Any Town entity that owns or licenses computerized data that includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York State whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in § 149-5 of this chapter, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

The Town entity shall consult with the State Office of Cyber Security and Critical Information Coordination to determine the scope of the breach and restoration measures.

Notice to affected persons under this section is not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the Town entity reasonably determines such exposure will not likely result in misuse of such information, or financial or emotional harm, to the affected persons. Such a determination must be documented in writing and maintained for at least five years. If the incidents affected over 500 residents of New York, the Town shall provide the written determination to the New York State Attorney General within 10 days after the determination.

If notice of the breach of the security of the system is made to affected persons pursuant to the breach notification requirements under any of the following laws, nothing in this section shall require any additional notice to those affected persons, but notice shall be provided to the New York State Attorney General, the Department of State and the Office of Information Technology Services pursuant to § 149-8 hereof and to consumer reporting agencies pursuant to § 149-8 hereof.

Written notice;

Electronic notice, provided that the person to whom notice is required has expressly consented to receiving said notice in electronic form and a log of each such notification is kept by the Town entity who notifies affected persons in such form; provided further, however, that in no case shall any person or business require a person to consent to accepting said notice in said form as a condition of establishing any business relationship or engaging in any transaction;

Telephone notification, provided that a log of each telephone notification is kept by the Town entity which notifies the affected parties; or

Substitute notice, if a Town entity demonstrates to the New York State Attorney General that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds $500,000, or such entity does not have sufficient contact information, substitute notice shall consist of all of the following:

In the event that any New York residents are to be notified at one time, the Town entity shall notify the New York State Attorney General, the Consumer Protection Board, and the State Office of Cyber Security and Critical Infrastructure Coordination as to the timing, content and distribution of the notices and approximate number of affected persons and provide a copy of the template of the notice sent to affected persons. Such notice shall be made without delaying notice to affected New York residents.

In the event that more than 5,000 New York residents are to be notified at one time, the person or business shall also notify consumer reporting agencies as to the timing, content and distribution of the notices and approximate number of affected persons. Such notice shall be made without delaying notice to affected New York residents.