Provides that if the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information.
NEW YORK STATE ASSEMBLY MEMORANDUM IN SUPPORT OF LEGISLATION submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A3913
SPONSOR: Fahy
 
TITLE OF BILL:
An act to amend the general business law, in relation to credit monitor-
ing services
 
PURPOSE::
To require that companies that suffer a data breach provide free credit
monitoring services to effected persons for up to one year following the
breach.
 
SUMMARY OF PROVISIONS::
Section 1 - Requires that companies that suffer a data breach provide
free credit monitoring services to effected persons for up to one year
following the breach.
Section 2 - Effective date.
 
JUSTIFICATION::
Recent headlines have been dominated by a massive data breach that
impacted the largest credit-reporting firm in the United States. This
breach is estimated to have effected 143 million Americans, or 44t of
the population. Millions suddenly found that their birthdates, home
addresses, telephone numbers, and, in some cases, even their social
security numbers and drivers license numbers had been leaked.
The implications of such a large scale and egregious breach of consumer
data security are serious. Millions have been exposed to the possibility
of becoming victims of identity theft. This can lead to ongoing credit
problems and major costs to consumers to remedy the damage done. We must
do more to make sure that data breaches are prevented. But just as
important, is making sure consumers and law enforcement have the tools
available to mitigate damage as soon as a breach occurs. This bill, part
of a larger package that will target consumer data breaches at every
stage, will provide one of those tools.
This bill will require that companies that suffer a breach provide free
credit monitoring services to victims for up to one year following the
discovery of the breach. Credit monitoring is key to identifying the
occurrence of identity theft. This bill is a significant step toward
putting power back in the hands of the consumer.
 
LEGISLATIVE HISTORY::
A2868 2019-20
A3119 2021-22
 
FISCAL IMPLICATIONS::
None to the state.
 
EFFECTIVE DATE::
Immediately.
STATE OF NEW YORK
________________________________________________________________________
3913
2023-2024 Regular Sessions
IN ASSEMBLY
February 8, 2023
___________
Introduced by M. of A. FAHY -- read once and referred to the Committee
on Consumer Affairs and Protection
AN ACT to amend the general business law, in relation to credit monitor-
ing services
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. Subdivision 7 of section 899-aa of the general business
2 law, as amended by chapter 117 of the laws of 2019, is amended to read
3 as follows:
4 7. Regardless of the method by which notice is provided, such notice
5 shall include contact information for the person or business making the
6 notification, the telephone numbers and websites of the relevant state
7 and federal agencies that provide information regarding security breach
8 response and identity theft prevention and protection information, and a
9 description of the categories of information that were, or are reason-
10 ably believed to have been, accessed or acquired by a person without
11 valid authorization, including specification of which of the elements of
12 personal information and private information were, or are reasonably
13 believed to have been, so accessed or acquired. If the person or busi-
14 ness providing the notification was the source of the breach, an offer
15 to provide appropriate identity theft prevention and mitigation
16 services, shall be provided at no cost to the affected person for not
17 less than twelve months, along with all information necessary to take
18 advantage of the offer to any person whose information was or may have
19 been breached if the breach exposed or may have exposed personal infor-
20 mation as defined in subdivision one of this section.
21 § 2. This act shall take effect immediately.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD03540-01-3