Bill Text: NY A10486 | 2017-2018 | General Assembly | Amended
Bill Title: Authorizes continuing care retirement communities to adopt a written cybersecurity policy and requires such policies to be self-certified and approved by the superintendent.
Spectrum: Partisan Bill (Democrat 3-0)
Status: (Vetoed) 2018-12-07 - tabled
STATE OF NEW YORK

10486--B

R. R. 122

IN ASSEMBLY

April 30, 2018

Introduced by M. of A. CAHILL, LUPARDO, LIFTON -- read once and referred to the Committee on Insurance -- committee discharged, bill amended, ordered reprinted as amended and recommitted to said committee -- reported and referred to the Committee on Rules -- amended on the special order of third reading, ordered reprinted as amended, retaining its place on the special order of third reading

AN ACT to amend the insurance law, in relation to authorizing continuing care retirement communities to adopt a written cybersecurity policy

The People of the State of New York, represented in Senate and Assembly, do enact as follows:

Section 1. Section 1119 of the insurance law is amended by adding a new subsection (d) to read as follows:

(d) Such organization may adopt a written cybersecurity policy that is designed to protect the confidentiality, integrity and security of nonpublic information and is in compliance with: (i) the Health Information Technology for Economic and Clinical Health Act ("HITECH"), the Health Insurance Portability and Accountability Act ("HIPAA"), the Gramm-Leach-Bliley Act; and (ii) all other applicable cybersecurity and privacy protections governing nursing homes, adult care facilities and assisted living residences to the extent the protections govern those components of such organization's operations. The cybersecurity policy shall be self-certified by such organization and such self-certified cybersecurity policy shall be filed with the superintendent. The self-certification shall attest that the policy provides sufficient protections of nonpublic information in a manner which is not inconsistent with the goals of the cybersecurity policies adopted by financial services companies pursuant to regulations promulgated by the superintendent. Such self-certification shall be deemed compliant with such regulations applicable to financial services companies. The superintendent shall review the accuracy and reasonableness of the attestation. Unless the superintendent objects to the attestation within sixty days from the date it is submitted, such attestation shall be deemed approved.

§ 2. This act shall take effect immediately.

EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted.

LBD15486-10-8