NEW YORK STATE ASSEMBLY MEMORANDUM IN SUPPORT OF LEGISLATION submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A7232A
SPONSOR: Otis
 
TITLE OF BILL: An act to amend the general business law, in relation
to the timeliness of disclosure of a breach of the security of a system
which contains private information
 
PURPOSE OR GENERAL IDEA OF BILL:
To update New York's data breach law to include a definitive timetable
for notification to consumers of a security breach.
 
SUMMARY OF PROVISIONS:
Section 1: Amends subdivision 2 of section 899-aa of the general
business law by adding a definitive timetable for notification to
consumers that a breach of their personal information has occurred.
Under the current law, consumers must be notified in the most expedient
time possible and without unreasonable delay. This bill maintains that
consumers must be notified in the most expedient time possible but adds
a requirement that notification must occur within 45 days. Additionally,
this bill defines reasonable delay to include determining the scope of
the breach, preventing further disclosures, conducting a risk
assessment, and restoring the integrity of the security system. If the
Attorney General determines that additional time is necessary,
notification may be delayed for another period of 45 days.
Section 2: Establishes the effective date.
 
DIFFERENCE BETWEEN ORIGINAL AND AMENDED VERSION (IF APPLICABLE):
New effective date.
 
JUSTIFICATION:
New York's current data breach notification law must be updated to keep
pace with the changing landscape of technology and data storage. The
consequences of a breach can include identity theft, financial
exploitation and other acts which jeopardize consumers. By adding a
45-day notification period, New York joins Connecticut, Florida, Maine,
Ohio, Rhode Island, Vermont, Washington, and Wisconsin in establishing a
timetable for notification. Adding a timetable for notification will
help consumers protect themselves.
 
PRIOR LEGISLATIVE HISTORY:
S7347-A (2015) Consumer Protection Committee
 
FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS:
None.
 
EFFECTIVE DATE:
Ninety Days

STATE OF NEW YORK
________________________________________________________________________
7232--A
2017-2018 Regular Sessions
IN ASSEMBLY
April 12, 2017
___________
Introduced by M. of A. OTIS -- read once and referred to the Committee
on Consumer Affairs and Protection -- committee discharged, bill
amended, ordered reprinted as amended and recommitted to said committee

AN ACT to amend the general business law, in relation to the timeliness
of disclosure of a breach of the security of a system which contains
private information

The People of the State of New York, represented in Senate and Assembly,
do enact as follows:

Section 1. Subdivision 2 of section 899-aa of the general business
law, as added by chapter 442 of the laws of 2005, is amended to read as
follows:

2. Any person or business which conducts business in New York state,
and which owns or licenses computerized data which includes private
information shall disclose any breach of the security of the system
following discovery or notification of the breach in the security of the
system to any resident of New York state whose private information was,
or is reasonably believed to have been, acquired by a person without
valid authorization. The disclosure shall be made [in the most expedient
time possible and] without unreasonable delay, consistent with the
legitimate needs of law enforcement, as provided in subdivision four of
this section, or any measures necessary to determine the scope of the
breach and restore the reasonable integrity of the system. Reasonable
delay under this subdivision shall not exceed forty-five days, except as
provided in subdivision four of this section or unless the person or
business seeking additional time demonstrates to the attorney general
that additional time is reasonably necessary to determine the scope of
the breach of the security system, prevent further disclosures, conduct
the risk assessment, and restore the reasonable integrity of the
security system. If the attorney general determines that additional
delay is necessary the agency may extend the time period for
notification for additional periods of up to forty-five days each. Any
such extension shall be provided in writing.

§ 2. This act shall take effect on the ninetieth day after it shall
have become a law.

EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD06866-02-7