STATE OF NEW YORK
________________________________________________________________________
6866
2015-2016 Regular Sessions
IN ASSEMBLY
April 8, 2015
___________
Introduced by M. of A. DINOWITZ -- (at request of the Department of Law)
-- read once and referred to the Committee on Consumer Affairs and
Protection
AN ACT to amend the general business law and the state technology law,
in relation to the data security act
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. This act shall be known and may be cited as the "data secu-
2 rity act".
3 § 2. The opening paragraph and paragraph (b) of subdivision 1 of
4 section 899-aa of the general business law, as added by chapter 442 of
5 the laws of 2005, are amended to read as follows:
6 As used in this section, and section eight hundred ninety-nine-bb of
7 this article, the following terms shall have the following meanings:
8 (b) "Private information" shall mean either: (i) personal information
9 consisting of any information in combination with any one or more of the
10 following data elements, when either the personal information or the
11 data element is not encrypted, or encrypted with an encryption key that
12 has also been acquired:
13 (1) social security number;
14 (2) driver's license number or non-driver identification card number;
15 [or]
16 (3) account number, credit or debit card number, in combination with
17 any required security code, access code, or password that would permit
18 access to an individual's financial account; or
19 (4) biometric information, meaning data generated by automatic meas-
20 urements of an individual's physical characteristics, which are used by
21 the owner or licensee to authenticate the individual's identity;
22 (ii) a user name or email address in combination with a password or
23 security question and answer that would permit access to an online
24 account; or
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD08145-09-5
A. 6866 2
1 (iii) any unsecured protected health information as defined in the
2 health insurance portability and accountability act of 1996 (45 C.F.R.
3 pts. 160, 162, 164), as amended from time to time.
4 "Private information" does not include publicly available information
5 which is lawfully made available to the general public from federal,
6 state, or local government records.
7 § 3. Subdivisions 4 and 5 of section 899-aa of the general business
8 law, as added by chapter 442 of the laws of 2005, are amended to read as
9 follows:
10 4. (a) The notification required by this section may be delayed if a
11 law enforcement agency determines that such notification impedes a crim-
12 inal investigation. The notification required by this section shall be
13 made after such law enforcement agency determines that such notification
14 does not compromise such investigation.
15 (b) The production of forensic reports to local and state law enforce-
16 ment agencies for the purposes of investigating and identifying those
17 responsible for a breach of the security of the system shall not consti-
18 tute a waiver of any applicable privilege or protection provided by law,
19 including trade secret protection, and forensic reports so produced
20 shall not be subject to disclosure under article six of the public offi-
21 cers law.
22 5. The notice required by this section shall be directly provided to
23 the affected persons by one of the following methods:
24 (a) written notice;
25 (b) electronic notice, provided that the person to whom notice is
26 required has expressly consented to receiving said notice in electronic
27 form and a log of each such notification is kept by the person or busi-
28 ness who notifies affected persons in such form; provided further,
29 however, that in no case shall any person or business require a person
30 to consent to accepting said notice in said form as a condition of
31 establishing any business relationship or engaging in any
32 transaction[.];
33 (c) telephone notification provided that a log of each such notifica-
34 tion is kept by the person or business who notifies affected persons; or
35 (d) Substitute notice, if a business demonstrates to the state attor-
36 ney general that the cost of providing notice would exceed two hundred
37 fifty thousand dollars, or that the affected class of subject persons to
38 be notified exceeds five hundred thousand, or such business does not
39 have sufficient contact information. Substitute notice shall consist of
40 all of the following:
41 (1) e-mail notice when such business has an e-mail address for the
42 subject persons;
43 (2) conspicuous posting of the notice on such business's web site
44 page, if such business maintains one; and
45 (3) notification to major statewide media.
46 (e) In the case of a breach of the security of the system involving a
47 user name, and password or security question and answer which would
48 permit access to an online account, as provided in subparagraph (ii) of
49 paragraph (b) of subdivision one of this section, and no other private
50 information defined in such paragraph (b), the person or business may
51 comply with this section by providing notification in electronic or
52 other form that directs the person whose private information has been
53 breached promptly to change his or her password and security question or
54 answer, as applicable, or to take other steps appropriate to protect the
55 online account with the person or business and all other online accounts
A. 6866 3
1 for which the person whose private information has been breached uses
2 the same information.
3 (f) In the case of a breach of the security of the system involving
4 the login credentials of an email account furnished by the person or
5 business as provided in subparagraph (ii) of paragraph (b) of subdivi-
6 sion one of this section, the person or business shall not comply with
7 this section by providing the security breach notification to that email
8 address, but shall, instead, comply with this section by providing
9 notice by another method described in this subdivision or by clear and
10 conspicuous notice delivered to the resident online when the resident is
11 connected to the online account from an internet protocol address or
12 online location from which the person or business knows the resident
13 customarily accesses the account.
14 § 4. Paragraph (a) of subdivision 6 of section 899-aa of the general
15 business law, as amended by chapter 491 of the laws of 2005, is amended
16 to read as follows:
17 (a) whenever the attorney general shall believe from evidence satis-
18 factory to him or her that there is a violation of this [article]
19 section he or she may bring an action in the name and on behalf of the
20 people of the state of New York, in a court of justice having jurisdic-
21 tion to issue an injunction, to enjoin and restrain the continuation of
22 such violation. In such action, preliminary relief may be granted under
23 article sixty-three of the civil practice law and rules. In such action
24 the court may award damages for actual costs or losses incurred by a
25 person entitled to notice pursuant to this [article] section, if notifi-
26 cation was not provided to such person pursuant to this [article]
27 section, including consequential financial losses. Whenever the court
28 shall determine in such action that a person or business violated this
29 [article] section knowingly or recklessly, the court may impose a civil
30 penalty of the greater of five thousand dollars or up to ten dollars per
31 instance of failed notification, provided that the latter amount shall
32 not exceed one [hundred fifty thousand] million dollars.
33 § 5. Paragraph (a) of subdivision 1 of section 208 of the state tech-
34 nology law, as added by chapter 442 of the laws of 2005, is amended to
35 read as follows:
36 (a) "Private information" shall mean either: (i) personal information
37 in combination with any one or more of the following data elements, when
38 either the personal information or the data element is not encrypted or
39 encrypted with an encryption key that has also been acquired:
40 (1) social security number;
41 (2) driver's license number or non-driver identification card number;
42 or
43 (3) account number, credit or debit card number, in combination with
44 any required security code, access code, or password which would permit
45 access to an individual's financial account;
46 (ii) a user name or email address in combination with a password or
47 security question and answer that would permit access to an online
48 account; or
49 (iii) any unsecured protected health information as defined in the
50 Health Insurance Portability and Accountability Act of 1996 (45 C.F.R.
51 pts. 160, 162, 164), as amended from time to time.
52 "Private information" does not include publicly available information
53 that is lawfully made available to the general public from federal,
54 state, or local government records.
55 § 6. The general business law is amended by adding a new section 899-
56 bb to read as follows:
A. 6866 4
1 § 899-bb. Data security requirements. 1. Reasonable safeguards. (a)
2 Any person or business that conducts business in New York state, and
3 owns or licenses computerized data which includes private information of
4 a resident of New York shall develop, implement and maintain reasonable
5 safeguards to protect the security, confidentiality and integrity of the
6 private information, including disposal of data.
7 (b) The following shall be deemed to be in compliance with paragraph
8 (a) of this subdivision:
9 (i) A person or business that complies with a state or federal law
10 providing greater protection to private information than that provided
11 by this section;
12 (ii) A person or business that is subject to and complies with regu-
13 lations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of
14 1999 (15 U.S.C. 6801 to 6809);
15 (iii) A person or business that complies with current International
16 Standards Organization standards for information security;
17 (iv) A person or business that is subject to and complies with regu-
18 lations implementing the Health Insurance Portability and Accountability
19 Act of 1996 (45 C.F.R. parts 160 and 164) and the Health Information
20 Technology for Economic and Clinical Health Act, as amended from time to
21 time;
22 (v) A person or business that complies with current National Institute
23 of Standards and Technology standards as referenced in subdivision three
24 of this section; or
25 (vi) A person or business that implements an information security
26 program that includes the following:
27 (A) Administrative safeguards such as the following, in which the
28 person or business:
29 (I) Designates one or more employees to coordinate the security
30 program;
31 (II) Identifies reasonably foreseeable internal and external risks;
32 (III) Assesses the sufficiency of safeguards in place to control the
33 identified risks;
34 (IV) Trains and manages employees in the security program practices
35 and procedures;
36 (V) Selects service providers capable of maintaining appropriate safe-
37 guards, and requires those safeguards by contract;
38 (VI) Adjusts the security program in light of business changes or new
39 circumstances; and
40 (B) Technical safeguards such as the following, in which the person or
41 business:
42 (I) Assesses risks in network and software design;
43 (II) Assesses risks in information processing, transmission and stor-
44 age;
45 (III) Detects, prevents and responds to attacks or system failures;
46 (IV) Regularly tests and monitors the effectiveness of key controls,
47 systems and procedures; and
48 (C) Physical safeguards such as the following, in which the person or
49 business:
50 (I) Assesses risks of information storage and disposal;
51 (II) Detects, prevents and responds to intrusions;
52 (III) Protects against unauthorized access to or use of private infor-
53 mation during or after the collection, transportation and destruction or
54 disposal of the information; and
A. 6866 5
1 (IV) Disposes of private information after it is no longer needed for
2 business purposes by erasing electronic media so that the information
3 cannot be read or reconstructed.
4 2. Rebuttable presumption. A person or business that obtains an inde-
5 pendent, third-party audit and certification annually under the data
6 security standard listed in paragraph (b) of subdivision one of this
7 section shall receive a rebuttable presumption that it maintained
8 reasonable safeguards to protect the security, confidentiality and
9 integrity of the private information.
10 3. Certification authority and regulation. The department of finan-
11 cial services shall promulgate regulations regarding independent, third-
12 party licensed insurers responsible for certifying entities that meet
13 the reasonable data security requirements set forth in subparagraph (vi)
14 of paragraph (b) of subdivision one of this section.
15 4. Safe harbor. Any person or business that complies with the most up
16 to date version of the National Institute of Standards and Technology
17 Special Publication 800-53 shall be immune from liability in a civil
18 action, including but not limited to an action brought by the attorney
19 general, resulting from unauthorized access to private information by a
20 third-party absent evidence of willful misconduct, bad faith or gross
21 negligence. Compliance must be certified annually by an independent,
22 third-party licensed insurer, authorized by the National Institute of
23 Standards and Technology.
24 5. Enforcement. (a) Whenever the attorney general shall believe from
25 evidence satisfactory to him or her that there is a violation of this
26 section he or she may bring an action in the name and on behalf of the
27 people of the state of New York, in a court of justice having jurisdic-
28 tion to issue an injunction, to enjoin and restrain the continuation of
29 such violation. In such action, preliminary relief may be granted under
30 article sixty-three of the civil practice law and rules. In such action,
31 the court may award damages for actual costs or losses incurred by a
32 person as a result of the failure by a person or business to comply with
33 the data security requirements set forth in this section, including
34 consequential financial losses, as well as a civil penalty of up to two
35 hundred fifty dollars, which penalty may be increased by a factor less
36 than or equal to the number of persons whose private information was
37 compromised; provided however, that the aggregate amount of any civil
38 penalties so imposed shall not exceed ten million dollars. Whenever the
39 court shall determine that a person or business violated this section
40 knowingly or recklessly, the court may, in lieu of imposing a civil
41 penalty as set forth above, instead impose a civil penalty of up to one
42 thousand dollars, which penalty may be increased by a factor less than
43 or equal to the number of persons whose private information was compro-
44 mised; provided however, that the aggregate amount of any civil penal-
45 ties so imposed shall not exceed the greater of fifty million dollars or
46 three times the aggregate amount of any actual costs and losses as
47 determined by the court. A court may award a civil penalty pursuant to
48 this paragraph without a showing of financial loss.
49 (b) The remedies provided by this section shall be in addition to any
50 other lawful remedy available.
51 (c) No action may be brought under the provisions of this section
52 unless such action is commenced within three years immediately after the
53 date of the act or omission complained of or the date of discovery of
54 such act or omission.
55 § 7. Section 208 of the state technology law is amended by adding a
56 new subdivision 9 to read as follows:
A. 6866 6
1 9. Data security requirements. (a) Any state entity that owns, main-
2 tains, or otherwise possesses private information shall develop, imple-
3 ment and maintain reasonable safeguards to protect the security, confi-
4 dentiality and integrity of the private information, including disposal
5 of data.
6 (b) The following shall be deemed to be in compliance with paragraph
7 (a) of this subdivision:
8 (i) A state entity that complies with a state or federal law providing
9 greater protection to private information than that provided by this
10 section;
11 (ii) A state entity that is subject to and complies with regulations
12 promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of 1999
13 (15 U.S.C. 6801 to 6809);
14 (iii) A state entity that complies with the most current International
15 Standards Organization standards for information security;
16 (iv) A state entity that is subject to and complies with regulations
17 implementing the Health Insurance Portability and Accountability Act of
18 1996 (45 C.F.R. parts 160 and 164) and the Health Information Technology
19 for Economic and Clinical Health Act, as amended from time to time;
20 (v) A state entity that complies with current National Institute of
21 Standards and Technology standards; or
22 (vi) A state entity that implements an information security program
23 that includes the following:
24 (A) Administrative safeguards such as the following, in which the
25 state entity:
26 (I) Designates one or more employees to coordinate the security
27 program;
28 (II) Identifies reasonably foreseeable internal and external risks;
29 (III) Assesses the sufficiency of safeguards in place to control the
30 identified risks;
31 (IV) Trains and manages employees in the security program practices
32 and procedures;
33 (V) Selects service providers capable of maintaining appropriate safe-
34 guards, and requires those safeguards by contract; and
35 (VI) Adjusts the security program in light of business changes or new
36 circumstances;
37 (B) Technical safeguards such as the following, in which the state
38 entity:
39 (I) Assesses risks in network and software design;
40 (II) Assesses risks in information processing, transmission and stor-
41 age;
42 (III) Detects, prevents and responds to attacks or system failures;
43 and
44 (IV) Regularly tests and monitors the effectiveness of key controls,
45 systems and procedures; and
46 (C) Physical safeguards such as the following, in which the state
47 entity:
48 (I) Assesses risks of information storage and disposal;
49 (II) Detects, prevents and responds to intrusions;
50 (III) Protects against unauthorized access to or use of private infor-
51 mation during or after the collection, transportation and destruction or
52 disposal of the information; and
53 (IV) Disposes of private information after it is no longer needed for
54 business purposes or as required by local, state or federal law by eras-
55 ing electronic media so that the information cannot be read or recon-
56 structed.
A. 6866 7
1 § 8. This act shall take effect January 1, 2016.