STATE OF NEW YORK
________________________________________________________________________
2821
2019-2020 Regular Sessions
IN SENATE
January 29, 2019
___________
Introduced by Sen. JORDAN -- read twice and ordered printed, and when
printed to be committed to the Committee on Budget and Revenue
AN ACT to amend the tax law, in relation to a business tax credit for
purchase of data breach insurance; and providing for the repeal of
such provisions upon expiration thereof
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. Section 210-B of the tax law is amended by adding a new
2 subdivision 53 to read as follows:
3 53. Data breach insurance credit. (a) A taxpayer that is a business or
4 owner of a business shall be allowed a credit against the tax imposed by
5 this article equal to twenty-five percent of the premium paid during the
6 taxable year for qualified data breach insurance. For purposes of this
7 section, the term "qualified data breach insurance" means coverage
8 provided by an insurance company for expenses or losses in connection
9 with the theft, loss, disclosure, inaccessibility, or manipulation, of
10 data.
11 (b) In order to qualify for such credit, taxpayers shall adopt and be
12 in compliance with one of the following:
13 (1) Version 1.0 of the framework for improving critical infrastructure
14 cybersecurity published by the national institute of standards and tech-
15 nology as in effect on February twelfth, two thousand fourteen or subse-
16 quent versions or iterations; or
17 (2) Any similar standard specified by the state comptroller, after
18 consultation with the director of the office of information technology
19 services.
20 (c) In the case of insurance coverage under which amounts are payable
21 for other than expenses or losses described in paragraph (a) of this
22 subdivision:
23 (1) No amount shall be treated as premiums for qualified data breach
24 insurance unless the charge for such insurance is either separately
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD08957-01-9
S. 2821 2
1 stated in the contract, or furnished to the policyholder by the insur-
2 ance company in a separate statement;
3 (2) The amount taken into account as the premium paid or incurred for
4 such insurance shall not exceed such charge; and
5 (3) No amount shall be treated as paid or incurred for such insurance
6 if the amount specified in the contract, or furnished to the policy-
7 holder by the insurance company in a separate statement, as the charge
8 for such insurance is unreasonably large in relation to the total charg-
9 es under the contract.
10 (d) Premiums shall be taken into account under paragraph (a) of this
11 subdivision only if such premiums are paid or incurred in the ordinary
12 course of the taxpayer's trade or business.
13 (e) This subdivision shall not apply to a business which employs one
14 hundred and one or more employees.
15 § 2. Section 606 of the tax law is amended by adding a new subsection
16 (jjj) to read as follows:
17 (jjj) Data breach insurance credit. (1) A taxpayer that is a business
18 or owner of a business shall be allowed a credit against the tax imposed
19 by this article equal to twenty-five percent of the premium paid during
20 the taxable year for qualified data breach insurance. For purposes of
21 this section, the term "qualified data breach insurance" means coverage
22 provided by an insurance company for expenses or losses in connection
23 with the theft, loss, disclosure, inaccessibility, or manipulation, of
24 data.
25 (2) In order to qualify for such credit, taxpayers shall adopt and be
26 in compliance with one of the following:
27 (A) Version 1.0 of the framework for improving critical infrastructure
28 cybersecurity published by the national institute of standards and tech-
29 nology as in effect on February twelfth, two thousand fourteen or subse-
30 quent versions or iterations; or
31 (B) Any similar standard specified by the state comptroller, after
32 consultation with the director of the office of information technology
33 services.
34 (3) In the case of insurance coverage under which amounts are payable
35 for other than expenses or losses described in paragraph one of this
36 subsection:
37 (A) No amount shall be treated as premiums for qualified data breach
38 insurance unless the charge for such insurance is either separately
39 stated in the contract, or furnished to the policyholder by the insur-
40 ance company in a separate statement;
41 (B) The amount taken into account as the premium paid or incurred for
42 such insurance shall not exceed such charge; and
43 (C) No amount shall be treated as paid or incurred for such insurance
44 if the amount specified in the contract, or furnished to the policy-
45 holder by the insurance company in a separate statement, as the charge
46 for such insurance is unreasonably large in relation to the total charg-
47 es under the contract.
48 (4) Premiums shall be taken into account under paragraph one of this
49 subsection only if such premiums are paid or incurred in the ordinary
50 course of the taxpayer's trade or business.
51 (5) This subsection shall not apply to a business which employs one
52 hundred and one or more employees.
53 § 3. Subparagraph (B) of paragraph 1 of subsection (i) of section 606
54 of the tax law is amended by adding a new clause (xliv) to read as
55 follows:
56 (xliv) Data breach insuranceAmount of credit under subdivision
S. 2821 3
1 credit under subsection (jjj)fifty-three of section two hundred
2 ten-B
3 § 4. This act shall take effect immediately and shall apply to taxable
4 years beginning on and after the first of January next succeeding the
5 date on which it shall have become a law and shall remain in effect for
6 five years after it shall have become a law, when upon such date the
7 provisions of this act shall expire and be deemed repealed.
