New York is joining other US states in expanding its definition of a data breach to include unauthorized “viewing” of data. The amendment also expands the definition of private information.
The updated breach notification and data security law (S5575B) expands the definition of a “breach of the security of the system” to include the simple act of “accessing” data that would otherwise be off limits. This is in addition to unauthorized “acquisition” of the data. When such an event occurs, businesses collecting and processing customer data have to file a data breach report with the authorities.
The notification amendments take effect on October 23, 2019, while new security requirements will be imposed from March 21, 2020. The amendment states:
“In determining whether information has been accessed, or is reasonably believed to have been accessed, by an unauthorized person or a person without valid authorization, such business may consider, among other factors, indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.”
New York legislators are further expanding the definitions of private information and personal information to include biometric data, as well as account numbers or credit and debit card numbers “if circumstances exist wherein such number could be used to access an individual's financial account without additional identifying information.” The definition now also includes a user name or e-mail address in combination with a password or answer to a security question that would permit access to an online account.
While most notification requirements remain intact, the bill creates three new exceptions where businesses may not have to file a data breach report. For example, a business may not have to report a breach for inadvertent disclosure by an “authorized” person if the business determines that it will not likely result in misuse of the information, or financial or emotional harm to those affected.