US-New York

What constitutes a 'data breach' under New York law?

72 hours: Notification deadline for NY AG
10 days: Notice to affected individuals
$5,000: Max civil penalty per violation
1.9M: Records breached in 2023 (NY AG report)

The Short Answer

Under New York law, a 'data breach' is the unauthorized acquisition of, or access to, computerized data containing private information that compromises the security, confidentiality, or integrity of that information.

What the Law Says

New York defines 'data breach' primarily under the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which amended New York’s Information Security Breach and Notification Act.

A data breach occurs when there is 'unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of private information.' This includes both actual acquisition and reasonable evidence of acquisition — such as logs showing exfiltration or ransomware encryption with data exposure.

Private information is narrowly defined and includes any combination of: (i) a person’s name plus one or more of the following — social security number, driver’s license number, account number with security code, credit/debit card number with access code, biometric data, or user credentials for online accounts; or (ii) a username/email plus password or security question/answer that would permit access to an online account.

The law applies to any person or business owning or licensing computerized data containing private information of New York residents — regardless of whether the business operates in New York.

Statutory Text

‘Breach of the security of the system’ means unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of private information maintained by a person or business.

General Business Law § 899-aa(1)(a) — Definitions

Statutory Text

Any person or business that owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach...

General Business Law § 899-aa(2) — Duty to notify

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.