Can you summarize NYCL GBS Article 39-F?
General Business > Notification of Unauthorized Acquisition of Private Information; Data Security Protections
Short Summary
This legal document governs the notification of unauthorized acquisition of private information and data security protections. It applies to any person or business that owns or licenses computerized data containing private information. Private information includes personal information and specific data elements such as social security numbers, driver’s license numbers, account numbers, credit or debit card numbers, and biometric information. The document requires the disclosure of any breach of the security of the system to affected residents of New York state in a timely manner. However, notification is not required for inadvertent disclosures by authorized persons if it is determined that there will likely be no misuse or harm. The document also outlines the methods of notification, including written notice, electronic notice, telephone notification, or substitute notice. Failure to comply with the notification requirements may result in civil penalties. The document also provides provisions for notifying relevant state and federal agencies, as well as consumer reporting agencies, in certain circumstances.
Additionally, this legal document pertains to data security protections in the state of New York. It applies to any person or business that owns or licenses computerized data containing private information of a resident of New York. The document defines ‘compliant regulated entity’ as a person or business that is subject to and in compliance with specific data security requirements. It also defines ‘private information’ and ‘small business’. The document establishes a reasonable security requirement for the protection of private information, which includes the development, implementation, and maintenance of reasonable safeguards. Compliance can be achieved by being a compliant regulated entity or by implementing a data security program that includes administrative, technical, and physical safeguards. Small businesses are required to have security programs appropriate for their size and complexity. Non-compliance with this subdivision may result in civil penalties and enforcement actions by the attorney general.
Whom does it apply to?
Any person or business that owns or licenses computerized data containing private information
What does it govern?
Notification of unauthorized acquisition of private information and data security protections
What are exemptions?
Notification is not required for inadvertent disclosures by authorized persons if there will likely be no misuse or harm
What are the Penalties?
Civil penalties for failure to comply with the notification requirements
Jurisdiction
New York