US-New YorkDoes New York require companies to notify me if my data is breached?
Yes, New York law requires companies to notify you within a reasonable time after discovering a data breach involving your private information.
What the Law Says
New York’s data breach notification law is found in the General Business Law and applies to any person or business that owns or licenses computerized data containing private information of New York residents.
Under New York law, a 'breach of the security of the system' means unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of private information. If such a breach occurs, the business must notify affected New York residents without unreasonable delay.
The law defines 'private information' narrowly: it includes a combination of (1) a person’s name plus (2) at least one of the following: social security number, driver’s license number, account number with access code or password, credit/debit card number with access code or password, biometric information, or user name/email with password or security question/answer.
Notification must be made in writing, by email (if the person has consented), or by substitute notice (e.g., web posting + media notice) if direct notice is not feasible or costs exceed $250,000, affects more than 500,000 people, or the business lacks sufficient contact information.
Statutory TextAny person or business which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the most expedient time possible and without unreasonable delay.
— N.Y. Gen. Bus. Law § 899-aa(2) — Notification of breach of computerized data
Statutory TextPrivate information shall mean: (i) a natural person's first name or first initial and last name in combination with any one or more of the following data elements... (a) social security number; (b) driver's license number or non-driver identification card number...
— N.Y. Gen. Bus. Law § 899-aa(1)(a) — Definition of private information
What to Do
Check your mail, email, and phone for official breach notices from the company.
Review the notice for what information was exposed and what steps the company is offering (e.g., free credit monitoring).
Place a fraud alert or credit freeze with the three major bureaus (Equifax, Experian, TransUnion).
Monitor your bank and credit accounts closely for suspicious activity for at least 12 months.
If you believe your identity was misused, file a report with the NYS Attorney General’s Office and the FTC.
Sources
Same Question, Other Jurisdictions
Canada
Australia
Ireland
Singapore
European Union
India
South Korea
UK
US-California
JapanNot legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.