N.Y. Gen. Bus. Law § 899-gg(1)
No operator or processor may disclose a covered user's personal data to a third party, or allow a third party to process it, without a written, binding agreement setting out processing and disclosure instructions and the parties' rights and obligations.
Except as provided for in section eight hundred ninety-nine-jj of this article, no operator or processor shall disclose the personal data of a covered user to a third party, or allow the processing of the personal data of a covered user by a third party, without a written, binding agreement governing such disclosure or processing. Such agreement shall clearly set forth instructions for the nature and purpose of the processor's processing of the personal data, instructions for using or further disclosing the personal data, and the rights and obligations of both parties.
See N.Y. Gen. Bus. Law § 899-gg(1).
Primary law
F.3 GLBA Safeguards Rule
The GLBA Safeguards Rule requires a financial institution to oversee its service providers, including by requiring them by contract to implement and maintain appropriate safeguards for customer information.
Requiring your service providers by contract to implement and maintain such safeguards
See 16 C.F.R. § 314.4(f)(2).
Primary law
F.4 HIPAA Business Associate Contracts
HIPAA requires a business-associate contract to establish permitted uses and disclosures of protected health information and bind the business associate to safeguards, breach reporting, and subcontractor flow-down restrictions.
A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information
See 45 C.F.R. § 164.504(e).
When must you notify people of a data breach in New York?
Any person or business that owns or licenses computerized data including private information must notify every New York resident whose private information was, or is reasonably believed to have been, accessed or acquired without valid authorization — in the most expedient time possible, and in any event within thirty days after the breach is discovered. The trigger is broad: a breach includes unauthorized access to private information, not just its acquisition. And whenever any New York residents are notified, the business must also notify the Attorney General, the Department of State, the State Police, and — for covered financial-services entities — the Department of Financial Services.
What counts as private information drives the analysis. It means personal information combined with an unencrypted (or key-compromised) data element — Social Security number, driver's license or non-driver ID number, financial-account or card numbers that permit account access, biometric information, medical information, and health-insurance information — or a username or email address combined with a password or security credentials permitting access to an online account. The medical and health-insurance additions matter operationally: incident-response playbooks written before 2025 often classify those elements as non-triggering, and in New York they now trigger. A business that merely maintains data it does not own must alert the data's owner within thirty days of discovery, and notice to individuals may be written, electronic with express consent, telephonic with a log, or by substitute notice for very large or unreachable classes. A narrow carve-out excuses notice for inadvertent disclosures by authorized persons that the business reasonably determines are unlikely to cause misuse or harm — but the determination must be documented in writing, retained for five years, and, if more than five hundred residents are affected, provided to the Attorney General within ten days. When more than five thousand residents are notified at once, the consumer reporting agencies must be notified as well.
Non-compliance is an Attorney General matter: in the Attorney General's action, the court may award damages for actual losses of persons entitled to notice, and for knowing or reckless violations may impose a civil penalty of the greater of five thousand dollars or up to twenty dollars per failed notification, capped at two hundred fifty thousand dollars. A late-notice case needs no underlying security failure, so the thirty-day clock deserves a hard-coded place in any incident-response plan. Businesses already notifying under GLBA, HIPAA/HITECH, or the Department of Financial Services cybersecurity regulation need not send duplicate individual notices, but the New York regulator and credit-agency notices still apply, and HIPAA-covered entities reporting a breach to federal health authorities must copy the New York Attorney General within five business days.
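The thresholds and clocks in the three paragraphs above are the kind of thing an incident-response playbook should compute rather than recall under pressure. The following triage checklist is an added example, not code from the page or from any New York agency; it encodes the § 899-aa rules as stated here (private-information definition, access-or-acquisition trigger, the thirty-day outer limit, the regulator set, the 500- and 5,000-resident thresholds, and the five-business-day HIPAA copy). The element names, the `Incident` class, the sample incident, and the choice to key the regulator notice to the resident-notice date and to ignore holidays in the business-day count are all assumptions for illustration, not statutory terms.

```python
"""Breach-notice triage checklist for a SHIELD Act incident (added example).

Encodes the N.Y. Gen. Bus. Law § 899-aa thresholds quoted in this section so
an incident-response playbook can derive who must be told and by when.  The
element names, the Incident class and the sample incident are constructed for
illustration; holidays are ignored in the business-day count (an assumption).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# § 899-aa(1)(b)(i): elements that, with personal information, form "private
# information" when unencrypted or when the encryption key was compromised.
DATA_ELEMENTS = {
    "ssn", "drivers_license_or_nondriver_id", "financial_account",
    "biometric", "medical_information", "health_insurance_information",
}
# § 899-aa(1)(b)(ii): username or e-mail plus password / security Q&A.
CREDENTIAL_ELEMENTS = {"online_credentials"}


@dataclass
class Incident:
    discovered: date
    exposed_elements: Set[str]
    encrypted: bool = False            # element stored encrypted ...
    key_compromised: bool = False      # ... but the key was also exposed
    accessed: bool = False             # unauthorized access alone triggers
    acquired: bool = False
    ny_residents_affected: int = 0
    owns_data: bool = True             # False: you only maintain it (§ 899-aa(3))
    dfs_covered_entity: bool = False   # covered entity under 23 NYCRR 500.1
    inadvertent_by_authorized: bool = False
    misuse_unlikely_determined_on: Optional[date] = None  # § 899-aa(2)(a) finding
    hhs_notified_on: Optional[date] = None                # HIPAA/HITECH report to HHS


def is_private_information(inc: Incident) -> bool:
    """Credentials always qualify; other elements only if not safely encrypted."""
    if inc.exposed_elements & CREDENTIAL_ELEMENTS:
        return True
    has_element = bool(inc.exposed_elements & DATA_ELEMENTS)
    safely_encrypted = inc.encrypted and not inc.key_compromised
    return has_element and not safely_encrypted


def is_breach(inc: Incident) -> bool:
    """§ 899-aa(1)(c): access *or* acquisition without valid authorization."""
    return is_private_information(inc) and (inc.accessed or inc.acquired)


def add_business_days(start: date, days: int) -> date:
    """Advance `days` weekdays from `start` (holidays ignored: assumption)."""
    d = start
    while days > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days -= 1
    return d


def notice_plan(inc: Incident) -> List[Tuple[str, date]]:
    """Return (action, deadline) pairs; empty list if no notifiable breach."""
    if not is_breach(inc):
        return []
    actions: List[Tuple[str, date]] = []
    deadline = inc.discovered + timedelta(days=30)             # § 899-aa(2) outer limit
    if not inc.owns_data:
        actions.append(("notify_owner_or_licensee", deadline))  # § 899-aa(3)
        return actions                                          # owner carries the rest
    finding = inc.misuse_unlikely_determined_on
    if inc.inadvertent_by_authorized and finding is not None:  # § 899-aa(2)(a) carve-out
        # keep the written determination at least five years (leap-safe over-approximation)
        actions.append(("retain_written_determination_until", finding + timedelta(days=5 * 366)))
        if inc.ny_residents_affected > 500:
            actions.append(("send_determination_to_ag", finding + timedelta(days=10)))
    else:
        actions.append(("notify_affected_residents", deadline))
        regulators = ["attorney_general", "department_of_state", "state_police"]
        if inc.dfs_covered_entity:
            regulators.append("dfs")
        # § 899-aa(8)(a): regulator notice keyed to the resident notice (same date assumed)
        actions.append(("notify_" + "+".join(regulators), deadline))
        if inc.ny_residents_affected > 5000:                   # § 899-aa(8)(b)
            actions.append(("notify_consumer_reporting_agencies", deadline))
    if inc.hhs_notified_on is not None:                        # § 899-aa(9)
        actions.append(("copy_hhs_notice_to_ag", add_business_days(inc.hhs_notified_on, 5)))
    return actions


# Constructed sample: medical records and SSNs read (not copied) by an intruder.
SAMPLE = Incident(
    discovered=date(2025, 3, 3),
    exposed_elements={"medical_information", "ssn"},
    accessed=True,
    ny_residents_affected=6000,
    hhs_notified_on=date(2025, 3, 7),
)

if __name__ == "__main__":
    for action, due in notice_plan(SAMPLE):
        print(f"{due.isoformat()}  {action}")
```

Running it on the sample incident yields resident, regulator and consumer-reporting-agency notices all due 2025-04-02 and the HHS copy to the Attorney General due 2025-03-14. The `accessed=True, acquired=False` case is deliberate: it shows that read-only access to medical information is enough to start the clock, which is exactly the point older playbooks tend to miss.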
Sources for this answer
Primary law
G.1 N.Y. Gen. Bus. Law § 899-aa(2)
A business owning or licensing computerized private information must notify affected New York residents of a breach in the most expedient time possible and without unreasonable delay, and no later than thirty days after discovery.
Any person or business which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization. The disclosure shall be made in the most expedient time possible and without unreasonable delay, provided that such notification shall be made within thirty days after the breach has been discovered, except for the legitimate needs of law enforcement, as provided in subdivision four of this section.
See N.Y. Gen. Bus. Law § 899-aa(2).
Primary law
G.2 N.Y. Gen. Bus. Law § 899-aa(1)(c)
A breach of the security of the system includes unauthorized access to private information, not just its acquisition.
"Breach of the security of the system" shall mean unauthorized access to or acquisition of, or access to or acquisition without valid authorization, of computerized data that compromises the security, confidentiality, or integrity of private information maintained by a business.
See N.Y. Gen. Bus. Law § 899-aa(1)(c).
Primary law
G.4 N.Y. Gen. Bus. Law § 899-aa(1)(b)
Private information includes Social Security, driver's license, financial-account, biometric, medical-information, and health-insurance-information data elements, plus online credentials.
(1) social security number; (2) driver's license number or non-driver identification card number; (3) account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual's financial account; (4) account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual's financial account without additional identifying information, security code, access code, or password; or (5) biometric information, meaning data generated by electronic measurements of an individual's unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual's identity; or (6) medical information, meaning any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or (7) health insurance information, meaning an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual or any information in an individual's application and claims history, including but not limited to, appeals history; or (ii) a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
See N.Y. Gen. Bus. Law § 899-aa(1)(b).
Primary law
G.5 N.Y. Gen. Bus. Law § 899-aa(3)
A person or business that maintains computerized private information it does not own must notify the owner or licensee immediately, and no later than thirty days after discovery, if the private information was or is reasonably believed to have been accessed or acquired without valid authorization.
Any person or business which maintains computerized data which includes private information which such person or business does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately, provided that such notification shall be made within thirty days following discovery, if the private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization.
See N.Y. Gen. Bus. Law § 899-aa(3).
Primary law
G.6 N.Y. Gen. Bus. Law § 899-aa(5)
Breach notice to affected persons may be written, electronic with express consent and a log, telephone with a log, or substitute notice if the statutory cost, class-size, or contact-information conditions are met.
The notice required by this section shall be directly provided to the affected persons by one of the following methods: (a) written notice; (b) electronic notice, provided that the person to whom notice is required has expressly consented to receiving said notice in electronic form and a log of each such notification is kept by the person or business who notifies affected persons in such form; provided further, however, that in no case shall any person or business require a person to consent to accepting said notice in said form as a condition of establishing any business relationship or engaging in any transaction. (c) telephone notification provided that a log of each such notification is kept by the person or business who notifies affected persons; or (d) substitute notice, if a business demonstrates to the state attorney general that the cost of providing notice would exceed two hundred fifty thousand dollars, or that the affected class of subject persons to be notified exceeds five hundred thousand, or such business does not have sufficient contact information.
See N.Y. Gen. Bus. Law § 899-aa(5).
Primary law
G.7 N.Y. Gen. Bus. Law § 899-aa(2)(a)
Notice is not required for an inadvertent disclosure by authorized persons if the business reasonably determines the exposure is unlikely to result in misuse, financial harm, or online-credential emotional harm, documents that determination for at least five years, and submits it to the Attorney General within ten days if more than 500 residents are affected.
Notice to affected persons under this section is not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials as found in subparagraph (ii) of paragraph (b) of subdivision one of this section. Such a determination must be documented in writing and maintained for at least five years. If the incident affects over five hundred residents of New York, the person or business shall provide the written determination to the state attorney general within ten days after the determination.
See N.Y. Gen. Bus. Law § 899-aa(2)(a).
Primary law
G.3 N.Y. Gen. Bus. Law § 899-aa(8)(a)
Whenever New York residents are notified of a breach, the business must also notify the Attorney General, the Department of State, the State Police, and (for covered entities under 23 NYCRR 500.1) the Department of Financial Services, with a copy of the notice template.
In the event that any New York residents are to be notified, the person or business shall notify the state attorney general, the department of state, the division of state police, and the department of financial services as to the timing, content and distribution of the notices and approximate number of affected persons and shall provide a copy of the template of the notice sent to affected persons
See N.Y. Gen. Bus. Law § 899-aa(8)(a).
Primary law
G.8 N.Y. Gen. Bus. Law § 899-aa(8)(b)
If more than 5,000 New York residents are notified at one time, the business must also notify the consumer reporting agencies of the timing, content, and distribution of the notices.
In the event that more than five thousand New York residents are to be notified at one time, the person or business shall also notify consumer reporting agencies as to the timing, content and distribution of the notices and approximate number of affected persons.
See N.Y. Gen. Bus. Law § 899-aa(8)(b).
Primary law
G.9 N.Y. Gen. Bus. Law § 899-aa(6)(a)
In an Attorney General action for breach-notice violations, the court may award damages for actual costs or losses, including consequential financial losses, incurred by persons entitled to notice who did not receive it.
In such action the court may award damages for actual costs or losses incurred by a person entitled to notice pursuant to this article, if notification was not provided to such person pursuant to this article, including consequential financial losses.
See N.Y. Gen. Bus. Law § 899-aa(6)(a).
Primary law
G.10 N.Y. Gen. Bus. Law § 899-aa(6)(a)
For knowing or reckless notification failures, the court may impose a civil penalty of the greater of $5,000 or up to $20 per instance of failed notification, capped at $250,000.
Whenever the court shall determine in such action that a person or business violated this article knowingly or recklessly, the court may impose a civil penalty of the greater of five thousand dollars or up to twenty dollars per instance of failed notification, provided that the latter amount shall not exceed two hundred fifty thousand dollars.
See N.Y. Gen. Bus. Law § 899-aa(6)(a).
Primary law
G.11 N.Y. Gen. Bus. Law § 899-aa(9)
A covered entity that must notify HHS of a HIPAA/HITECH breach must provide that notification to the New York Attorney General within five business days of notifying HHS.
Any covered entity required to provide notification of a breach, including breach of information that is not "private information" as defined in paragraph (b) of subdivision one of this section, to the secretary of health and human services pursuant to the Health Insurance Portability and Accountability Act of 1996 or the Health Information Technology for Economic and Clinical Health Act, as amended from time to time, shall provide such notification to the state attorney general within five business days of notifying the secretary.
See N.Y. Gen. Bus. Law § 899-aa(9).
Can a consumer sue your business in New York over privacy?
Not under the SHIELD Act. The safeguards section says expressly that nothing in it creates a private right of action, and the breach-notification statute routes consumer redress through the Attorney General — in the Attorney General's action, the court may award damages for actual costs or losses of people who should have been notified but were not. The consumer's own door is General Business Law § 349(h): any person injured by a deceptive act or practice may sue in their own name for actual damages or fifty dollars, whichever is greater, with discretionary treble damages up to one thousand dollars for willful or knowing violations and attorney's fees for a prevailing plaintiff.
The practical consequence is that New York privacy litigation by consumers is framed as deception, not as a statutory data-rights claim: a privacy policy or security promise that did not match reality is the classic § 349(h) theory, often pleaded alongside common-law negligence and implied-contract claims after a breach. Two limits keep that exposure bounded. The § 349(h) action reaches deceptive acts and practices — the statute's newer unfair and abusive prongs are the Attorney General's to enforce — and the modest statutory minimum means individual claims aggregate into class actions rather than standing alone. On the public side, the Attorney General is an active privacy enforcer, using the SHIELD safeguards hook, the breach statute, and § 349 directly, typically resolving matters by assurance of discontinuance with monetary payments and mandated security programs; the auto-insurer and notice-timing settlements described in the security-program and breach sections above show the pattern. Employee data has its own enforcement lane: the Commissioner of Labor may impose a civil penalty of up to five hundred dollars for a knowing violation of the employee personal-identifying-information rules, and a violation is presumed knowing if the employer has no safeguard policies in place — which makes a short written policy the cheapest compliance step in this entire note.
One forward-looking caveat belongs here. Revised S9269/A10357 passed both houses on June 3-4, 2026 and would create a Health Information Privacy Act if signed; until signature, veto, or chapter amendment, it is not in force. In its passed form, it would keep enforcement exclusively with the Attorney General — no private right of action — at civil penalties of up to fifteen thousand dollars per violation.
Sources for this answer
Primary law
H.1 N.Y. Gen. Bus. Law § 899-bb(2)(e)
The SHIELD Act's data-security section expressly creates no private right of action.
Nothing in this section shall create a private right of action.
See N.Y. Gen. Bus. Law § 899-bb(2)(e).
Primary law
H.2 N.Y. Gen. Bus. Law § 899-aa(6)(a)
Consumer redress for notification failures runs through the Attorney General's action, in which the court may award damages for actual costs or losses — including consequential financial losses — of persons entitled to notice who did not receive it.
whenever the attorney general shall believe from evidence satisfactory to him or her that there is a violation of this article he or she may bring an action in the name and on behalf of the people of the state of New York, in a court of justice having jurisdiction to issue an injunction, to enjoin and restrain the continuation of such violation. In such action, preliminary relief may be granted under article sixty-three of the civil practice law and rules. In such action the court may award damages for actual costs or losses incurred by a person entitled to notice pursuant to this article, if notification was not provided to such person pursuant to this article, including consequential financial losses.
See N.Y. Gen. Bus. Law § 899-aa(6)(a).
Primary law
H.3 N.Y. Gen. Bus. Law § 349(h)
GBL § 349(h) gives any person injured by a deceptive act or practice a private action for actual damages or $50 (whichever is greater), discretionary treble damages up to $1,000 for willful or knowing violations, and attorney's fees.
In addition to the right of action granted to the attorney general pursuant to this section, any person who has been injured by reason of any deceptive act or deceptive practice made unlawful by this section may bring an action in such person's own name to enjoin such deceptive act or deceptive practice, an action to recover such person's actual damages or fifty dollars, whichever is greater, or both such actions. The court may, in its discretion, increase the award of damages to an amount not to exceed three times the actual damages up to one thousand dollars, if the court finds the defendant willfully or knowingly violated this section. The court may award reasonable attorney's fees to a prevailing plaintiff.
See N.Y. Gen. Bus. Law § 349(h).
Primary law
H.4 N.Y. Lab. Law § 203-d(3)
The Commissioner of Labor may impose a civil penalty of up to $500 for a knowing violation of the employee personal-identifying-information rules, and a violation is presumptively knowing if the employer has no safeguard policies or procedures.
The commissioner may impose a civil penalty of up to five hundred dollars on any employer for any knowing violation of this section. It shall be presumptive evidence that a violation of this section was knowing if the employer has not put in place any policies or procedures to safeguard against such violation, including procedures to notify relevant employees of these provisions.
See N.Y. Lab. Law § 203-d(3).