Bill Text: NY A09797 | 2019-2020 | General Assembly | Introduced
Bill Title: Provides that a business must provide notification of a data breach within 15 days of such breach; includes the department of financial services in the list of entities that must be notified of a data breach that affects any New York resident.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Introduced - Dead) 2020-02-13 - referred to consumer affairs and protection
STATE OF NEW YORK

9797

IN ASSEMBLY

February 13, 2020

Introduced by M. of A. HYNDMAN -- read once and referred to the Committee on Consumer Affairs and Protection

AN ACT to amend the general business law, in relation to notification of a data breach

The People of the State of New York, represented in Senate and Assembly, do enact as follows:

Section 1. Subdivisions 2 and 3 of section 899-aa of the general business law, as amended by chapter 117 of the laws of 2019, are amended to read as follows:

2. Any person or business which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization. The disclosure shall be made in the most expedient time possible and without unreasonable delay, [consistent with] and shall be made within fifteen days after the breach has been discovered, except for the legitimate needs of law enforcement, as provided in subdivision four of this section[, or any measures necessary to determine the scope of the breach and restore the integrity of the system].

(a) Notice to affected persons under this section is not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials as found in subparagraph (ii) of paragraph (b) of subdivision one of this section. Such a determination must be documented in writing and maintained for at least five years. If the incident affects over five hundred residents of New York, the person or business shall provide the written determination to the state attorney general within ten days after the determination.

(b) If notice of the breach of the security of the system is made to affected persons pursuant to the breach notification requirements under any of the following laws, nothing in this section shall require any additional notice to those affected persons, but notice still shall be provided to the state attorney general, the department of state [and], the division of state police and the department of financial services pursuant to paragraph (a) of subdivision eight of this section and to consumer reporting agencies pursuant to paragraph (b) of subdivision eight of this section:

(i) regulations promulgated pursuant to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 to 6809), as amended from time to time;

(ii) regulations implementing the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. parts 160 and 164), as amended from time to time, and the Health Information Technology for Economic and Clinical Health Act, as amended from time to time;

(iii) part five hundred of title twenty-three of the official compilation of codes, rules and regulations of the state of New York, as amended from time to time; or

(iv) any other data security rules and regulations of, and the statutes administered by, any official department, division, commission or agency of the federal or New York state government as such rules, regulations or statutes are interpreted by such department, division, commission or agency or by the federal or New York state courts.

3. Any person or business which maintains computerized data which includes private information which such person or business does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately and within fifteen days following discovery, if the private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization.

§ 2. Paragraph (a) of subdivision 8 of section 899-aa of the general business law, as amended by chapter 117 of the laws of 2019, is amended to read as follows:

(a) In the event that any New York residents are to be notified, the person or business shall notify the state attorney general, the department of state [and], the division of state police and the department of financial services as to the timing, content and distribution of the notices and approximate number of affected persons and shall provide a copy of the template of the notice sent to affected persons. Such notice shall be made without delaying notice to affected New York residents.

§ 3. This act shall take effect immediately.

EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted.

LBD08659-04-0