New York STT Code § 208

Notification; person without valid authorization has acquired private information
§ 208. Notification; person without valid authorization has acquired
private information. 1. As used in this section, the following terms
shall have the following meanings:
  (a) "Private information" shall mean either: (i) personal information
consisting of any information in combination with any one or more of the
following data elements, when either the data element or the combination
of personal information plus the data element is not encrypted or
encrypted with an encryption key that has also been accessed or
acquired:
  (1) social security number;
  (2) driver's license number or non-driver identification card number;
  (3) account number, credit or debit card number, in combination with
any required security code, access code, password or other information
which would permit access to an individual's financial account;
  (4) account number, or credit or debit card number, if circumstances
exist wherein such number could be used to access to an individual's
financial account without additional identifying information, security
code, access code, or password; or
  (5) biometric information, meaning data generated by electronic
measurements of an individual's unique physical characteristics, such as
fingerprint, voice print, or retina or iris image, or other unique
physical representation or digital representation which are used to
authenticate or ascertain the individual's identity; or
  (ii) a user name or e-mail address in combination with a password or
security question and answer that would permit access to an online
account.
  "Private information" does not include publicly available information
that is lawfully made available to the general public from federal,
state, or local government records.
  (b) "Breach of the security of the system" shall mean unauthorized
acquisition or acquisition without valid authorization of computerized
data which compromises the security, confidentiality, or integrity of
personal information maintained by a state entity. Good faith
acquisition of personal information by an employee or agent of a state
entity for the purposes of the agency is not a breach of the security of
the system, provided that the private information is not used or subject
to unauthorized disclosure.
  In determining whether information has been acquired, or is reasonably
believed to have been acquired, by an unauthorized person or a person
without valid authorization, such state entity may consider the
following factors, among others:
  (1) indications that the information is in the physical possession and
control of an unauthorized person, such as a lost or stolen computer or
other device containing information; or
  (2) indications that the information has been downloaded or copied; or
  (3) indications that the information was used by an unauthorized
person, such as fraudulent accounts opened or instances of identity
theft reported.
  (c) "State entity" shall mean any state board, bureau, division,
committee, commission, council, department, public authority, public
benefit corporation, office or other governmental entity performing a
governmental or proprietary function for the state of New York, except:
  (1) the judiciary; and
  (2) all cities, counties, municipalities, villages, towns, and other
local agencies.
  (d) "Consumer reporting agency" shall mean any person which, for
monetary fees, dues, or on a cooperative nonprofit basis, regularly
engages in whole or in part in the practice of assembling or evaluating
consumer credit information or other information on consumers for the
purpose of furnishing consumer reports to third parties, and which uses
any means or facility of interstate commerce for the purpose of
preparing or furnishing consumer reports. A list of consumer reporting
agencies shall be compiled by the state attorney general and furnished
upon request to state entities required to make a notification under
subdivision two of



Lexace provides legal information, not legal advice, and no attorney–client relationship is created. Statute text is provided for general information and may not reflect the most recent amendments; verify against the official state code.