a. Any city agency that owns, leases, or licenses data that includes private information shall promptly disclose to the chief privacy officer, office of cyber command and department of information technology and telecommunications any breach of security following discovery by a supervisor or manager, or following notification to a supervisor or manager, of such breach if such private information was, or is reasonably believed to have been, accessed, acquired, disclosed, or used by an unauthorized person.
b. Subsequent to compliance with the provisions set forth in subdivision a of this section, any city agency that owns, leases, or licenses data that includes private information shall disclose, in accordance with the procedures set forth in subdivisions d, e and f of this section, any breach of security following discovery by a supervisor or manager, or following notification to a supervisor or manager, of such breach to any individual whose private information was, or is reasonably believed to have been, accessed, acquired, disclosed, or used by an unauthorized person.
c. Any city agency that maintains but does not own, lease, or license data that includes private information shall disclose any breach of security following discovery by a supervisor or manager, or following notification to a supervisor or manager, of such breach to the owner, lessor or licensor of the data if the private information was, or is reasonably believed to have been, accessed, acquired, disclosed, or used by an unauthorized person.
d. The disclosures required by subdivisions b and c of this section shall be made as soon as practicable by a method reasonable under the circumstances, provided said method is not inconsistent with the legitimate needs of law enforcement or any other investigative or protective measures necessary to restore the integrity of the data system. Disclosures required by subdivision b of this section shall be made to each affected individual by at least one of the following means:
1. Written notice; or
2. Telephonic notification, provided that a log of each such notification is maintained by the agency that notifies the affected individuals; or
3. Electronic notification, provided that the affected individual has expressly consented to receiving such notification in electronic form and a log of each such notification is maintained by the agency that notifies affected individuals in such form; provided further, however, that in no case shall any city agency, individual, or business require an individual to consent to accepting notification in such form as a condition of establishing any relationship or engaging in any transaction.
e. Should disclosure pursuant to paragraph one, two or three of subdivision d be impracticable or inappropriate given the circumstances of the breach and the identity of the victim, such disclosure shall be made by a mechanism that is reasonably targeted to the individual in a manner that does not further compromise the integrity of the private information.
f. In the event that five thousand or more New York residents are to be notified at one time pursuant to this section, the agency shall also notify consumer reporting agencies as to the timing, content and distribution of the notices and approximate number of affected individuals. Such notice shall be made without delaying notice to affected New York residents.
g. Notice to affected individuals under this section is not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the agency reasonably determines, in accordance with the protocols established pursuant to subdivision i of this section, that such exposure will not likely result in misuse of such information, or financial, personal, or reputational harm to the affected individuals. Such a determination must be documented in writing and maintained for at least five years.
h. If notice of a breach of security is made to affected individuals pursuant to any law or rule of the state of New York, or pursuant to a law described in paragraph b of subdivision 2 of section 208 of the state technology law, nothing in this section shall require any additional notice to those affected individuals, but notice still shall be provided pursuant to subdivision a of this section.
i. The office of cyber command, in consultation with the chief privacy officer and the department of information technology and telecommunications, shall issue protocols for agency coordination and recordkeeping for any breach of security and any incident that is not a breach of security but involves the good faith or inadvertent access, acquisition, disclosure, or use of any private information by an employee or agent of an agency for the legitimate purposes of the agency. Such protocols may apply to all agencies or a subset thereof.
j. Notifications made pursuant to this section may overlap with notifications required pursuant to chapter 12 of title 23, including the regulations, policies and protocols issued by the chief privacy officer pursuant to such chapter. Nothing in this section or such chapter shall require duplicate notifications, as long as any notice provided meets any applicable requirements of both this law and such chapter.
(Am. L.L. 2021/151, 12/11/2021, eff. 4/10/2022)
Editor's note: For related unconsolidated provisions, see Appendix A at L.L. 2005/045.