Provides that a business must provide notification of a data breach within 15 days of such breach; includes the department of financial services in the list of entities that must be notified of a data breach that affects any New York resident.
STATE OF NEW YORK
9797
IN ASSEMBLY
February 13, 2020
Introduced by M. of A. HYNDMAN -- read once and referred to the Committee on Consumer Affairs and Protection
AN ACT to amend the general business law, in relation to notification of a data breach
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
Section 1. Subdivisions 2 and 3 of section 899-aa of the general business law, as amended by chapter 117 of the laws of 2019, are amended to read as follows:

2. Any person or business which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization. The disclosure shall be made in the most expedient time possible and without unreasonable delay, [consistent with] and shall be made within fifteen days after the breach has been discovered, except for the legitimate needs of law enforcement, as provided in subdivision four of this section[, or any measures necessary to determine the scope of the breach and restore the integrity of the system].

(a) Notice to affected persons under this section is not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials as found in subparagraph (ii) of paragraph (b) of subdivision one of this section. Such a determination must be documented in writing and maintained for at least five years. If the incident affects over five hundred residents of New York, the person or business shall provide the written determination to the state attorney general within ten days after the determination.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted.
LBD08659-04-0
(b) If notice of the breach of the security of the system is made to affected persons pursuant to the breach notification requirements under any of the following laws, nothing in this section shall require any additional notice to those affected persons, but notice still shall be provided to the state attorney general, the department of state [and], the division of state police and the department of financial services pursuant to paragraph (a) of subdivision eight of this section and to consumer reporting agencies pursuant to paragraph (b) of subdivision eight of this section:

(i) regulations promulgated pursuant to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 to 6809), as amended from time to time;

(ii) regulations implementing the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. parts 160 and 164), as amended from time to time, and the Health Information Technology for Economic and Clinical Health Act, as amended from time to time;

(iii) part five hundred of title twenty-three of the official compilation of codes, rules and regulations of the state of New York, as amended from time to time; or

(iv) any other data security rules and regulations of, and the statutes administered by, any official department, division, commission or agency of the federal or New York state government as such rules, regulations or statutes are interpreted by such department, division, commission or agency or by the federal or New York state courts.

3. Any person or business which maintains computerized data which includes private information which such person or business does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately and within fifteen days following discovery, if the private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization.

§ 2. Paragraph (a) of subdivision 8 of section 899-aa of the general business law, as amended by chapter 117 of the laws of 2019, is amended to read as follows:

(a) In the event that any New York residents are to be notified, the person or business shall notify the state attorney general, the department of state [and], the division of state police and the department of financial services as to the timing, content and distribution of the notices and approximate number of affected persons and shall provide a copy of the template of the notice sent to affected persons. Such notice shall be made without delaying notice to affected New York residents.

§ 3. This act shall take effect immediately.