Requires certain businesses to offer identity theft prevention and mitigation services in the case of a security breach; exempts businesses under financial hardship.
STATE OF NEW YORK
________________________________________________________________________
5721--A
2019-2020 Regular Sessions
IN SENATE
May 13, 2019
___________
Introduced by Sen. COMRIE -- read twice and ordered printed, and when
printed to be committed to the Committee on Internet and Technology --
committee discharged, bill amended, ordered reprinted as amended and
recommitted to said committee
AN ACT to amend the general business law, in relation to requiring
certain businesses to offer identity theft prevention and mitigation
services in the case of a security breach
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. Section 899-aa of the general business law is amended by
2 adding a new subdivision 10 to read as follows:
3 10. (a) Where a security breach from a person or business other than a
4 consumer credit reporting agency includes a social security number, and
5 that person or business is required to provide notice under subdivision
6 two of this section, that person or business shall offer each resident
7 of this state whose social security number was disclosed in the breach
8 of security or is reasonably believed to have been disclosed in the
9 breach of security, reasonable credit report monitoring, identity theft
10 prevention services and, if applicable, identity theft mitigation
11 services at no cost to said resident for a period of not less than twen-
12 ty-four months. The disclosure required by subdivision two of this
13 section shall include information for any resident of New York state
14 whose social security number was disclosed as a result of a data breach
15 to obtain free, reasonable credit report monitoring, identity theft
16 prevention services and, if applicable, identity theft mitigation
17 services as described in this section.
18 (b) The requirement to provide twenty-four months of identity theft
19 mitigation services shall not apply to any individual person or small
20 business as defined in section one hundred thirty-one of the economic
21 development law that can demonstrate a financial hardship directly owing
22 to such compliance. A request for a financial hardship waiver shall be
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD11671-02-9
S. 5721--A 2
1 made to the commissioner of the department of financial services on a
2 form prescribed by the department of financial services.
3 § 2. This act shall take effect on the one hundred eightieth day after
4 it shall have become a law. Effective immediately, the addition, amend-
5 ment and/or repeal of any rule or regulation necessary for the implemen-
6 tation of this act on its effective date are authorized to be made and
7 completed on or before such effective date.