A10190 Summary:

SAME ASNo same as
SPONSORRules (Dinowitz)
COSPNSRGottfried, Galef, Titone, Cook, Abinanti, Englebright, Otis, Fahy, Colton
Amd S899-aa, Gen Bus L
Relates to the protection of personal information by businesses.
Go to top    

A10190 Actions:

09/24/2014referred to consumer affairs and protection
Go to top

A10190 Text:

                STATE OF NEW YORK
                   IN ASSEMBLY
                                   September 24, 2014
        Introduced  by  COMMITTEE  ON RULES -- (at request of M. of A. Dinowitz,
          Gottfried, Galef, Titone, Cook,  Abinanti,  Englebright,  Otis,  Fahy,
          Colton) -- read once and referred to the Committee on Consumer Affairs
          and Protection
        AN  ACT to amend the general business law, in relation to the protection
          of personal information by businesses

          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:
     1    Section  1.  Section  899-aa  of the general business law, as added by
     2  chapter 442 of the laws of 2005, paragraph (c) of subdivision  1,  para-
     3  graph  (a)  of subdivision 6 and subdivision 8 as amended by chapter 491
     4  of the laws of 2005 and paragraph (a) of subdivision  8  as  amended  by
     5  section  6  of  part  N of chapter 55 of the laws of 2013, is amended to
     6  read as follows:
     7    § 899-aa. Safeguarding personal information; [Notification;] notifica-
     8  tion, person without valid authorization has acquired  private  informa-
     9  tion.    1.  As used in this section, the following terms shall have the
    10  following meanings:
    11    (a) "Personal information" shall mean  any  information  concerning  a

    12  natural  person  which, because of name, number, personal mark, or other
    13  identifier, can be used to identify such natural person;
    14    (b) "Private information" shall mean personal  information  consisting
    15  of  any information in combination with any one or more of the following
    16  data elements, when either the personal information or the data  element
    17  is not encrypted, or encrypted with an encryption key that has also been
    18  acquired:
    19    (1) social security number;
    20    (2)  driver's license number or non-driver identification card number;
    21  or
    22    (3) account number, credit or debit card number, in  combination  with
    23  any  required  security code, access code, or password that would permit
    24  access to an individual's financial account;
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets

                              [ ] is old law to be omitted.

        A. 10190                            2
     1    "Private information" does not include publicly available  information
     2  which  is  lawfully  made  available to the general public from federal,
     3  state, or local government records.
     4    (c)  "Breach  of  the  security of the system" shall mean unauthorized
     5  acquisition or acquisition without valid authorization  of  computerized
     6  data  that  compromises  the  security, confidentiality, or integrity of
     7  personal information maintained by a business. Good faith acquisition of
     8  personal information by an employee or agent of  the  business  for  the
     9  purposes  of the business is not a breach of the security of the system,

    10  provided that the private information is not used or  subject  to  unau-
    11  thorized disclosure.
    12    In determining whether information has been acquired, or is reasonably
    13  believed  to  have  been acquired, by an unauthorized person or a person
    14  without valid authorization, such business may  consider  the  following
    15  factors, among others:
    16    (1) indications that the information is in the physical possession and
    17  control  of an unauthorized person, such as a lost or stolen computer or
    18  other device containing information; or
    19    (2) indications that the information has been downloaded or copied; or
    20    (3) indications that the  information  was  used  by  an  unauthorized
    21  person,  such  as  fraudulent  accounts  opened or instances of identity
    22  theft reported.
    23    (d) "Consumer reporting agency" shall mean any person which, for mone-

    24  tary fees, dues, or on a cooperative nonprofit basis, regularly  engages
    25  in whole or in part in the practice of assembling or evaluating consumer
    26  credit  information or other information on consumers for the purpose of
    27  furnishing consumer reports to third parties, and which uses  any  means
    28  or  facility  of  interstate  commerce  for  the purpose of preparing or
    29  furnishing consumer reports. A list of consumer reporting agencies shall
    30  be compiled by the state attorney general and furnished upon request  to
    31  any person or business required to make a notification under subdivision
    32  two of this section.
    33    2.  Any  person or business which conducts business in New York state,
    34  and which owns or licenses  computerized  data  which  includes  private
    35  information shall:
    36    (a) develop, implement, and maintain a comprehensive information secu-

    37  rity program which must be consistent with the safeguards for protection
    38  of personal information and information of a similar character set forth
    39  in any state or federal laws or regulations by which the person who owns
    40  or  licenses  such  information may be regulated, and that is written in
    41  one or more readily accessible parts and contains administrative,  tech-
    42  nical, and physical safeguards that are appropriate to:
    43    (i)  the  size, scope, and type of business of the person obligated to
    44  safeguard the personal information under such comprehensive  information
    45  security program;
    46    (ii) the amount of resources available to such person or business;
    47    (iii) the amount of stored data; and

    48    (iv)  the  need  for  security  and  confidentiality of information of
    49  customers and employees of the business.
    50    (b) disclose any breach  of  the  security  of  the  system  following
    51  discovery or notification of the breach in the security of the system to
    52  any  resident  of  New  York  state whose private information was, or is
    53  reasonably believed to have been, acquired by  a  person  without  valid
    54  authorization.  The  disclosure shall be made in the most expedient time
    55  possible and without unreasonable delay, consistent with the  legitimate
    56  needs  of  law  enforcement,  as  provided  in  subdivision four of this

        A. 10190                            3
     1  section, or any measures necessary to determine the scope of the  breach
     2  and restore the reasonable integrity of the system.

     3    3.  Without limiting the generality of the foregoing, every comprehen-
     4  sive information security program pursuant to paragraph (a) of  subdivi-
     5  sion two shall include, but not be limited to:
     6    (a)  designating  one  or more employees to maintain the comprehensive
     7  information security program;
     8    (b) identifying and  assessing  reasonably  foreseeable  internal  and
     9  external risks to the security, confidentiality, and/or integrity of any
    10  electronic, paper, or other records containing personal information, and
    11  evaluating  and  improving,  where necessary, the current safeguards for
    12  limiting such risks, including, but not limited to:
    13    (i) providing ongoing employee training;

    14    (ii) monitoring employee compliance with policies and procedures; and
    15    (iii) identifying means for detecting and preventing  security  system
    16  failures.
    17    (c)  developing  security policies for employees relating to the stor-
    18  age, access, and transportation of records containing personal  informa-
    19  tion outside of business premises;
    20    (d) imposing disciplinary measures for violations of the comprehensive
    21  information security program rules;
    22    (e)  preventing  terminated or former employees from assessing records
    23  containing personal information;
    24    (f) overseeing third-party service providers by:
    25    (i) taking reasonable steps to select and retain  third-party  service

    26  providers  that are capable of maintaining appropriate security measures
    27  to protect such personal information consistent  with  these  provisions
    28  and any applicable federal laws or regulations; and
    29    (ii)  requiring  such  third-party  service  providers  by contract to
    30  implement and maintain such appropriate security measures  for  personal
    31  information;  provided,  however, that until October first, two thousand
    32  seventeen, a contract a person or  business  has  entered  into  with  a
    33  third-party  service  provider  to  perform services for or functions on
    34  behalf of such person or  business  satisfies  the  provisions  of  this
    35  subparagraph  even if the contract a person or business has entered into

    36  with a third-party service provider does not include a requirement  that
    37  the  third-party service provider maintains such appropriate safeguards,
    38  as long as said person or business entered into the  contract  no  later
    39  than October first, two thousand fifteen.
    40    (g)  placing  reasonable  restrictions upon physical access to records
    41  containing personal information, and storage of such records and data in
    42  locked facilities, storage areas, or containers;
    43    (h) ensuring that the comprehensive information  security  program  is
    44  separating  in  a  manner  reasonably calculated to prevent unauthorized
    45  access to or unauthorized use of  personal  information,  and  upgrading
    46  information safeguards as necessary to limit risks;

    47    (i)  reviewing the scope of the security measures at least annually or
    48  whenever there is a material  change  in  business  practices  that  may
    49  reasonably  jeopardize  the  security or integrity of records containing
    50  personal information; and
    51    (j) documenting responsive actions taken in connection with any  inci-
    52  dent  involving a breach of security, and mandatory post-incident review
    53  of events and actions taken, if any, to make changes in  business  prac-
    54  tices relating to protection of personal information.

        A. 10190                            4
     1    [3.]4.  Any person or business which maintains computerized data which
     2  includes private information which such person or business does not  own
     3  shall:

     4    (a) include in its written, comprehensive information security program
     5  the  establishment  and  maintenance  of  a security system covering its
     6  computers, including any wireless system, that, at a minimum, and to the
     7  extent technically feasible, include the following elements:
     8    (i) secure user authentication protocols including:
     9    (1) control of user identifications and other identifiers;
    10    (2) a reasonably secure method of assigning and  selecting  passwords,
    11  or  use  of  unique identifier technologies, such as biometrics or token
    12  devices;
    13    (3) control of data security passwords to ensure that  such  passwords
    14  are  kept in a location and/or format that does not compromise the secu-
    15  rity of the data they protect;

    16    (4) restricting access to active users and active user accounts  only;
    17  and
    18    (5) blocking access to user identification after multiple unsuccessful
    19  attempts  to  gain  access  or  the  limitation placed on access for the
    20  particular system;
    21    (ii) secure access control measures that:
    22    (1) restrict access to records and files containing personal  informa-
    23  tion to those who need such information to perform their job duties; and
    24    (2)  assign  unique  identifications  plus  passwords,  which  are not
    25  vendor-supplied default passwords, to each person with  computer  access
    26  that  are  reasonably designed to maintain the integrity of the security
    27  of the access controls;

    28    (iii) encryption of  all  transmitted  records  and  files  containing
    29  personal  information  that  will  travel  across  public  networks, and
    30  encryption of all data containing personal information to be transmitted
    31  wirelessly;
    32    (iv) reasonable monitoring of  systems  for  unauthorized  use  of  or
    33  access to personal information;
    34    (v)  encryption of all personal information stored on laptops or other
    35  portable devices;
    36    (vi) for files containing personal information on  a  system  that  is
    37  connected  to  the  internet,  firewall  protection and operating system
    38  security patches reasonably designed to maintain the  integrity  of  the
    39  personal information;

    40    (vii)  system  security  agent  software  which  must  include malware
    41  protection and virus definitions, or a version of such software that can
    42  still be supported with up-to-date patches and virus definitions, and is
    43  set to receive the most current security updates on a regular basis; and
    44    (viii) education and training of employees on the proper  use  of  the
    45  computer  security  system  and  the  importance of personal information
    46  security.
    47    (b) notify the owner or licensee of the information of any  breach  of
    48  the  security  of  the  system  immediately  following discovery, if the
    49  private information  was,  or  is  reasonably  believed  to  have  been,
    50  acquired by a person without valid authorization.

    51    [4.]  5. The notification required by this section may be delayed if a
    52  law enforcement agency determines that such notification impedes a crim-
    53  inal investigation. The notification required by this section  shall  be
    54  made after such law enforcement agency determines that such notification
    55  does not compromise such investigation.

        A. 10190                            5
     1    [5.] 6. The notice required by this section shall be directly provided
     2  to the affected persons by one of the following methods:
     3    (a) written notice;
     4    (b)  electronic  notice,  provided  that  the person to whom notice is
     5  required has expressly consented to receiving said notice in  electronic
     6  form  and a log of each such notification is kept by the person or busi-

     7  ness who notifies affected  persons  in  such  form;  provided  further,
     8  however,  that  in no case shall any person or business require a person
     9  to consent to accepting said notice in  said  form  as  a  condition  of
    10  establishing any business relationship or engaging in any transaction.
    11    (c)  telephone notification provided that a log of each such notifica-
    12  tion is kept by the person or business who notifies affected persons; or
    13    (d) Substitute notice, if a business demonstrates to the state  attor-
    14  ney  general  that the cost of providing notice would exceed two hundred
    15  fifty thousand dollars, or that the affected class of subject persons to
    16  be notified exceeds five hundred thousand, or  such  business  does  not
    17  have  sufficient contact information. Substitute notice shall consist of
    18  all of the following:
    19    (1) e-mail notice when such business has an  e-mail  address  for  the

    20  subject persons;
    21    (2)  conspicuous  posting  of  the  notice on such business's web site
    22  page, if such business maintains one; and
    23    (3) notification to major statewide media.
    24    [6.] 7. (a) whenever the attorney general shall believe from  evidence
    25  satisfactory  to  him  that  there is a violation of this article he may
    26  bring an action in the name and on behalf of the people of the state  of
    27  New  York, in a court of justice having jurisdiction to issue an injunc-
    28  tion, to enjoin and restrain the continuation of  such  violation.    In
    29  such action, preliminary relief may be granted under article sixty-three
    30  of  the civil practice law and rules. In such action the court may award
    31  damages for actual costs or losses incurred  by  a  person  entitled  to
    32  notice  pursuant  to  this  article, if notification was not provided to

    33  such person pursuant to this article, including consequential  financial
    34  losses.  Whenever the court shall determine in such action that a person
    35  or business violated this article knowingly or recklessly, the court may
    36  impose a civil penalty of the greater of five thousand dollars or up  to
    37  ten  dollars  per  instance  of  failed  notification, provided that the
    38  latter amount shall not exceed one hundred fifty thousand dollars.
    39    (b) the remedies provided by this section shall be in addition to  any
    40  other lawful remedy available.
    41    (c)  no  action  may  be  brought under the provisions of this section
    42  unless such action is commenced within two years immediately  after  the
    43  date of the act complained of or the date of discovery of such act.
    44    [7.]  8.  Regardless  of  the method by which notice is provided, such

    45  notice shall include contact information  for  the  person  or  business
    46  making  the notification and a description of the categories of informa-
    47  tion that were, or are reasonably believed to have been, acquired  by  a
    48  person  without valid authorization, including specification of which of
    49  the elements of personal information and private  information  were,  or
    50  are reasonably believed to have been, so acquired.
    51    [8.]  9.  (a) In the event that any New York residents are to be noti-
    52  fied, the person or business shall notify the  state  attorney  general,
    53  the  department  of  state  and  the  division of state police as to the
    54  timing, content and distribution of the notices and  approximate  number
    55  of  affected  persons. Such notice shall be made without delaying notice
    56  to affected New York residents.

        A. 10190                            6
     1    (b) In the event that more than five thousand New York  residents  are
     2  to  be  notified  at  one time, the person or business shall also notify
     3  consumer reporting agencies as to the timing, content  and  distribution
     4  of  the  notices and approximate number of affected persons. Such notice
     5  shall be made without delaying notice to affected New York residents.
     6    [9.]  10.  The provisions of this section shall be exclusive and shall
     7  preempt any provisions of local law, ordinance or code, and no  locality
     8  shall impose requirements that are inconsistent with or more restrictive
     9  than those set forth in this section.
    10    §  2.  This act shall take effect immediately; provided, however, that
    11  the provisions of this act shall apply to any  person  or  business  who

    12  owns or licenses personal information about a resident of New York with-
    13  in  eighteen  months  after such effective date, provided, further, that
    14  any person or business may come into compliance  before  such  effective
    15  date.
Go to top