STATE OF NEW YORK
        ________________________________________________________________________
                                         1104--A
            Cal. No. 250
                               2017-2018 Regular Sessions
                    IN SENATE
                                     January 6, 2017
                                       ___________
        Introduced  by  Sen. VALESKY -- read twice and ordered printed, and when
          printed to be committed to the Committee  on  Consumer  Protection  --
          reported  favorably  from  said committee, ordered to first and second
          report, ordered to a third reading,  amended  and  ordered  reprinted,
          retaining its place in the order of third reading
        AN  ACT to amend the general business law, in relation to the timeliness
          of disclosure of a breach of the security of a system  which  contains
          private information
          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:
     1    Section 1. Subdivision 2 of section 899-aa  of  the  general  business
     2  law,  as added by chapter 442 of the laws of 2005, is amended to read as
     3  follows:
     4    2. Any person or business which conducts business in New  York  state,
     5  and  which  owns  or  licenses  computerized data which includes private
     6  information shall disclose any breach of  the  security  of  the  system
     7  following discovery or notification of the breach in the security of the
     8  system  to any resident of New York state whose private information was,
     9  or is reasonably believed to have been, acquired  by  a  person  without
    10  valid authorization. The disclosure shall be made [in the most expedient
    11  time  possible  and]  without  unreasonable  delay,  consistent with the
    12  legitimate needs of law enforcement, as provided in subdivision four  of
    13  this  section,  or  any measures necessary to determine the scope of the
    14  breach and restore the reasonable integrity of  the  system.  Reasonable
    15  delay under this subdivision shall not exceed forty-five days, except as
    16  provided  in  subdivision  four  of this section or unless the person or
    17  business seeking additional time demonstrates to  the  attorney  general
    18  that  additional  time is reasonably necessary to determine the scope of
    19  the breach of the security system, prevent further disclosures,  conduct
    20  the risk assessment, and restore the reasonable integrity of the securi-
    21  ty  system.  If the attorney general determines that additional delay is
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD06866-03-7
        S. 1104--A                          2
     1  necessary the agency may extend the time  period  for  notification  for
     2  additional  periods  of  up  to forty-five days each. Any such extension
     3  shall be provided in writing.
     4    §  2.  This  act shall take effect on the ninetieth day after it shall
     5  have become a law.