Requires policies covering losses or damages from cyberattacks to include a requirement that the insured notify a law enforcement agency before receiving payment for losses or damages suffered as a result of the cyberattack.
NEW YORK STATE ASSEMBLY MEMORANDUM IN SUPPORT OF LEGISLATION submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A8463
SPONSOR: Bores
 
TITLE OF BILL:
An act to amend the insurance law, in relation to requiring policies
covering losses or damages from cyberattacks to include a requirement
that the insured notify a law enforcement agency within seventy-two
hours of discovery of the cyberattack
 
PURPOSE OR GENERAL IDEA OF BILL:
This bill would encourage reporting cyberattacks to law enforcement by
requiring that the insured corporation or business entity notify law
enforcement of a cyberattack before being eligible to receive payment
for losses or damages from a cyberattack.
 
SUMMARY OF PROVISIONS:
Section one amends the insurance law to state that insurance policies
covering losses or damages from cyberattacks shall require the corporation
or business entity to notify law enforcement of the cyberattack
before being eligible to receive payment for such losses or damages
suffered due to a cyberattack.
 
JUSTIFICATION:
The companies that store your personal information are constantly under
attack. This goes beyond your Netflix password - your social security
number, your credit card information, and your home address are all
targets for hackers online. It is your right to know when your personal
information is stolen. Only then can you protect yourself.
The problem is that companies often keep hacks under wraps. The FBI's
Internet Crime Complaint Center estimated in a 2016 report that only 15%
of victims report the crime to law enforcement. Millions of New Yorkers
might have their credit card numbers floating around online and not even
know.
New York State already requires businesses to notify everyone whose
information was compromised and relevant government and law enforcement
offices once that business discovers it has been the victim of a cyberattack.
As noted above, though, they often do not. In the status quo,
it is too easy for a company to get hacked, collect their insurance
payout, and never tell anyone.
This bill would strengthen the incentive to report cyberattacks to law
enforcement. Under this legislation, insurers would be prohibited from
reimbursing companies that have been hacked unless the corporation or
business entity reports the crime to law enforcement. Under this bill,
failing to report a cyberattack finally has a price.
 
PRIOR LEGISLATIVE HISTORY:
This is a new bill.
 
FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS:
None.
 
EFFECTIVE DATE:
This act shall take effect one hundred and eighty days after it shall
have become a law.
STATE OF NEW YORK
________________________________________________________________________
8463
2023-2024 Regular Sessions
IN ASSEMBLY
December 29, 2023
___________
Introduced by M. of A. BORES -- read once and referred to the Committee
on Insurance
AN ACT to amend the insurance law, in relation to requiring policies
covering losses or damages from cyberattacks to include a requirement
that the insured notify a law enforcement agency within seventy-two
hours of discovery of the cyberattack
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
1 Section 1. Short title. This act shall be known and may be cited as
2 the "cyber ransom prevention act".
3 § 2. The insurance law is amended by adding a new section 3114 to read
4 as follows:
5 § 3114. Policies covering cyberattacks. Any insurance policy which
6 provides coverage for losses or damages suffered by a corporation or
7 business entity following a cyberattack shall require that the corpo-
8 ration or business entity shall notify a law enforcement agency of the
9 cyberattack before receiving payment for losses or damages suffered as a
10 result of such cyberattack.
11 § 3. This act shall take effect on the one hundred eightieth day after
12 it shall have become a law.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD11860-03-3