New York-2019-A02374-Introduced



                STATE OF NEW YORK
        ________________________________________________________________________
                                          2374
                               2019-2020 Regular Sessions
                   IN ASSEMBLY
                                    January 22, 2019
                                       ___________
        Introduced  by M. of A. DINOWITZ, BUCHWALD, GOTTFRIED, SIMON, SEAWRIGHT,
          SIMOTAS, BARRON, THIELE, FAHY, WRIGHT, GUNTHER, SOLAGES, ORTIZ, BRAUN-
          STEIN, WILLIAMS, OTIS, L. ROSENTHAL, SANTABARBARA, GALEF -- read  once
          and referred to the Committee on Consumer Affairs and Protection
        AN  ACT  to  amend  the general business law, in relation to requiring a
          consumer credit reporting agency to offer  identity  theft  prevention
          and  mitigation  services  in  the case of a breach of the security of
          such agency's system
          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:
     1    Section  1.  Subdivision  (n) of section 380-t of the general business
     2  law is amended by adding a new paragraph 3 to read as follows:
     3    (3)(i) Upon a breach of the security of the system of a consumer cred-
     4  it reporting agency which includes  any  social  security  number,  such
     5  agency shall offer to each consumer, whose information, including social
     6  security  number,  was  breached  or is reasonably believed to have been
     7  breached, reasonable identity theft prevention services and, if applica-
     8  ble, identify theft mitigation services for a period not to exceed  five
     9  years at no cost to such consumers. Such agency shall provide all infor-
    10  mation necessary for such consumers to enroll in such services and shall
    11  include information on how such consumers can request a security freeze.
    12  A  consumer  credit reporting agency shall not be required to offer such
    13  services if, after an appropriate investigation, the  agency  reasonably
    14  determines  that the breach of security is unlikely to result in harm to
    15  the consumers whose information has been breached.
    16    (ii) "Breach of the security of the system" as used in this  paragraph
    17  shall have the same definition as in paragraph (c) of subdivision one of
    18  section eight hundred ninety-nine-aa of this chapter.
    19    §  2.    This act shall take effect on the sixtieth day after it shall
    20  have become a law and shall apply to any breach of the security  of  the
    21  system  of a consumer credit reporting agency that occurred no more than
    22  three years prior to the effective date of this act.
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD01262-01-9