Jackson Lewis reports that the provision is designed to protect employees from identity theft. With a limited exception for an ongoing criminal investigation, any person or business which maintains “private information” on a computer system must notify the “owner or licensee” of such information of any system breach immediately following discovery.
The law states that private information includes social security numbers, drivers’ license or non-drivers’ identification numbers, and financial account numbers. Therefore the law would be aimed at almost every human resources information system of New York employers, according to Jackson Lewis.
If a New York employer believes that an unauthorized employee or third party has breached the security of a computer system containing any private information, the employer must immediately notify all affected employees of the breach and can no longer wait until it has investigated the scope of the breach.
Failure to comply with the law can result in injunctive relief and liability for actual losses suffered by an employee who did not receive notice. In addition, if a court finds an employer knowingly or recklessly failed to provide notice, a civil penalty of up to $150,000 could be imposed.