§ 899-aa. Notification; person without valid authorization has\nacquired private information. 1. As used in this section, the following\nterms shall have the following meanings:\n (a) "Personal information" shall mean any information concerning a\nnatural person which, because of name, number, personal mark, or other\nidentifier, can be used to identify such natural person;\n (b) "Private information" shall mean either: (i) personal information\nconsisting of any information in combination with any one or more of the\nfollowing data elements, when either the data element or the combination\nof personal information plus the data element is not encrypted, or is\nencrypted with an encryption key that has also been accessed or\nacquired:\n (1) social security number;\n (2) driver's license number or non-driver identification card number;\n (3) account number, credit or debit card number, in combination with\nany required security code, access code, password or other information\nthat would permit access to an individual's financial account;\n (4) account number, credit or debit card number, if circumstances\nexist wherein such number could be used to access an individual's\nfinancial account without additional identifying information, security\ncode, access code, or password; or\n (5) biometric information, meaning data generated by electronic\nmeasurements of an individual's unique physical characteristics, such as\na fingerprint, voice print, retina or iris image, or other unique\nphysical representation or digital representation of biometric data\nwhich are used to authenticate or ascertain the individual's identity;\nor\n (6) medical information, meaning any information regarding an\nindividual's medical history, mental or physical condition, or medical\ntreatment or diagnosis by a health care professional; or\n (7) health insurance information, meaning an individual's health\ninsurance policy number or subscriber identification number, any unique\nidentifier used by a health insurer to identify the individual or any\ninformation in an individual's application and claims history, including\nbut not limited to, appeals history; or\n (ii) a user name or e-mail address in combination with a password or\nsecurity question and answer that would permit access to an online\naccount.\n "Private information" does not include publicly available information\nwhich is lawfully made available to the general public from federal,\nstate, or local government records.\n (c) "Breach of the security of the system" shall mean unauthorized\naccess to or acquisition of, or access to or acquisition without valid\nauthorization, of computerized data that compromises the security,\nconfidentiality, or integrity of private information maintained by a\nbusiness. Good faith access to, or acquisition of, private information\nby an employee or agent of the business for the purposes of the business\nis not a breach of the security of the system, provided that the private\ninformation is not used or subject to unauthorized disclosure.\n In determining whether information has been accessed, or is reasonably\nbelieved to have been accessed, by an unauthorized person or a person\nwithout valid authorization, such business may consider, among other\nfactors, indications that the information was viewed, communicated with,\nused, or altered by a person without valid authorization or by an\nunauthorized person.\n In determining whether information has been acquired, or is reasonably\nbelieved to have been acquired, by an unauthorized person or a person\nwithout valid authorization, such business may consider the following\nfactors, among others:\n (1) indications that the information is in the physical possession and\ncontrol of an unauthorized person, such as a lost or stolen computer or\nother device containing information; or\n (2) indications that the information has been downloaded or copied; or\n (3) indications that the information was used
‹ Prev All New York sections Next ›
Lexace provides legal information, not legal advice, and no attorney–client relationship is created. Statute text is provided for general information and may not reflect the most recent amendments; verify against the official state code.