AB7232 Summary:

BILL NOA07232A
 
SAME ASSAME AS S01104-A
 
SPONSOROtis
 
COSPNSR
 
MLTSPNSR
 
Amd §899-aa, Gen Bus L
 
Relates to the timeliness of disclosure of a breach of the security of a system which contains private information.
Go to top    

AB7232 Actions:

BILL NOA07232A
 
04/12/2017referred to consumer affairs and protection
05/24/2017amend and recommit to consumer affairs and protection
05/24/2017print number 7232a
06/05/2017reported referred to codes
01/03/2018referred to codes
Go to top

AB7232 Committee Votes:

CONSUMER AFFAIRS AND PROTECTION Chair:Kavanagh DATE:06/05/2017AYE/NAY:16/0 Action: Favorable refer to committee Codes
KavanaghAyePalumboAye
AbbateAyeMcDonoughAye
QuartAyeMcKevittAye
BuchwaldAyeStecAye
SolagesAye
SimonAye
DilanAye
SeawrightAye
RozicAye
NiouAye
Pheffer AmatoAye
WilliamsAye

Go to top

AB7232 Floor Votes:

There are no votes for this bill in this legislative session.
Go to top

AB7232 Memo:

NEW YORK STATE ASSEMBLY
MEMORANDUM IN SUPPORT OF LEGISLATION
submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A7232A
 
SPONSOR: Otis
  TITLE OF BILL: An act to amend the general business law, in relation to the timeliness of disclosure of a breach of the security of a system which contains private information   PURPOSE OR GENERAL IDEA OF BILL: To update New York's data breach law to include a definitive timetable for notification to consumers of a security breach.   SUMMARY OF PROVISIONS: Section 1: Amends subdivision 2 of section 899-aa of the general busi- ness law by adding a definitive timetable for notification to consumers' that a breach of their personal information has occurred. Under the current law, consumers must be notified in the most expedient time possible and without unreasonable day. This bill maintains that consum- ers must be notified in the most expedient time possible but adds a requirement that notification must occur within 45 days. Additionally, this bill defines reasonable delay includes determining the scope of the breach, preventing further disclosures, conducting a risk assessment, and restoring the integrity of the security system. If the Attorney General determines that additional time is necessary, notification may be delayed for another period of 45 days. Section 2: Establishes the effective date.   DIFFERENCE BETWEEN ORIGINAL AND AMENDED VERSION (IF APPLICABLE): New effective date.   JUSTIFICATION: New York's current data breach notification law must be updated to keep pace with the changing landscape of technology and data storage. The consequences of a breach can include identity theft, financial exploita- tion and other acts which jeopardize consumers. By adding a 45 day notification period New York joins Connecticut, Florida, Maine, Ohio, Rhode Island, Vermont, Washington, and Wisconsin in establishing a time- table for notification. Adding a timetable for notification will help consumers protect themselves.   PRIOR LEGISLATIVE HISTORY: S7347-A (2015) Consumer Protection Committee   FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS: None.   EFFECTIVE DATE: Ninety Days
Go to top

AB7232 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                         7232--A
 
                               2017-2018 Regular Sessions
 
                   IN ASSEMBLY
 
                                     April 12, 2017
                                       ___________
 
        Introduced  by  M. of A. OTIS -- read once and referred to the Committee
          on Consumer Affairs  and  Protection  --  committee  discharged,  bill
          amended,  ordered reprinted as amended and recommitted to said commit-
          tee
 
        AN ACT to amend the general business law, in relation to the  timeliness
          of  disclosure  of a breach of the security of a system which contains
          private information
 
          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:
 
     1    Section  1.  Subdivision  2  of section 899-aa of the general business
     2  law, as added by chapter 442 of the laws of 2005, is amended to read  as
     3  follows:
     4    2.  Any  person or business which conducts business in New York state,
     5  and which owns or licenses  computerized  data  which  includes  private
     6  information  shall  disclose  any  breach  of the security of the system
     7  following discovery or notification of the breach in the security of the
     8  system to any resident of New York state whose private information  was,
     9  or  is  reasonably  believed  to have been, acquired by a person without
    10  valid authorization. The disclosure shall be made [in the most expedient
    11  time possible and]  without  unreasonable  delay,  consistent  with  the
    12  legitimate  needs of law enforcement, as provided in subdivision four of
    13  this section, or any measures necessary to determine the  scope  of  the
    14  breach  and  restore  the reasonable integrity of the system. Reasonable
    15  delay under this subdivision shall not exceed forty-five days, except as
    16  provided in subdivision four of this section or  unless  the  person  or
    17  business  seeking  additional  time demonstrates to the attorney general
    18  that additional time is reasonably necessary to determine the  scope  of
    19  the  breach of the security system, prevent further disclosures, conduct
    20  the risk assessment, and restore the reasonable integrity of the securi-
    21  ty system. If the attorney general determines that additional  delay  is
    22  necessary  the  agency  may  extend the time period for notification for
 
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD06866-02-7

        A. 7232--A                          2
 
     1  additional periods of up to forty-five days  each.  Any  such  extension
     2  shall be provided in writing.
     3    §  2.  This  act shall take effect on the ninetieth day after it shall
     4  have become a law.
Go to top