Bill Text: NY A09797 | 2019-2020 | General Assembly | Introduced


Bill Title: Provides that a business must provide notification of a data breach within 15 days of such breach; includes the department of financial services in the list of entities that must be notified of a data breach that affects any New York resident.

Spectrum: Partisan Bill (Democrat 1-0)

Status: (Introduced - Dead) 2020-02-13 - referred to consumer affairs and protection



                STATE OF NEW YORK
        ________________________________________________________________________

                                          9797

                   IN ASSEMBLY

                                    February 13, 2020
                                       ___________

        Introduced  by M. of A. HYNDMAN -- read once and referred to the Commit-
          tee on Consumer Affairs and Protection

        AN ACT to amend the general business law, in relation to notification of
          a data breach

          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:

     1    Section 1. Subdivisions 2 and 3 of section 899-aa of the general busi-
     2  ness  law, as amended by chapter 117 of the laws of 2019, are amended to
     3  read as follows:
     4    2. Any person or business which owns  or  licenses  computerized  data
     5  which  includes  private  information  shall  disclose any breach of the
     6  security of the system following discovery or notification of the breach
     7  in the security of the system to any resident of New  York  state  whose
     8  private  information  was,  or  is  reasonably  believed  to  have been,
     9  accessed or acquired  by  a  person  without  valid  authorization.  The
    10  disclosure shall be made in the most expedient time possible and without
    11  unreasonable  delay,  [consistent with] and shall be made within fifteen
    12  days after the breach has been discovered,  except  for  the  legitimate
    13  needs  of  law  enforcement,  as  provided  in  subdivision four of this
    14  section[, or any measures necessary to determine the scope of the breach
    15  and restore the integrity of the system].
    16    (a) Notice to affected persons under this section is not  required  if
    17  the  exposure  of  private  information was an inadvertent disclosure by
    18  persons authorized to access private  information,  and  the  person  or
    19  business  reasonably  determines such exposure will not likely result in
    20  misuse of such information, or financial harm to the affected persons or
    21  emotional harm in the case of unknown disclosure of  online  credentials
    22  as  found  in  subparagraph  (ii) of paragraph (b) of subdivision one of
    23  this section.  Such a determination must be documented  in  writing  and
    24  maintained  for  at  least five years. If the incident affects over five
    25  hundred residents of New York, the person or business shall provide  the
    26  written  determination  to  the  state  attorney general within ten days
    27  after the determination.

         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD08659-04-0

     1    (b) If notice of the breach of the security of the system is  made  to
     2  affected  persons pursuant to the breach notification requirements under
     3  any of the following laws, nothing in this  section  shall  require  any
     4  additional  notice  to those affected persons, but notice still shall be
     5  provided  to  the state attorney general, the department of state [and],
     6  the division of state police and the department  of  financial  services
     7  pursuant  to  paragraph  (a) of subdivision eight of this section and to
     8  consumer reporting agencies pursuant to  paragraph  (b)  of  subdivision
     9  eight of this section:
    10    (i)  regulations promulgated pursuant to Title V of the federal Gramm-
    11  Leach-Bliley Act (15 U.S.C. 6801 to 6809), as amended from time to time;
    12    (ii) regulations implementing the  Health  Insurance  Portability  and
    13  Accountability  Act  of  1996  (45 C.F.R. parts 160 and 164), as amended
    14  from time to time, and the Health Information  Technology  for  Economic
    15  and Clinical Health Act, as amended from time to time;
    16    (iii) part five hundred of title twenty-three of the official compila-
    17  tion  of  codes,  rules  and  regulations  of  the state of New York, as
    18  amended from time to time; or
    19    (iv) any other data security rules and regulations of, and  the  stat-
    20  utes  administered  by, any official department, division, commission or
    21  agency of the federal or New York state government as such rules,  regu-
    22  lations  or  statutes  are  interpreted  by  such  department, division,
    23  commission or agency or by the federal or New York state courts.
    24    3. Any person or business  which  maintains  computerized  data  which
    25  includes  private information which such person or business does not own
    26  shall notify the owner or licensee of the information of any  breach  of
    27  the security of the system immediately and within fifteen days following
    28  discovery,  if the private information was, or is reasonably believed to
    29  have been, accessed or acquired by a person without valid authorization.
    30    § 2. Paragraph (a) of subdivision 8 of section 899-aa of  the  general
    31  business  law, as amended by chapter 117 of the laws of 2019, is amended
    32  to read as follows:
    33    (a) In the event that any New York residents are to be  notified,  the
    34  person  or business shall notify the state attorney general, the depart-
    35  ment of state [and], the division of state police and the department  of
    36  financial  services  as  to  the timing, content and distribution of the
    37  notices and approximate number of affected persons and shall  provide  a
    38  copy of the template of the notice sent to affected persons. Such notice
    39  shall be made without delaying notice to affected New York residents.
    40    § 3. This act shall take effect immediately.