New York State Information Security Breach and Notification Act, N.Y. Gen. Bus. Law §899-aa.
In the event that an unauthorized party has accessed "private information," defined as a name in combination with a Social Security Number, driver's license or an account or credit card number, the Act requires the business to notify affected customers and inform appropriate authorities. Disclosure must be made "in the most expedient time possible and without reasonable delay but subject and consistent with legitimate needs of law enforcement."
In addition, if there are more than five thousand (5,000) New York residents affected by the security breach at one time, the business must notify the consumer reporting agencies as to the timing, content and distribution of the notices.
The Act requires entities that experience security breaches to notify the state Attorney General's Office, Consumer Protection Board, and the state Office of Cyber Security in cases when New York residents must be notified.