STATE OF NEW YORK
________________________________________________________________________
1104--A
Cal. No. 250
2017-2018 Regular Sessions
IN SENATE
January 6, 2017
___________
Introduced by Sen. VALESKY -- read twice and ordered printed, and when
printed to be committed to the Committee on Consumer Protection --
reported favorably from said committee, ordered to first and second
report, ordered to a third reading, amended and ordered reprinted,
retaining its place in the order of third reading
AN ACT to amend the general business law, in relation to the timeliness
of disclosure of a breach of the security of a system which contains
private information
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. Subdivision 2 of section 899-aa of the general business
2 law, as added by chapter 442 of the laws of 2005, is amended to read as
3 follows:
4 2. Any person or business which conducts business in New York state,
5 and which owns or licenses computerized data which includes private
6 information shall disclose any breach of the security of the system
7 following discovery or notification of the breach in the security of the
8 system to any resident of New York state whose private information was,
9 or is reasonably believed to have been, acquired by a person without
10 valid authorization. The disclosure shall be made [in the most expedient
11 time possible and] without unreasonable delay, consistent with the
12 legitimate needs of law enforcement, as provided in subdivision four of
13 this section, or any measures necessary to determine the scope of the
14 breach and restore the reasonable integrity of the system. Reasonable
15 delay under this subdivision shall not exceed forty-five days, except as
16 provided in subdivision four of this section or unless the person or
17 business seeking additional time demonstrates to the attorney general
18 that additional time is reasonably necessary to determine the scope of
19 the breach of the security system, prevent further disclosures, conduct
20 the risk assessment, and restore the reasonable integrity of the securi-
21 ty system. If the attorney general determines that additional delay is
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD06866-03-7
S. 1104--A 2
1 necessary the agency may extend the time period for notification for
2 additional periods of up to forty-five days each. Any such extension
3 shall be provided in writing.
4 § 2. This act shall take effect on the ninetieth day after it shall
5 have become a law.