How quickly must a company notify me of a data breach in New York?
A company must notify you of a data breach in New York within 10 days after discovering the breach, unless law enforcement requests a delay.
What the Law Says
New York’s data breach notification law mandates strict timelines and reporting requirements for businesses that experience unauthorized access to private information.
Under New York’s Information Security Breach and Notification Act (GBL § 899-aa), any person or business that owns or licenses computerized data containing private information must notify affected New York residents following the discovery of a breach.
The law defines 'private information' as personal information combined with sensitive data like Social Security numbers, driver’s license numbers, account numbers with access codes, or biometric information.
Notification must be made "in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement" — but no later than 10 business days after discovery, unless a law enforcement agency determines that notification will impede a criminal investigation.
In addition, the business must report the breach to the New York State Attorney General, the Department of State, and the Division of Consumer Protection within 72 hours of determining that private information was accessed or acquired by an unauthorized person.
Statutory Text: Any person or business that owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system...
— Gen. Bus. Law § 899-aa(2) — Notification requirement
Statutory Text: Such disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement...
— Gen. Bus. Law § 899-aa(2)(a) — Timing standard
Statutory Text: The notice shall be provided to the affected persons within ten business days after the discovery of the breach...
— Gen. Bus. Law § 899-aa(2)(a) — 10-business-day deadline
Statutory Text: The person or business shall also give notice to the attorney general, the state department of state, and the division of consumer protection within seventy-two hours...
— Gen. Bus. Law § 899-aa(2)(b) — 72-hour reporting duty
Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.