Government and Data Privacy Law in New York State

N.Y. State Tech. Law § 201 to 207 is an internet security and data privacy law that was enacted in New York State in 2019. N.Y. State Tech. Law § 201 to 207 sets forth the steps and measures that state agencies within New York State must follow when collecting personal information from citizens across the state. Furthermore, the law also establishes the privacy regulations that state agencies must adopt in order to ensure that the personal information of New York State residents is protected from unauthorized access, use, modification, destruction, and disclosure. Such regulations include technological and privacy requirements, among other things.

How is a state agency defined under the law?

Under N.Y. State Tech. Law § 201 to 207, a state agency is defined as “any department, board, bureau, commission, division, office, council, committee or officer of the state. Such term shall not include the legislature or judiciary.” Alternatively, the law defines technology as “a good, service, or good and service that results in a digital, electronic or similar technical method of achieving a practical purpose or in improvements in productivity, including but not limited to information management, equipment, software, operating systems, interface systems, interconnected systems, telecommunications, data management, networks, and network management, consulting, supplies, facilities, maintenance, and training.”

What are the duties of state agencies under the law?

N.Y. State Tech. Law § 201 to 207 mandates that state agencies develop and implement a privacy policy that will ensure that the personally identifiable information of residents within New York State remains secure and confidential at all times. Such privacy policies must contain the following elements:

• A statement detailing the information that the state agency will collect from consumers, as well as what this information will be used for.
• The circumstances under which the personal information of New York State residents will be disclosed.
• Whether any personal information will be retained by the agency, as the period of time under which such information will be retained.
• The procedures that consumers must follow when looking to access personal information pertaining to them that has been submitted for collection.
• The means and methods that the agency will use to collect personal information, as well as whether or not such collection will occur actively or passively.
• Whether the agency requires the collection of personal information, if such collection is voluntary, and the consequences that consumers stand to face for reusing to provide an agency with their personal information.
• The steps that the agency will take to protect the confidentiality and integrity of the personal information they collect.

What categories of personal data are protected by the law?

The categories of personal data pertaining to citizens within New York State that are legally protected from unauthorized disclosure under the provisions of N.Y. State Tech. Law § 201 to 207 include but are not limited to the following:

• Online user names.
• Email addresses.
• Social security numbers.
• Driver’s license numbers.
• State identification cards.
• Passport numbers.
• Financial account numbers.
• Credit and debit card numbers.
• Biometric data.
• First and last names.
• Telephone numbers.
• Mother’s maiden name.
• Demographic information.
• Geolocation data.

Data breach notifications

In addition to personal privacy protections and regulations, the provisions of N.Y. State Tech. Law § 201 to 207 also mandates that state agencies provide data breach notifications to all applicable parties in instances where such an event occurs. These notifications must be made in the most expedient manner possible and without unreasonable delay. Additionally, state agencies are also required to provide affected parties with information concerning the scope and severity of the breach, the data elements that were disclosed as a result of the breach, and any measures the agency is taking to remedy the breach, among other pertinent provisions.

As it pertains to protecting the personal data that New York State residents submit to government agencies, N.Y. State Tech. Law § 201 to 207 ensures that this information does not fall into the wrong hands. Through the sections of the law, state agencies have a number of duties with respect to safeguarding the personally identifiable information that they collect, manage, and disclose. As such, citizens within New York State can have the peace of mind that their local government agencies are doing everything possible to protect their personal data and privacy.