Bill Text: NY S04887 | 2015-2016 | General Assembly | Introduced
Bill Title: Relates to the data security act.
Spectrum: Bipartisan Bill
Status: (Introduced - Dead) 2016-01-06 - REFERRED TO CONSUMER PROTECTION
Download: New_York-2015-S04887-Introduced.html
STATE OF NEW YORK

4887

2015-2016 Regular Sessions

IN SENATE

April 22, 2015

Introduced by Sen. VENDITTO -- (at request of the Attorney General) -- read twice and ordered printed, and when printed to be committed to the Committee on Consumer Protection

AN ACT to amend the general business law and the state technology law, in relation to the data security act

THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEMBLY, DO ENACT AS FOLLOWS:

Section 1. This act shall be known and may be cited as the "data security act".

§ 2. The opening paragraph and paragraph (b) of subdivision 1 of section 899-aa of the general business law, as added by chapter 442 of the laws of 2005, are amended to read as follows:

As used in this section, AND SECTION EIGHT HUNDRED NINETY-NINE-BB OF THIS ARTICLE, the following terms shall have the following meanings:

(b) "Private information" shall mean EITHER: (I) personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired:
(1) social security number;
(2) driver's license number or non-driver identification card number; [or]
(3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; OR
(4) BIOMETRIC INFORMATION, MEANING DATA GENERATED BY AUTOMATIC MEASUREMENTS OF AN INDIVIDUAL'S PHYSICAL CHARACTERISTICS, WHICH ARE USED BY THE OWNER OR LICENSEE TO AUTHENTICATE THE INDIVIDUAL'S IDENTITY;
(II) A USER NAME OR EMAIL ADDRESS IN COMBINATION WITH A PASSWORD OR SECURITY QUESTION AND ANSWER THAT WOULD PERMIT ACCESS TO AN ONLINE ACCOUNT; OR
(III) ANY UNSECURED PROTECTED HEALTH INFORMATION AS DEFINED IN THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (45 C.F.R. PTS. 160, 162, 164), AS AMENDED FROM TIME TO TIME.

"Private information" does not include publicly available information which is lawfully made available to the general public from federal, state, or local government records.

§ 3. Subdivisions 4 and 5 of section 899-aa of the general business law, as added by chapter 442 of the laws of 2005, are amended to read as follows:

4. (A) The notification required by this section may be delayed if a law enforcement agency determines that such notification impedes a criminal investigation. The notification required by this section shall be made after such law enforcement agency determines that such notification does not compromise such investigation.

(B) THE PRODUCTION OF FORENSIC REPORTS TO LOCAL AND STATE LAW ENFORCEMENT AGENCIES FOR THE PURPOSES OF INVESTIGATING AND IDENTIFYING THOSE RESPONSIBLE FOR A BREACH OF THE SECURITY OF THE SYSTEM SHALL NOT CONSTITUTE A WAIVER OF ANY APPLICABLE PRIVILEGE OR PROTECTION PROVIDED BY LAW, INCLUDING TRADE SECRET PROTECTION, AND FORENSIC REPORTS SO PRODUCED SHALL NOT BE SUBJECT TO DISCLOSURE UNDER ARTICLE SIX OF THE PUBLIC OFFICERS LAW.

5. The notice required by this section shall be directly provided to the affected persons by one of the following methods:
(a) written notice;
(b) electronic notice, provided that the person to whom notice is required has expressly consented to receiving said notice in electronic form and a log of each such notification is kept by the person or business who notifies affected persons in such form; provided further, however, that in no case shall any person or business require a person to consent to accepting said notice in said form as a condition of establishing any business relationship or engaging in any transaction[.];
(c) telephone notification provided that a log of each such notification is kept by the person or business who notifies affected persons; or
(d) Substitute notice, if a business demonstrates to the state attorney general that the cost of providing notice would exceed two hundred fifty thousand dollars, or that the affected class of subject persons to be notified exceeds five hundred thousand, or such business does not have sufficient contact information. Substitute notice shall consist of all of the following:
(1) e-mail notice when such business has an e-mail address for the subject persons;
(2) conspicuous posting of the notice on such business's web site page, if such business maintains one; and
(3) notification to major statewide media.
(E) IN THE CASE OF A BREACH OF THE SECURITY OF THE SYSTEM INVOLVING A USER NAME, AND PASSWORD OR SECURITY QUESTION AND ANSWER WHICH WOULD PERMIT ACCESS TO AN ONLINE ACCOUNT, AS PROVIDED IN SUBPARAGRAPH (II) OF PARAGRAPH (B) OF SUBDIVISION ONE OF THIS SECTION, AND NO OTHER PRIVATE INFORMATION DEFINED IN SUCH PARAGRAPH (B), THE PERSON OR BUSINESS MAY COMPLY WITH THIS SECTION BY PROVIDING NOTIFICATION IN ELECTRONIC OR OTHER FORM THAT DIRECTS THE PERSON WHOSE PRIVATE INFORMATION HAS BEEN BREACHED PROMPTLY TO CHANGE HIS OR HER PASSWORD AND SECURITY QUESTION OR ANSWER, AS APPLICABLE, OR TO TAKE OTHER STEPS APPROPRIATE TO PROTECT THE ONLINE ACCOUNT WITH THE PERSON OR BUSINESS AND ALL OTHER ONLINE ACCOUNTS FOR WHICH THE PERSON WHOSE PRIVATE INFORMATION HAS BEEN BREACHED USES THE SAME INFORMATION.
(F) IN THE CASE OF A BREACH OF THE SECURITY OF THE SYSTEM INVOLVING THE LOGIN CREDENTIALS OF AN EMAIL ACCOUNT FURNISHED BY THE PERSON OR BUSINESS AS PROVIDED IN SUBPARAGRAPH (II) OF PARAGRAPH (B) OF SUBDIVISION ONE OF THIS SECTION, THE PERSON OR BUSINESS SHALL NOT COMPLY WITH THIS SECTION BY PROVIDING THE SECURITY BREACH NOTIFICATION TO THAT EMAIL ADDRESS, BUT SHALL, INSTEAD, COMPLY WITH THIS SECTION BY PROVIDING NOTICE BY ANOTHER METHOD DESCRIBED IN THIS SUBDIVISION OR BY CLEAR AND CONSPICUOUS NOTICE DELIVERED TO THE RESIDENT ONLINE WHEN THE RESIDENT IS CONNECTED TO THE ONLINE ACCOUNT FROM AN INTERNET PROTOCOL ADDRESS OR ONLINE LOCATION FROM WHICH THE PERSON OR BUSINESS KNOWS THE RESIDENT CUSTOMARILY ACCESSES THE ACCOUNT.

§ 4. Paragraph (a) of subdivision 6 of section 899-aa of the general business law, as amended by chapter 491 of the laws of 2005, is amended to read as follows:

(a) whenever the attorney general shall believe from evidence satisfactory to him OR HER that there is a violation of this [article] SECTION he OR SHE may bring an action in the name and on behalf of the people of the state of New York, in a court of justice having jurisdiction to issue an injunction, to enjoin and restrain the continuation of such violation. In such action, preliminary relief may be granted under article sixty-three of the civil practice law and rules. In such action the court may award damages for actual costs or losses incurred by a person entitled to notice pursuant to this [article] SECTION, if notification was not provided to such person pursuant to this [article] SECTION, including consequential financial losses. Whenever the court shall determine in such action that a person or business violated this [article] SECTION knowingly or recklessly, the court may impose a civil penalty of the greater of five thousand dollars or up to ten dollars per instance of failed notification, provided that the latter amount shall not exceed one [hundred fifty thousand] MILLION dollars.

§ 5. Paragraph (a) of subdivision 1 of section 208 of the state technology law, as added by chapter 442 of the laws of 2005, is amended to read as follows:

(a) "Private information" shall mean EITHER: (I) personal information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted or encrypted with an encryption key that has also been acquired:
(1) social security number;
(2) driver's license number or non-driver identification card number; or
(3) account number, credit or debit card number, in combination with any required security code, access code, or password which would permit access to an individual's financial account;
(II) A USER NAME OR EMAIL ADDRESS IN COMBINATION WITH A PASSWORD OR SECURITY QUESTION AND ANSWER THAT WOULD PERMIT ACCESS TO AN ONLINE ACCOUNT; OR
(III) ANY UNSECURED PROTECTED HEALTH INFORMATION AS DEFINED IN THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (45 C.F.R. PTS. 160, 162, 164), AS AMENDED FROM TIME TO TIME.

"Private information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

§ 6. The general business law is amended by adding a new section 899-bb to read as follows:

§ 899-BB. DATA SECURITY REQUIREMENTS. 1. REASONABLE SAFEGUARDS. (A) ANY PERSON OR BUSINESS THAT CONDUCTS BUSINESS IN NEW YORK STATE, AND OWNS OR LICENSES COMPUTERIZED DATA WHICH INCLUDES PRIVATE INFORMATION OF A RESIDENT OF NEW YORK SHALL DEVELOP, IMPLEMENT AND MAINTAIN REASONABLE SAFEGUARDS TO PROTECT THE SECURITY, CONFIDENTIALITY AND INTEGRITY OF THE PRIVATE INFORMATION, INCLUDING DISPOSAL OF DATA.

(B) THE FOLLOWING SHALL BE DEEMED TO BE IN COMPLIANCE WITH PARAGRAPH (A) OF THIS SUBDIVISION:
(I) A PERSON OR BUSINESS THAT COMPLIES WITH A STATE OR FEDERAL LAW PROVIDING GREATER PROTECTION TO PRIVATE INFORMATION THAN THAT PROVIDED BY THIS SECTION;
(II) A PERSON OR BUSINESS THAT IS SUBJECT TO AND COMPLIES WITH REGULATIONS PROMULGATED PURSUANT TO TITLE V OF THE GRAMM-LEACH-BLILEY ACT OF 1999 (15 U.S.C. 6801 TO 6809);
(III) A PERSON OR BUSINESS THAT COMPLIES WITH CURRENT INTERNATIONAL STANDARDS ORGANIZATION STANDARDS FOR INFORMATION SECURITY;
(IV) A PERSON OR BUSINESS THAT IS SUBJECT TO AND COMPLIES WITH REGULATIONS IMPLEMENTING THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (45 C.F.R. PARTS 160 AND 164) AND THE HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT, AS AMENDED FROM TIME TO TIME;
(V) A PERSON OR BUSINESS THAT COMPLIES WITH CURRENT NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY STANDARDS AS REFERENCED IN SUBDIVISION THREE OF THIS SECTION; OR
(VI) A PERSON OR BUSINESS THAT IMPLEMENTS AN INFORMATION SECURITY PROGRAM THAT INCLUDES THE FOLLOWING:
(A) ADMINISTRATIVE SAFEGUARDS SUCH AS THE FOLLOWING, IN WHICH THE PERSON OR BUSINESS:
(I) DESIGNATES ONE OR MORE EMPLOYEES TO COORDINATE THE SECURITY PROGRAM;
(II) IDENTIFIES REASONABLY FORESEEABLE INTERNAL AND EXTERNAL RISKS;
(III) ASSESSES THE SUFFICIENCY OF SAFEGUARDS IN PLACE TO CONTROL THE IDENTIFIED RISKS;
(IV) TRAINS AND MANAGES EMPLOYEES IN THE SECURITY PROGRAM PRACTICES AND PROCEDURES;
(V) SELECTS SERVICE PROVIDERS CAPABLE OF MAINTAINING APPROPRIATE SAFEGUARDS, AND REQUIRES THOSE SAFEGUARDS BY CONTRACT;
(VI) ADJUSTS THE SECURITY PROGRAM IN LIGHT OF BUSINESS CHANGES OR NEW CIRCUMSTANCES; AND
(B) TECHNICAL SAFEGUARDS SUCH AS THE FOLLOWING, IN WHICH THE PERSON OR BUSINESS:
(I) ASSESSES RISKS IN NETWORK AND SOFTWARE DESIGN;
(II) ASSESSES RISKS IN INFORMATION PROCESSING, TRANSMISSION AND STORAGE;
(III) DETECTS, PREVENTS AND RESPONDS TO ATTACKS OR SYSTEM FAILURES;
(IV) REGULARLY TESTS AND MONITORS THE EFFECTIVENESS OF KEY CONTROLS, SYSTEMS AND PROCEDURES; AND
(C) PHYSICAL SAFEGUARDS SUCH AS THE FOLLOWING, IN WHICH THE PERSON OR BUSINESS:
(I) ASSESSES RISKS OF INFORMATION STORAGE AND DISPOSAL;
(II) DETECTS, PREVENTS AND RESPONDS TO INTRUSIONS;
(III) PROTECTS AGAINST UNAUTHORIZED ACCESS TO OR USE OF PRIVATE INFORMATION DURING OR AFTER THE COLLECTION, TRANSPORTATION AND DESTRUCTION OR DISPOSAL OF THE INFORMATION; AND
(IV) DISPOSES OF PRIVATE INFORMATION AFTER IT IS NO LONGER NEEDED FOR BUSINESS PURPOSES BY ERASING ELECTRONIC MEDIA SO THAT THE INFORMATION CANNOT BE READ OR RECONSTRUCTED.

2. REBUTTABLE PRESUMPTION. A PERSON OR BUSINESS THAT OBTAINS AN INDEPENDENT, THIRD-PARTY AUDIT AND CERTIFICATION ANNUALLY UNDER THE DATA SECURITY STANDARD LISTED IN PARAGRAPH (B) OF SUBDIVISION ONE OF THIS SECTION SHALL RECEIVE A REBUTTABLE PRESUMPTION THAT IT MAINTAINED REASONABLE SAFEGUARDS TO PROTECT THE SECURITY, CONFIDENTIALITY AND INTEGRITY OF THE PRIVATE INFORMATION.

3. CERTIFICATION AUTHORITY AND REGULATION. THE DEPARTMENT OF FINANCIAL SERVICES SHALL PROMULGATE REGULATIONS REGARDING INDEPENDENT, THIRD-PARTY LICENSED INSURERS RESPONSIBLE FOR CERTIFYING ENTITIES THAT MEET THE REASONABLE DATA SECURITY REQUIREMENTS SET FORTH IN SUBPARAGRAPH (VI) OF PARAGRAPH (B) OF SUBDIVISION ONE OF THIS SECTION.

4. SAFE HARBOR. ANY PERSON OR BUSINESS THAT COMPLIES WITH THE MOST UP TO DATE VERSION OF THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY SPECIAL PUBLICATION 800-53 SHALL BE IMMUNE FROM LIABILITY IN A CIVIL ACTION, INCLUDING BUT NOT LIMITED TO AN ACTION BROUGHT BY THE ATTORNEY GENERAL, RESULTING FROM UNAUTHORIZED ACCESS TO PRIVATE INFORMATION BY A THIRD-PARTY ABSENT EVIDENCE OF WILLFUL MISCONDUCT, BAD FAITH OR GROSS NEGLIGENCE. COMPLIANCE MUST BE CERTIFIED ANNUALLY BY AN INDEPENDENT, THIRD-PARTY LICENSED INSURER, AUTHORIZED BY THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY.

5. ENFORCEMENT. (A) WHENEVER THE ATTORNEY GENERAL SHALL BELIEVE FROM EVIDENCE SATISFACTORY TO HIM OR HER THAT THERE IS A VIOLATION OF THIS SECTION HE OR SHE MAY BRING AN ACTION IN THE NAME AND ON BEHALF OF THE PEOPLE OF THE STATE OF NEW YORK, IN A COURT OF JUSTICE HAVING JURISDICTION TO ISSUE AN INJUNCTION, TO ENJOIN AND RESTRAIN THE CONTINUATION OF SUCH VIOLATION. IN SUCH ACTION, PRELIMINARY RELIEF MAY BE GRANTED UNDER ARTICLE SIXTY-THREE OF THE CIVIL PRACTICE LAW AND RULES. IN SUCH ACTION, THE COURT MAY AWARD DAMAGES FOR ACTUAL COSTS OR LOSSES INCURRED BY A PERSON AS A RESULT OF THE FAILURE BY A PERSON OR BUSINESS TO COMPLY WITH THE DATA SECURITY REQUIREMENTS SET FORTH IN THIS SECTION, INCLUDING CONSEQUENTIAL FINANCIAL LOSSES, AS WELL AS A CIVIL PENALTY OF UP TO TWO HUNDRED FIFTY DOLLARS, WHICH PENALTY MAY BE INCREASED BY A FACTOR LESS THAN OR EQUAL TO THE NUMBER OF PERSONS WHOSE PRIVATE INFORMATION WAS COMPROMISED; PROVIDED HOWEVER, THAT THE AGGREGATE AMOUNT OF ANY CIVIL PENALTIES SO IMPOSED SHALL NOT EXCEED TEN MILLION DOLLARS. WHENEVER THE COURT SHALL DETERMINE THAT A PERSON OR BUSINESS VIOLATED THIS SECTION KNOWINGLY OR RECKLESSLY, THE COURT MAY, IN LIEU OF IMPOSING A CIVIL PENALTY AS SET FORTH ABOVE, INSTEAD IMPOSE A CIVIL PENALTY OF UP TO ONE THOUSAND DOLLARS, WHICH PENALTY MAY BE INCREASED BY A FACTOR LESS THAN OR EQUAL TO THE NUMBER OF PERSONS WHOSE PRIVATE INFORMATION WAS COMPROMISED; PROVIDED HOWEVER, THAT THE AGGREGATE AMOUNT OF ANY CIVIL PENALTIES SO IMPOSED SHALL NOT EXCEED THE GREATER OF FIFTY MILLION DOLLARS OR THREE TIMES THE AGGREGATE AMOUNT OF ANY ACTUAL COSTS AND LOSSES AS DETERMINED BY THE COURT. A COURT MAY AWARD A CIVIL PENALTY PURSUANT TO THIS PARAGRAPH WITHOUT A SHOWING OF FINANCIAL LOSS.

(B) THE REMEDIES PROVIDED BY THIS SECTION SHALL BE IN ADDITION TO ANY OTHER LAWFUL REMEDY AVAILABLE.

(C) NO ACTION MAY BE BROUGHT UNDER THE PROVISIONS OF THIS SECTION UNLESS SUCH ACTION IS COMMENCED WITHIN THREE YEARS IMMEDIATELY AFTER THE DATE OF THE ACT OR OMISSION COMPLAINED OF OR THE DATE OF DISCOVERY OF SUCH ACT OR OMISSION.

§ 7. Section 208 of the state technology law is amended by adding a new subdivision 9 to read as follows:

9. DATA SECURITY REQUIREMENTS. (A) ANY STATE ENTITY THAT OWNS, MAINTAINS, OR OTHERWISE POSSESSES PRIVATE INFORMATION SHALL DEVELOP, IMPLEMENT AND MAINTAIN REASONABLE SAFEGUARDS TO PROTECT THE SECURITY, CONFIDENTIALITY AND INTEGRITY OF THE PRIVATE INFORMATION, INCLUDING DISPOSAL OF DATA.

(B) THE FOLLOWING SHALL BE DEEMED TO BE IN COMPLIANCE WITH PARAGRAPH (A) OF THIS SUBDIVISION:
(I) A STATE ENTITY THAT COMPLIES WITH A STATE OR FEDERAL LAW PROVIDING GREATER PROTECTION TO PRIVATE INFORMATION THAN THAT PROVIDED BY THIS SECTION;
(II) A STATE ENTITY THAT IS SUBJECT TO AND COMPLIES WITH REGULATIONS PROMULGATED PURSUANT TO TITLE V OF THE GRAMM-LEACH-BLILEY ACT OF 1999 (15 U.S.C. 6801 TO 6809);
(III) A STATE ENTITY THAT COMPLIES WITH THE MOST CURRENT INTERNATIONAL STANDARDS ORGANIZATION STANDARDS FOR INFORMATION SECURITY;
(IV) A STATE ENTITY THAT IS SUBJECT TO AND COMPLIES WITH REGULATIONS IMPLEMENTING THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (45 C.F.R. PARTS 160 AND 164) AND THE HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT, AS AMENDED FROM TIME TO TIME;
(V) A STATE ENTITY THAT COMPLIES WITH CURRENT NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY STANDARDS; OR
(VI) A STATE ENTITY THAT IMPLEMENTS AN INFORMATION SECURITY PROGRAM THAT INCLUDES THE FOLLOWING:
(A) ADMINISTRATIVE SAFEGUARDS SUCH AS THE FOLLOWING, IN WHICH THE STATE ENTITY:
(I) DESIGNATES ONE OR MORE EMPLOYEES TO COORDINATE THE SECURITY PROGRAM;
(II) IDENTIFIES REASONABLY FORESEEABLE INTERNAL AND EXTERNAL RISKS;
(III) ASSESSES THE SUFFICIENCY OF SAFEGUARDS IN PLACE TO CONTROL THE IDENTIFIED RISKS;
(IV) TRAINS AND MANAGES EMPLOYEES IN THE SECURITY PROGRAM PRACTICES AND PROCEDURES;
(V) SELECTS SERVICE PROVIDERS CAPABLE OF MAINTAINING APPROPRIATE SAFEGUARDS, AND REQUIRES THOSE SAFEGUARDS BY CONTRACT; AND
(VI) ADJUSTS THE SECURITY PROGRAM IN LIGHT OF BUSINESS CHANGES OR NEW CIRCUMSTANCES;
(B) TECHNICAL SAFEGUARDS SUCH AS THE FOLLOWING, IN WHICH THE STATE ENTITY:
(I) ASSESSES RISKS IN NETWORK AND SOFTWARE DESIGN;
(II) ASSESSES RISKS IN INFORMATION PROCESSING, TRANSMISSION AND STORAGE;
(III) DETECTS, PREVENTS AND RESPONDS TO ATTACKS OR SYSTEM FAILURES; AND
(IV) REGULARLY TESTS AND MONITORS THE EFFECTIVENESS OF KEY CONTROLS, SYSTEMS AND PROCEDURES; AND
(C) PHYSICAL SAFEGUARDS SUCH AS THE FOLLOWING, IN WHICH THE STATE ENTITY:
(I) ASSESSES RISKS OF INFORMATION STORAGE AND DISPOSAL;
(II) DETECTS, PREVENTS AND RESPONDS TO INTRUSIONS;
(III) PROTECTS AGAINST UNAUTHORIZED ACCESS TO OR USE OF PRIVATE INFORMATION DURING OR AFTER THE COLLECTION, TRANSPORTATION AND DESTRUCTION OR DISPOSAL OF THE INFORMATION; AND
(IV) DISPOSES OF PRIVATE INFORMATION AFTER IT IS NO LONGER NEEDED FOR BUSINESS PURPOSES OR AS REQUIRED BY LOCAL, STATE OR FEDERAL LAW BY ERASING ELECTRONIC MEDIA SO THAT THE INFORMATION CANNOT BE READ OR RECONSTRUCTED.

§ 8. This act shall take effect January 1, 2016.

EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets [ ] is old law to be omitted.
LBD08145-09-5