
New York Businesses Must Now Report a Breach Even if Private Data Was Merely ‘Viewed’

Filip Truta

July 31, 2019


New York is joining other US states in expanding its definition of a data breach to include unauthorized “viewing” of data. The amendment also expands the definition of private information.

The updated breach notification and data security law (S5575B) expands the definition of a “breach of the security of the system” to include the simple act of “accessing” data that would otherwise be off limits. This is in addition to unauthorized “acquisition” of the data. When such an event occurs, businesses that collect and process customer data must file a data breach report with the authorities.

The notification amendments take effect on October 23, 2019, while new security requirements will be imposed from March 21, 2020. The amendment states:

“In determining whether information has been accessed, or is reasonably believed to have been accessed, by an unauthorized person or a person without valid authorization, such business may consider, among other factors, indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.”

New York legislators are further expanding the definitions of private information and personal information to include biometric data, and an account number or credit or debit card number “if circumstances exist wherein such number could be used to access to an individual's financial account without additional identifying information.” The definition now also includes a user name or e-mail address in combination with a password or answer to a security question that would permit access to an online account.

While most notification requirements remain intact, the bill creates three new exceptions where businesses may not have to file a data breach report. For example, a business may not have to report a breach for inadvertent disclosure by an “authorized” person if the business determines that it will not likely result in misuse of the information, or financial or emotional harm to those affected.



Author


Filip Truta

Filip is an experienced writer with over a decade of practice in the technology realm. He has covered a wide range of topics in such industries as gaming, software, hardware and cyber-security, and has worked in various B2B and B2C marketing roles. Filip currently serves as Information Security Analyst with Bitdefender.
