Bill Text: NY S04887 | 2015-2016 | General Assembly | Introduced


Bill Title: Relates to the data security act.

Spectrum: Bipartisan Bill

Status: (Introduced - Dead) 2016-01-06 - REFERRED TO CONSUMER PROTECTION [S04887 Detail]

Download: New_York-2015-S04887-Introduced.html
                           S T A T E   O F   N E W   Y O R K
       ________________________________________________________________________
                                         4887
                              2015-2016 Regular Sessions
                                   I N  S E N A T E
                                    April 22, 2015
                                      ___________
       Introduced  by  Sen. VENDITTO -- (at request of the Attorney General) --
         read twice and ordered printed, and when printed to  be  committed  to
         the Committee on Consumer Protection
       AN  ACT  to amend the general business law and the state technology law,
         in relation to the data security act
         THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
       BLY, DO ENACT AS FOLLOWS:
    1    Section 1. This act shall be known and may be cited as the "data secu-
    2  rity act".
    3    S  2.  The  opening  paragraph  and  paragraph (b) of subdivision 1 of
    4  section 899-aa of the general business law, as added by chapter  442  of
    5  the laws of 2005, are amended to read as follows:
    6    As  used  in this section, AND SECTION EIGHT HUNDRED NINETY-NINE-BB OF
    7  THIS ARTICLE, the following terms shall have the following meanings:
    8    (b) "Private information" shall mean EITHER: (I) personal  information
    9  consisting of any information in combination with any one or more of the
   10  following  data  elements,  when  either the personal information or the
   11  data element is not encrypted, or encrypted with an encryption key  that
   12  has also been acquired:
   13    (1) social security number;
   14    (2)  driver's license number or non-driver identification card number;
   15  [or]
   16    (3) account number, credit or debit card number, in  combination  with
   17  any  required  security code, access code, or password that would permit
   18  access to an individual's financial account; OR
   19    (4) BIOMETRIC INFORMATION, MEANING DATA GENERATED BY  AUTOMATIC  MEAS-
   20  UREMENTS  OF AN INDIVIDUAL'S PHYSICAL CHARACTERISTICS, WHICH ARE USED BY
   21  THE OWNER OR LICENSEE TO AUTHENTICATE THE INDIVIDUAL'S IDENTITY;
   22    (II) A USER NAME OR EMAIL ADDRESS IN COMBINATION WITH  A  PASSWORD  OR
   23  SECURITY  QUESTION  AND  ANSWER  THAT  WOULD  PERMIT ACCESS TO AN ONLINE
   24  ACCOUNT; OR
   25    (III) ANY UNSECURED PROTECTED HEALTH INFORMATION  AS  DEFINED  IN  THE
   26  HEALTH  INSURANCE  PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (45 C.F.R.
   27  PTS. 160, 162, 164), AS AMENDED FROM TIME TO TIME.
        EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                             [ ] is old law to be omitted.
                                                                  LBD08145-09-5
       S. 4887                             2
    1    "Private information" does not include publicly available  information
    2  which  is  lawfully  made  available to the general public from federal,
    3  state, or local government records.
    4    S  3.  Subdivisions  4 and 5 of section 899-aa of the general business
    5  law, as added by chapter 442 of the laws of 2005, are amended to read as
    6  follows:
    7    4. (A) The notification required by this section may be delayed  if  a
    8  law enforcement agency determines that such notification impedes a crim-
    9  inal  investigation.  The notification required by this section shall be
   10  made after such law enforcement agency determines that such notification
   11  does not compromise such investigation.
   12    (B) THE PRODUCTION OF FORENSIC REPORTS TO LOCAL AND STATE LAW ENFORCE-
   13  MENT AGENCIES FOR THE PURPOSES OF INVESTIGATING  AND  IDENTIFYING  THOSE
   14  RESPONSIBLE FOR A BREACH OF THE SECURITY OF THE SYSTEM SHALL NOT CONSTI-
   15  TUTE A WAIVER OF ANY APPLICABLE PRIVILEGE OR PROTECTION PROVIDED BY LAW,
   16  INCLUDING  TRADE  SECRET  PROTECTION,  AND  FORENSIC REPORTS SO PRODUCED
   17  SHALL NOT BE SUBJECT TO DISCLOSURE UNDER ARTICLE SIX OF THE PUBLIC OFFI-
   18  CERS LAW.
   19    5. The notice required by this section shall be directly  provided  to
   20  the affected persons by one of the following methods:
   21    (a) written notice;
   22    (b)  electronic  notice,  provided  that  the person to whom notice is
   23  required has expressly consented to receiving said notice in  electronic
   24  form  and a log of each such notification is kept by the person or busi-
   25  ness who notifies affected  persons  in  such  form;  provided  further,
   26  however,  that  in no case shall any person or business require a person
   27  to consent to accepting said notice in  said  form  as  a  condition  of
   28  establishing    any   business   relationship   or   engaging   in   any
   29  transaction[.];
   30    (c) telephone notification provided that a log of each such  notifica-
   31  tion is kept by the person or business who notifies affected persons; or
   32    (d)  Substitute notice, if a business demonstrates to the state attor-
   33  ney general that the cost of providing notice would exceed  two  hundred
   34  fifty thousand dollars, or that the affected class of subject persons to
   35  be  notified  exceeds  five  hundred thousand, or such business does not
   36  have sufficient contact information. Substitute notice shall consist  of
   37  all of the following:
   38    (1)  e-mail  notice  when  such business has an e-mail address for the
   39  subject persons;
   40    (2) conspicuous posting of the notice  on  such  business's  web  site
   41  page, if such business maintains one; and
   42    (3) notification to major statewide media.
   43    (E)  IN THE CASE OF A BREACH OF THE SECURITY OF THE SYSTEM INVOLVING A
   44  USER NAME, AND PASSWORD OR SECURITY  QUESTION  AND  ANSWER  WHICH  WOULD
   45  PERMIT  ACCESS TO AN ONLINE ACCOUNT, AS PROVIDED IN SUBPARAGRAPH (II) OF
   46  PARAGRAPH (B) OF SUBDIVISION ONE OF THIS SECTION, AND NO  OTHER  PRIVATE
   47  INFORMATION  DEFINED  IN  SUCH PARAGRAPH (B), THE PERSON OR BUSINESS MAY
   48  COMPLY WITH THIS SECTION BY  PROVIDING  NOTIFICATION  IN  ELECTRONIC  OR
   49  OTHER  FORM  THAT  DIRECTS THE PERSON WHOSE PRIVATE INFORMATION HAS BEEN
   50  BREACHED PROMPTLY TO CHANGE HIS OR HER PASSWORD AND SECURITY QUESTION OR
   51  ANSWER, AS APPLICABLE, OR TO TAKE OTHER STEPS APPROPRIATE TO PROTECT THE
   52  ONLINE ACCOUNT WITH THE PERSON OR BUSINESS AND ALL OTHER ONLINE ACCOUNTS
   53  FOR WHICH THE PERSON WHOSE PRIVATE INFORMATION HAS  BEEN  BREACHED  USES
   54  THE SAME INFORMATION.
   55    (F)  IN  THE  CASE OF A BREACH OF THE SECURITY OF THE SYSTEM INVOLVING
   56  THE LOGIN CREDENTIALS OF AN EMAIL ACCOUNT FURNISHED  BY  THE  PERSON  OR
       S. 4887                             3
    1  BUSINESS  AS  PROVIDED IN SUBPARAGRAPH (II) OF PARAGRAPH (B) OF SUBDIVI-
    2  SION ONE OF THIS SECTION, THE PERSON OR BUSINESS SHALL NOT  COMPLY  WITH
    3  THIS SECTION BY PROVIDING THE SECURITY BREACH NOTIFICATION TO THAT EMAIL
    4  ADDRESS,  BUT  SHALL,  INSTEAD,  COMPLY  WITH  THIS SECTION BY PROVIDING
    5  NOTICE BY ANOTHER METHOD DESCRIBED IN THIS SUBDIVISION OR BY  CLEAR  AND
    6  CONSPICUOUS NOTICE DELIVERED TO THE RESIDENT ONLINE WHEN THE RESIDENT IS
    7  CONNECTED  TO  THE  ONLINE  ACCOUNT FROM AN INTERNET PROTOCOL ADDRESS OR
    8  ONLINE LOCATION FROM WHICH THE PERSON OR  BUSINESS  KNOWS  THE  RESIDENT
    9  CUSTOMARILY ACCESSES THE ACCOUNT.
   10    S  4.  Paragraph (a) of subdivision 6 of section 899-aa of the general
   11  business law, as amended by chapter 491 of the laws of 2005, is  amended
   12  to read as follows:
   13    (a)  whenever  the attorney general shall believe from evidence satis-
   14  factory to him OR HER that  there  is  a  violation  of  this  [article]
   15  SECTION  he  OR SHE may bring an action in the name and on behalf of the
   16  people of the state of New York, in a court of justice having  jurisdic-
   17  tion  to issue an injunction, to enjoin and restrain the continuation of
   18  such violation.  In such action, preliminary relief may be granted under
   19  article sixty-three of the civil practice law and rules. In such  action
   20  the  court  may  award  damages for actual costs or losses incurred by a
   21  person entitled to notice pursuant to this [article] SECTION, if notifi-
   22  cation was not provided  to  such  person  pursuant  to  this  [article]
   23  SECTION,  including  consequential  financial losses. Whenever the court
   24  shall determine in such action that a person or business  violated  this
   25  [article]  SECTION knowingly or recklessly, the court may impose a civil
   26  penalty of the greater of five thousand dollars or up to ten dollars per
   27  instance of failed notification, provided that the latter  amount  shall
   28  not exceed one [hundred fifty thousand] MILLION dollars.
   29    S  5. Paragraph (a) of subdivision 1 of section 208 of the state tech-
   30  nology law, as added by chapter 442 of the laws of 2005, is  amended  to
   31  read as follows:
   32    (a)  "Private information" shall mean EITHER: (I) personal information
   33  in combination with any one or more of the following data elements, when
   34  either the personal information or the data element is not encrypted  or
   35  encrypted with an encryption key that has also been acquired:
   36    (1) social security number;
   37    (2)  driver's license number or non-driver identification card number;
   38  or
   39    (3) account number, credit or debit card number, in  combination  with
   40  any  required security code, access code, or password which would permit
   41  access to an individual's financial account;
   42    (II) A USER NAME OR EMAIL ADDRESS IN COMBINATION WITH  A  PASSWORD  OR
   43  SECURITY  QUESTION  AND  ANSWER  THAT  WOULD  PERMIT ACCESS TO AN ONLINE
   44  ACCOUNT; OR
   45    (III) ANY UNSECURED PROTECTED HEALTH INFORMATION  AS  DEFINED  IN  THE
   46  HEALTH  INSURANCE  PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (45 C.F.R.
   47  PTS. 160, 162, 164), AS AMENDED FROM TIME TO TIME.
   48    "Private information" does not include publicly available  information
   49  that  is  lawfully  made  available  to the general public from federal,
   50  state, or local government records.
   51    S 6. The general business law is amended by adding a new section  899-
   52  bb to read as follows:
   53    S  899-BB.  DATA SECURITY REQUIREMENTS. 1. REASONABLE SAFEGUARDS.  (A)
   54  ANY PERSON OR BUSINESS THAT CONDUCTS BUSINESS IN  NEW  YORK  STATE,  AND
   55  OWNS OR LICENSES COMPUTERIZED DATA WHICH INCLUDES PRIVATE INFORMATION OF
   56  A  RESIDENT OF NEW YORK SHALL DEVELOP, IMPLEMENT AND MAINTAIN REASONABLE
       S. 4887                             4
    1  SAFEGUARDS TO PROTECT THE SECURITY, CONFIDENTIALITY AND INTEGRITY OF THE
    2  PRIVATE INFORMATION, INCLUDING DISPOSAL OF DATA.
    3    (B)  THE  FOLLOWING SHALL BE DEEMED TO BE IN COMPLIANCE WITH PARAGRAPH
    4  (A) OF THIS SUBDIVISION:
    5    (I) A PERSON OR BUSINESS THAT COMPLIES WITH A  STATE  OR  FEDERAL  LAW
    6  PROVIDING  GREATER  PROTECTION TO PRIVATE INFORMATION THAN THAT PROVIDED
    7  BY THIS SECTION;
    8    (II) A PERSON OR BUSINESS THAT IS SUBJECT TO AND COMPLIES  WITH  REGU-
    9  LATIONS PROMULGATED PURSUANT TO TITLE V OF THE GRAMM-LEACH-BLILEY ACT OF
   10  1999 (15 U.S.C. 6801 TO 6809);
   11    (III)  A  PERSON  OR BUSINESS THAT COMPLIES WITH CURRENT INTERNATIONAL
   12  STANDARDS ORGANIZATION STANDARDS FOR INFORMATION SECURITY;
   13    (IV) A PERSON OR BUSINESS THAT IS SUBJECT TO AND COMPLIES  WITH  REGU-
   14  LATIONS IMPLEMENTING THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY
   15  ACT  OF  1996  (45  C.F.R. PARTS 160 AND 164) AND THE HEALTH INFORMATION
   16  TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT, AS AMENDED FROM TIME TO
   17  TIME;
   18    (V) A PERSON OR BUSINESS THAT COMPLIES WITH CURRENT NATIONAL INSTITUTE
   19  OF STANDARDS AND TECHNOLOGY STANDARDS AS REFERENCED IN SUBDIVISION THREE
   20  OF THIS SECTION; OR
   21    (VI) A PERSON OR BUSINESS  THAT  IMPLEMENTS  AN  INFORMATION  SECURITY
   22  PROGRAM THAT INCLUDES THE FOLLOWING:
   23    (A)  ADMINISTRATIVE  SAFEGUARDS  SUCH  AS  THE FOLLOWING, IN WHICH THE
   24  PERSON OR BUSINESS:
   25    (I) DESIGNATES ONE  OR  MORE  EMPLOYEES  TO  COORDINATE  THE  SECURITY
   26  PROGRAM;
   27    (II) IDENTIFIES REASONABLY FORESEEABLE INTERNAL AND EXTERNAL RISKS;
   28    (III)  ASSESSES  THE SUFFICIENCY OF SAFEGUARDS IN PLACE TO CONTROL THE
   29  IDENTIFIED RISKS;
   30    (IV) TRAINS AND MANAGES EMPLOYEES IN THE  SECURITY  PROGRAM  PRACTICES
   31  AND PROCEDURES;
   32    (V) SELECTS SERVICE PROVIDERS CAPABLE OF MAINTAINING APPROPRIATE SAFE-
   33  GUARDS, AND REQUIRES THOSE SAFEGUARDS BY CONTRACT;
   34    (VI)  ADJUSTS THE SECURITY PROGRAM IN LIGHT OF BUSINESS CHANGES OR NEW
   35  CIRCUMSTANCES; AND
   36    (B) TECHNICAL SAFEGUARDS SUCH AS THE FOLLOWING, IN WHICH THE PERSON OR
   37  BUSINESS:
   38    (I) ASSESSES RISKS IN NETWORK AND SOFTWARE DESIGN;
   39    (II) ASSESSES RISKS IN INFORMATION PROCESSING, TRANSMISSION AND  STOR-
   40  AGE;
   41    (III) DETECTS, PREVENTS AND RESPONDS TO ATTACKS OR SYSTEM FAILURES;
   42    (IV)  REGULARLY  TESTS AND MONITORS THE EFFECTIVENESS OF KEY CONTROLS,
   43  SYSTEMS AND PROCEDURES; AND
   44    (C) PHYSICAL SAFEGUARDS SUCH AS THE FOLLOWING, IN WHICH THE PERSON  OR
   45  BUSINESS:
   46    (I) ASSESSES RISKS OF INFORMATION STORAGE AND DISPOSAL;
   47    (II) DETECTS, PREVENTS AND RESPONDS TO INTRUSIONS;
   48    (III) PROTECTS AGAINST UNAUTHORIZED ACCESS TO OR USE OF PRIVATE INFOR-
   49  MATION DURING OR AFTER THE COLLECTION, TRANSPORTATION AND DESTRUCTION OR
   50  DISPOSAL OF THE INFORMATION; AND
   51    (IV)  DISPOSES OF PRIVATE INFORMATION AFTER IT IS NO LONGER NEEDED FOR
   52  BUSINESS PURPOSES BY ERASING ELECTRONIC MEDIA SO  THAT  THE  INFORMATION
   53  CANNOT BE READ OR RECONSTRUCTED.
   54    2.  REBUTTABLE PRESUMPTION. A PERSON OR BUSINESS THAT OBTAINS AN INDE-
   55  PENDENT, THIRD-PARTY AUDIT AND CERTIFICATION  ANNUALLY  UNDER  THE  DATA
   56  SECURITY  STANDARD  LISTED  IN  PARAGRAPH (B) OF SUBDIVISION ONE OF THIS
       S. 4887                             5
    1  SECTION SHALL  RECEIVE  A  REBUTTABLE  PRESUMPTION  THAT  IT  MAINTAINED
    2  REASONABLE  SAFEGUARDS  TO  PROTECT  THE  SECURITY,  CONFIDENTIALITY AND
    3  INTEGRITY OF THE PRIVATE INFORMATION.
    4    3.  CERTIFICATION  AUTHORITY AND REGULATION.  THE DEPARTMENT OF FINAN-
    5  CIAL  SERVICES  SHALL  PROMULGATE  REGULATIONS  REGARDING   INDEPENDENT,
    6  THIRD-PARTY  LICENSED  INSURERS RESPONSIBLE FOR CERTIFYING ENTITIES THAT
    7  MEET THE REASONABLE DATA SECURITY REQUIREMENTS SET FORTH IN SUBPARAGRAPH
    8  (VI) OF PARAGRAPH (B) OF SUBDIVISION ONE OF THIS SECTION.
    9    4. SAFE HARBOR. ANY PERSON OR BUSINESS THAT COMPLIES WITH THE MOST  UP
   10  TO  DATE  VERSION  OF THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
   11  SPECIAL PUBLICATION 800-53 SHALL BE IMMUNE FROM  LIABILITY  IN  A  CIVIL
   12  ACTION,  INCLUDING  BUT NOT LIMITED TO AN ACTION BROUGHT BY THE ATTORNEY
   13  GENERAL, RESULTING FROM UNAUTHORIZED ACCESS TO PRIVATE INFORMATION BY  A
   14  THIRD-PARTY  ABSENT  EVIDENCE  OF WILLFUL MISCONDUCT, BAD FAITH OR GROSS
   15  NEGLIGENCE. COMPLIANCE MUST BE CERTIFIED  ANNUALLY  BY  AN  INDEPENDENT,
   16  THIRD-PARTY  LICENSED  INSURER,  AUTHORIZED BY THE NATIONAL INSTITUTE OF
   17  STANDARDS AND TECHNOLOGY.
   18    5. ENFORCEMENT. (A) WHENEVER THE ATTORNEY GENERAL SHALL  BELIEVE  FROM
   19  EVIDENCE  SATISFACTORY  TO  HIM OR HER THAT THERE IS A VIOLATION OF THIS
   20  SECTION HE OR SHE MAY BRING AN ACTION IN THE NAME AND ON BEHALF  OF  THE
   21  PEOPLE  OF THE STATE OF NEW YORK, IN A COURT OF JUSTICE HAVING JURISDIC-
   22  TION TO ISSUE AN INJUNCTION, TO ENJOIN AND RESTRAIN THE CONTINUATION  OF
   23  SUCH  VIOLATION. IN SUCH ACTION, PRELIMINARY RELIEF MAY BE GRANTED UNDER
   24  ARTICLE SIXTY-THREE OF THE CIVIL PRACTICE LAW AND RULES. IN SUCH ACTION,
   25  THE COURT MAY AWARD DAMAGES FOR ACTUAL COSTS OR  LOSSES  INCURRED  BY  A
   26  PERSON AS A RESULT OF THE FAILURE BY A PERSON OR BUSINESS TO COMPLY WITH
   27  THE  DATA  SECURITY  REQUIREMENTS  SET  FORTH IN THIS SECTION, INCLUDING
   28  CONSEQUENTIAL FINANCIAL LOSSES, AS WELL AS A CIVIL PENALTY OF UP TO  TWO
   29  HUNDRED  FIFTY  DOLLARS, WHICH PENALTY MAY BE INCREASED BY A FACTOR LESS
   30  THAN OR EQUAL TO THE NUMBER OF PERSONS  WHOSE  PRIVATE  INFORMATION  WAS
   31  COMPROMISED;  PROVIDED  HOWEVER,  THAT THE AGGREGATE AMOUNT OF ANY CIVIL
   32  PENALTIES SO IMPOSED SHALL NOT EXCEED TEN MILLION DOLLARS. WHENEVER  THE
   33  COURT  SHALL  DETERMINE  THAT A PERSON OR BUSINESS VIOLATED THIS SECTION
   34  KNOWINGLY OR RECKLESSLY, THE COURT MAY, IN  LIEU  OF  IMPOSING  A  CIVIL
   35  PENALTY  AS SET FORTH ABOVE, INSTEAD IMPOSE A CIVIL PENALTY OF UP TO ONE
   36  THOUSAND DOLLARS, WHICH PENALTY MAY BE INCREASED BY A FACTOR  LESS  THAN
   37  OR  EQUAL TO THE NUMBER OF PERSONS WHOSE PRIVATE INFORMATION WAS COMPRO-
   38  MISED; PROVIDED HOWEVER, THAT THE AGGREGATE AMOUNT OF ANY  CIVIL  PENAL-
   39  TIES SO IMPOSED SHALL NOT EXCEED THE GREATER OF FIFTY MILLION DOLLARS OR
   40  THREE  TIMES  THE  AGGREGATE  AMOUNT  OF  ANY ACTUAL COSTS AND LOSSES AS
   41  DETERMINED BY THE COURT. A COURT MAY AWARD A CIVIL PENALTY  PURSUANT  TO
   42  THIS PARAGRAPH WITHOUT A SHOWING OF FINANCIAL LOSS.
   43    (B)  THE REMEDIES PROVIDED BY THIS SECTION SHALL BE IN ADDITION TO ANY
   44  OTHER LAWFUL REMEDY AVAILABLE.
   45    (C) NO ACTION MAY BE BROUGHT UNDER  THE  PROVISIONS  OF  THIS  SECTION
   46  UNLESS SUCH ACTION IS COMMENCED WITHIN THREE YEARS IMMEDIATELY AFTER THE
   47  DATE  OF  THE  ACT OR OMISSION COMPLAINED OF OR THE DATE OF DISCOVERY OF
   48  SUCH ACT OR OMISSION.
   49    S 7. Section 208 of the state technology law is amended  by  adding  a
   50  new subdivision 9 to read as follows:
   51    9.  DATA SECURITY REQUIREMENTS.  (A) ANY STATE ENTITY THAT OWNS, MAIN-
   52  TAINS, OR OTHERWISE POSSESSES PRIVATE INFORMATION SHALL DEVELOP,  IMPLE-
   53  MENT  AND MAINTAIN REASONABLE SAFEGUARDS TO PROTECT THE SECURITY, CONFI-
   54  DENTIALITY AND INTEGRITY OF THE PRIVATE INFORMATION, INCLUDING  DISPOSAL
   55  OF DATA.
       S. 4887                             6
    1    (B)  THE  FOLLOWING SHALL BE DEEMED TO BE IN COMPLIANCE WITH PARAGRAPH
    2  (A) OF THIS SUBDIVISION:
    3    (I) A STATE ENTITY THAT COMPLIES WITH A STATE OR FEDERAL LAW PROVIDING
    4  GREATER  PROTECTION  TO  PRIVATE  INFORMATION THAN THAT PROVIDED BY THIS
    5  SECTION;
    6    (II) A STATE ENTITY THAT IS SUBJECT TO AND COMPLIES  WITH  REGULATIONS
    7  PROMULGATED  PURSUANT  TO  TITLE V OF THE GRAMM-LEACH-BLILEY ACT OF 1999
    8  (15 U.S.C. 6801 TO 6809);
    9    (III) A STATE ENTITY THAT COMPLIES WITH THE MOST CURRENT INTERNATIONAL
   10  STANDARDS ORGANIZATION STANDARDS FOR INFORMATION SECURITY;
   11    (IV) A STATE ENTITY THAT IS SUBJECT TO AND COMPLIES  WITH  REGULATIONS
   12  IMPLEMENTING  THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF
   13  1996 (45 C.F.R. PARTS 160 AND 164) AND THE HEALTH INFORMATION TECHNOLOGY
   14  FOR ECONOMIC AND CLINICAL HEALTH ACT, AS AMENDED FROM TIME TO TIME;
   15    (V) A STATE ENTITY THAT COMPLIES WITH CURRENT  NATIONAL  INSTITUTE  OF
   16  STANDARDS AND TECHNOLOGY STANDARDS; OR
   17    (VI)  A  STATE  ENTITY THAT IMPLEMENTS AN INFORMATION SECURITY PROGRAM
   18  THAT INCLUDES THE FOLLOWING:
   19    (A) ADMINISTRATIVE SAFEGUARDS SUCH AS  THE  FOLLOWING,  IN  WHICH  THE
   20  STATE ENTITY:
   21    (I)  DESIGNATES  ONE  OR  MORE  EMPLOYEES  TO  COORDINATE THE SECURITY
   22  PROGRAM;
   23    (II) IDENTIFIES REASONABLY FORESEEABLE INTERNAL AND EXTERNAL RISKS;
   24    (III) ASSESSES THE SUFFICIENCY OF SAFEGUARDS IN PLACE TO  CONTROL  THE
   25  IDENTIFIED RISKS;
   26    (IV)  TRAINS  AND  MANAGES EMPLOYEES IN THE SECURITY PROGRAM PRACTICES
   27  AND PROCEDURES;
   28    (V) SELECTS SERVICE PROVIDERS CAPABLE OF MAINTAINING APPROPRIATE SAFE-
   29  GUARDS, AND REQUIRES THOSE SAFEGUARDS BY CONTRACT; AND
   30    (VI) ADJUSTS THE SECURITY PROGRAM IN LIGHT OF BUSINESS CHANGES OR  NEW
   31  CIRCUMSTANCES;
   32    (B)  TECHNICAL  SAFEGUARDS  SUCH  AS THE FOLLOWING, IN WHICH THE STATE
   33  ENTITY:
   34    (I) ASSESSES RISKS IN NETWORK AND SOFTWARE DESIGN;
   35    (II) ASSESSES RISKS IN INFORMATION PROCESSING, TRANSMISSION AND  STOR-
   36  AGE;
   37    (III)  DETECTS,  PREVENTS  AND RESPONDS TO ATTACKS OR SYSTEM FAILURES;
   38  AND
   39    (IV) REGULARLY TESTS AND MONITORS THE EFFECTIVENESS OF  KEY  CONTROLS,
   40  SYSTEMS AND PROCEDURES; AND
   41    (C)  PHYSICAL  SAFEGUARDS  SUCH  AS  THE FOLLOWING, IN WHICH THE STATE
   42  ENTITY:
   43    (I) ASSESSES RISKS OF INFORMATION STORAGE AND DISPOSAL;
   44    (II) DETECTS, PREVENTS AND RESPONDS TO INTRUSIONS;
   45    (III) PROTECTS AGAINST UNAUTHORIZED ACCESS TO OR USE OF PRIVATE INFOR-
   46  MATION DURING OR AFTER THE COLLECTION, TRANSPORTATION AND DESTRUCTION OR
   47  DISPOSAL OF THE INFORMATION; AND
   48    (IV) DISPOSES OF PRIVATE INFORMATION AFTER IT IS NO LONGER NEEDED  FOR
   49  BUSINESS PURPOSES OR AS REQUIRED BY LOCAL, STATE OR FEDERAL LAW BY ERAS-
   50  ING  ELECTRONIC  MEDIA  SO THAT THE INFORMATION CANNOT BE READ OR RECON-
   51  STRUCTED.
   52    S 8. This act shall take effect January 1, 2016.