Requires certain businesses to offer identity theft prevention and mitigation services in the case of a security breach; exempts businesses under financial hardship.
STATE OF NEW YORK
________________________________________________________________________
1374
2025-2026 Regular Sessions
IN ASSEMBLY
January 9, 2025
___________
Introduced by M. of A. DINOWITZ, DAVILA, SIMON, GLICK -- read once and
referred to the Committee on Consumer Affairs and Protection
AN ACT to amend the general business law, in relation to requiring
certain businesses to offer identity theft prevention and mitigation
services in the case of a security breach
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
Section 1. Subdivision 10 of section 899-aa of the general business law, as renumbered by chapter 117 of the laws of 2019, is renumbered to be subdivision 11 and a new subdivision 10 is added to read as follows:
10. (a) Where a security breach from a person or business other than a consumer credit reporting agency includes a social security number, and that person or business is required to provide notice under subdivision two of this section, that person or business shall offer each resident of this state whose social security number was disclosed in the breach of security or is reasonably believed to have been disclosed in the breach of security, reasonable credit report monitoring, identity theft prevention services and, if applicable, identity theft mitigation services at no cost to said resident for a period of not less than twenty-four months. The disclosure required by subdivision two of this section shall include information for any resident of New York state whose social security number was disclosed as a result of a data breach to obtain free, reasonable credit report monitoring, identity theft prevention services and, if applicable, identity theft mitigation services as described in this section.
(b) The requirement to provide twenty-four months of identity theft mitigation services shall not apply to any individual person or small business as defined in section one hundred thirty-one of the economic development law that can demonstrate a financial hardship directly owing to such compliance. A request for a financial hardship waiver shall be made to the commissioner of the department of financial services on a form prescribed by the department of financial services.
§ 2. This act shall take effect on the one hundred eightieth day after it shall have become a law. Effective immediately, the addition, amendment and/or repeal of any rule or regulation necessary for the implementation of this act on its effective date are authorized to be made and completed on or before such effective date.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted.
LBD03152-01-5