Bill Text: NY S02540 | 2019-2020 | General Assembly | Introduced
Bill Title: Provides that a business must provide notification of a data breach within 15 days of such breach; includes the department of financial services to the list of entities that must be notified of a data breach that affects any New York resident.
Spectrum: Partisan Bill (Democrat 8-0)
Status: (Introduced - Dead) 2020-01-08 - REFERRED TO INTERNET AND TECHNOLOGY [S02540 Detail]
Download: New_York-2019-S02540-Introduced.html
STATE OF NEW YORK ________________________________________________________________________ 2540 2019-2020 Regular Sessions IN SENATE January 28, 2019 ___________ Introduced by Sens. COMRIE, ADDABBO, BAILEY, BROOKS, FELDER, KENNEDY, KRUEGER -- read twice and ordered printed, and when printed to be committed to the Committee on Internet and Technology AN ACT to amend the general business law, in relation to notification of a data breach The People of the State of New York, represented in Senate and Assem- bly, do enact as follows: 1 Section 1. Subdivisions 2 and 3 of section 899-aa of the general busi- 2 ness law, as added by chapter 442 of the laws of 2005, are amended to 3 read as follows: 4 2. Any person or business which conducts business in New York state, 5 and which owns or licenses computerized data which includes private 6 information shall disclose any breach of the security of the system 7 following discovery or notification of the breach in the security of the 8 system to any resident of New York state whose private information was, 9 or is reasonably believed to have been, acquired by a person without 10 valid authorization. The disclosure shall be made in the most expedient 11 time possible and without unreasonable delay, [consistent with] and 12 shall be made within fifteen days after the breach has been discovered, 13 except for the legitimate needs of law enforcement, as provided in 14 subdivision four of this section[, or any measures necessary to deter-15mine the scope of the breach and restore the reasonable integrity of the16system]. 17 3. Any person or business which maintains computerized data which 18 includes private information which such person or business does not own 19 shall notify the owner or licensee of the information of any breach of 20 the security of the system immediately and within fifteen days following 21 discovery, if the private information was, or is reasonably believed to 22 have been, acquired by a person without valid authorization. EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted. LBD08659-01-9S. 2540 2 1 § 2. Paragraph (a) of subdivision 8 of section 899-aa of the general 2 business law, as amended by section 6 of part N of chapter 55 of the 3 laws of 2013, is amended to read as follows: 4 (a) In the event that any New York residents are to be notified, the 5 person or business shall notify the state attorney general, the depart- 6 ment of state [and], the division of state police and the state depart- 7 ment of financial services as to the timing, content and distribution of 8 the notices and approximate number of affected persons. Such notice 9 shall be made without delaying notice to affected New York residents. 10 § 3. This act shall take effect immediately.