US-New York

What information is covered under New York's data breach notification law?

45 days

Notification deadline

10+ people

Threshold for state AG notice

SSN

Covered data element

Biometric data

Covered data element

The Short Answer

New York's data breach notification law requires businesses to notify affected residents when private information is compromised, including names combined with SSNs, account numbers, or biometric data.

What the Law Says

New York’s data breach notification law is found in the General Business Law and defines what constitutes private information, when notification is required, and how quickly it must happen.

The law applies to any person or business that owns or licenses computerized data containing 'private information' of New York residents. Private information includes a person’s name in combination with any one of several sensitive data elements — such as Social Security number, driver’s license number, account number with access code, credit/debit card number with security code, or biometric information.

When a breach occurs involving private information, the business must notify affected New York residents without unreasonable delay — but no later than 45 days after discovering the breach. If more than 10 residents are affected, the business must also notify the New York State Attorney General, the Department of State, and the Division of Consumer Protection.

Businesses must also report breaches affecting over 5,000 New York residents to consumer reporting agencies.

Statutory Text
‘Private information’ means (i) a name, combined with any one or more of the following data elements: (A) social security number; (B) driver’s license number or non-driver identification card number; (C) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; or (D) biometric information.
— N.Y. Gen. Bus. Law § 899-aa(1)(a) — Definitions

Statutory Text
Any person or business which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach...
— N.Y. Gen. Bus. Law § 899-aa(2) — Duty to disclose

Statutory Text
Such disclosure shall be made without unreasonable delay and consistent with the legitimate needs of law enforcement... but not later than forty-five days after discovery of the breach.
— N.Y. Gen. Bus. Law § 899-aa(2)(a) — Timing of notice

Sources

statuteN.Y. Gen. Bus. Law § 899-aa — Data breach notification

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.