Bill Text: NY A00465 | 2019-2020 | General Assembly | Introduced


Bill Title: Enacts the "personal information protection act"; establishes a personal information bill of rights requiring parties having custody of residents' personal identifying information to ensure the security thereof; provides for the approval of programs to secure personal identifying information by the office of information security; requires the notification of the division of state police and the subjects of information upon the breach of such information; directs the office of technology services to establish an information sharing and analysis program to assess threats to cybersecurity; establishes standards for the protection of personal information and provides for a private right of action in the event such standards are violated.

Spectrum: Partisan Bill (Democrat 1-0)

Status: (Introduced) 2019-01-09 - referred to governmental operations [A00465 Detail]

Download: New_York-2019-A00465-Introduced.html


                STATE OF NEW YORK
        ________________________________________________________________________
                                           465
                               2019-2020 Regular Sessions
                   IN ASSEMBLY
                                       (Prefiled)
                                     January 9, 2019
                                       ___________
        Introduced by M. of A. PAULIN -- read once and referred to the Committee
          on Governmental Operations
        AN  ACT to amend the state law and the state technology law, in relation
          to enacting the "personal information protection act"
          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:
     1    Section  1.  Short title.  This act shall be known and may be cited as
     2  the "personal information protection act".
     3    § 2. The state law is amended by adding a new article 3-A to  read  as
     4  follows:
     5                                 ARTICLE 3-A
     6                     PERSONAL INFORMATION BILL OF RIGHTS
     7  Section 45. Legislative findings and determinations.
     8          46. Personal information bill of rights.
     9          47. Publication  and posting of the personal information bill of
    10                rights.
    11    § 45. Legislative findings and determinations.  The legislature  finds
    12  and determines that the unauthorized access to, and the theft and misap-
    13  propriation  of,  personal information can cause serious and significant
    14  harm.  The legislature further finds and determines that in  an  attempt
    15  to  provide some level of protection against the unauthorized access to,
    16  and the theft and misappropriation, of such  personal  information,  all
    17  persons  or  entities who collect and maintain such personal information
    18  should be required to  follow  certain  minimum  safeguards,  protocols,
    19  standards  and  best practices.   The legislature additionally finds and
    20  determines that the minimum safeguards, protocols,  standards  and  best
    21  practices  established by this article seek to promote the protection of
    22  personal information contained in both paper and electronic records, and
    23  that the objectives of this article are  to  promote  the  security  and
    24  confidentiality  of  personal  information  in a manner fully consistent
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD03808-01-9

        A. 465                              2
     1  with customarily accepted  safeguards,  standards,  protocols  and  best
     2  practices;  protect  against  unauthorized access, threats or hazards to
     3  the security or integrity of such information as best as can  be  antic-
     4  ipated;  and protect against unauthorized access to, or the unauthorized
     5  use of, such information that may  result  in  serious,  significant  or
     6  substantial  harm  or inconvenience.  The legislature additionally finds
     7  and determines that to promote improved protection of personal  informa-
     8  tion the state technology law should be amended to establish safeguards,
     9  standards,  protocols  and best practices for the protection of personal
    10  information by public and private entities, and this chapter  should  be
    11  amended  to  establish  a personal information bill of rights, with such
    12  being published and posted by the office of general services.
    13    § 46. Personal information bill of rights.   The  state  of  New  York
    14  hereby establishes a personal information bill of rights, to declare the
    15  right  of  all  New Yorkers to have their personal information, such as,
    16  but not limited  to,  personal  identifying  information,  protected  as
    17  follows:
    18    1.  That  all persons or entities that receive and maintain custody of
    19  personal information shall have a legal duty to protect such information
    20  from unauthorized access and/or unauthorized use.
    21    2. That all persons or entities that receive and maintain  custody  of
    22  personal  information, in order to protect the personal information over
    23  which they maintain custody, shall establish  a  comprehensive  security
    24  program, with safeguards, standards, protocols and best practices.
    25    3.  That  the  office  of information technology services, in order to
    26  facilitate the establishment of quality comprehensive security programs,
    27  shall design, produce and publish model comprehensive security programs,
    28  with safeguards, standards, protocols and best practices, to provide for
    29  the protection of personal information held  by  persons  and  entities,
    30  with  such  model  programs  tailored  to the size and scope of all such
    31  persons or entities.
    32    4. That the office of information technology  services  shall  further
    33  approve  the  comprehensive  security  program  of all agencies of state
    34  government, and  all  regulatory  agencies  of  state  government  shall
    35  approve  the  comprehensive security program of each of their respective
    36  regulated entities.
    37    5. That the office of  information  technology  services  shall  addi-
    38  tionally  incorporate  computer  system security requirements within its
    39  model comprehensive security programs,  and  shall  require  such  safe-
    40  guards,  standards,  protocols  and best practices to be included within
    41  all approved security programs.
    42    6. That all persons and entities that receive and maintain custody  of
    43  personal  information  shall have a legal duty to notify the division of
    44  state police within ten days of their discovery of any breach of securi-
    45  ty of the personal information under their custody, and all persons  and
    46  entities  that are required to have their comprehensive security program
    47  approved, shall have a legal duty to also notify  the  approving  entity
    48  within  five  days  of  their discovery of any breach of security of the
    49  personal information under their custody.
    50    7. That in the event a security  breach  of  personal  information  is
    51  discovered  that  will  adversely impact a personal information subject,
    52  the person or entity that maintained custody of such  personal  informa-
    53  tion  shall  further be required to notify all such personal information
    54  subjects of the fact that there has been a breach of security  involving
    55  their personal information.

        A. 465                              3
     1    8.  That  in  the  event  a security breach of personal information is
     2  discovered that will adversely impact a  personal  information  subject,
     3  and the person or entity that maintained custody of such personal infor-
     4  mation  did  not establish or maintain a comprehensive security program,
     5  or  did  not  substantially  follow the safeguards, standards, protocols
     6  and/or best practices contained within such program, then  the  personal
     7  information  subject  shall  be entitled to bring an action against, and
     8  maintain a recovery from, the person or entity that  maintained  custody
     9  of  such  personal  information,  together with costs, disbursements and
    10  attorney fees.
    11    9. That in the event a security  breach  of  personal  information  is
    12  discovered  that  will  adversely impact a personal information subject,
    13  and the person or entity that maintained custody of such personal infor-
    14  mation did establish and substantially maintain a comprehensive security
    15  program, and did substantially follow the safeguards, standards,  proto-
    16  cols  and  best practices contained within such program, then the person
    17  or entity that maintained custody of such personal information shall  be
    18  entitled  to a defense against any action brought by a personal informa-
    19  tion subject.
    20    10. That to further protect the security of personal information,  the
    21  office  of  information  technology services shall further establish and
    22  maintain an information sharing and analysis program,  to  increase  the
    23  volume,  timeliness, and quality of cyber threat information shared with
    24  state public and private sector entities  so  that  these  entities  may
    25  better  protect  and  defend  themselves  against  cyber  threats and to
    26  promote the development of effective defenses and strategies to  combat,
    27  and  protect  against,  cyber  threats  and  attacks, and thereby better
    28  protect personal information  stored  and/or  maintained  in  electronic
    29  format.
    30    §  47.  Publication  and  posting  of the personal information bill of
    31  rights.  The office of general services shall  publish  and  prominently
    32  post  in  all  state offices, a copy of the personal information bill of
    33  rights established in this article. It shall further print and produce a
    34  pamphlet on such personal information bill of  rights  for  distribution
    35  across the state. The office of general services may sell advertising to
    36  be  included  on  such pamphlet to reduce the cost of the production and
    37  distribution of the same.
    38    § 3. The state technology law is amended by adding a new article 4  to
    39  read as follows:
    40                                 ARTICLE IV
    41             SAFEGUARDS, STANDARDS, PROTOCOLS AND BEST PRACTICES
    42                 FOR THE PROTECTION OF PERSONAL INFORMATION
    43  Section 401. Definitions of terms.
    44          402. Duty to protect personal information.
    45          403. Comprehensive   security   program  safeguards,  standards,
    46                 protocols and best practices.
    47          404. Development  of  security  program  safeguards,  standards,
    48                 protocols and best practices.
    49          405. Approval of comprehensive security programs.
    50          406. Computer system security requirements.
    51          407. Breach of security.
    52          408. Causes of action.
    53          409. Liability protection.
    54          410. Information sharing and analysis program.

        A. 465                              4
     1    §  401. Definitions of terms. The following definitions are applicable
     2  to this article, except where different meanings  are  expressly  speci-
     3  fied:
     4    1. "Personal information subject" means any natural person who has his
     5  or her personal information collected or maintained by a personal infor-
     6  mation recipient.
     7    2.  "Personal  information recipient" means any natural person, corpo-
     8  ration, partnership, limited liability company,  unincorporated  associ-
     9  ation,  government,  or  other  entity,  that,  in  the  course of their
    10  personal, business, commercial, corporate, association  or  governmental
    11  operations,  collects, receives, stores, maintains, processes, or other-
    12  wise has access to, personal information.
    13    3. "Personal information collector"  means  any  personal  information
    14  recipient, that does not maintain or store such personal information, or
    15  maintain  access  to  such  personal  information,  for  more  than five
    16  minutes, and was provided with the personal information by the  personal
    17  information subject.
    18    4. "Personal information holder" means any personal information recip-
    19  ient,  that  maintains or stores such personal information, or maintains
    20  access to such personal information, for more than five minutes, and was
    21  provided with the  personal  information  by  the  personal  information
    22  subject.
    23    5. "Third party personal information holder" means any personal infor-
    24  mation  recipient,  that  agrees  to  collect, receive, store, maintain,
    25  process, or otherwise have access  to,  personal  information,  and  was
    26  provided  with  such  personal  information  from a personal information
    27  collector,  a  personal  information  holder,  or  another  third  party
    28  personal information holder.
    29    6.  "Personal information" (a) means any information, including paper-
    30  based information or electronic information, that contains  a  New  York
    31  state  resident's  first  name  and last name, or a New York state resi-
    32  dent's first initial and last name, in combination with any one or  more
    33  of  the following other informational elements that relate to such resi-
    34  dent:
    35    (1) A governmentally issued identification number, including:
    36    (i) social security number;
    37    (ii) driver's license number;
    38    (iii) state issued identification card number;
    39    (iv) military identification card number;
    40    (v) student identification number; or
    41    (vi) a United States passport number;
    42    (2) Personal financial information, including:
    43    (i) financial account information, including:
    44    (A) bank account information;
    45    (B) investment account information;
    46    (C) retirement account information;
    47    (D) deferred compensation account information;
    48    (E) mortgage account information;
    49    (F) car loan account information;
    50    (G) credit line account information;
    51    (H) personal loan account information; or
    52    (I) any other monetary fund or loan account information; including:
    53    (I) the number of such financial account;
    54    (II) any record of such financial account;
    55    (III) a transaction history of such account;
    56    (IV) a balance of such account; and/or

        A. 465                              5
     1    (V) any security code, access code, personal identification number  or
     2  password,  that  would  permit  access  to,  or  use  of, such financial
     3  account;
     4    (ii) credit or debit card information, including:
     5    (A) the number of such credit card or debit card;
     6    (B) the expiration date of such credit or debit card;
     7    (C)  the  card  verification value code number of such credit or debit
     8  card;
     9    (D) any record of such credit or debit card account;
    10    (E) any transaction history of such credit or debit card;
    11    (F) any balance of such credit or debit card; and/or
    12    (G) any required security code, access code,  personal  identification
    13  number  or password, that would permit access to, or use of, such credit
    14  or debit card; or
    15    (iii) credit status information, including:
    16    (A) credit score;
    17    (B) credit history; or
    18    (C) any information describing credit  transactions  of  the  personal
    19  information subject;
    20    (3) Physical characteristic information, including:
    21    (i) the height of the personal information subject;
    22    (ii) the weight of the personal information subject;
    23    (iii) the hair color of the personal information subject;
    24    (iv) the eye color of the personal information subject; and/or
    25    (v)  any other distinguishing characteristics of the personal informa-
    26  tion subject;
    27    (4) Biometric information, including:
    28    (i) fingerprints of the personal information subject;
    29    (ii) voice-prints of the personal information subject;
    30    (iii) eye scans of the personal information subject;
    31    (iv) blood samples of the personal information subject;
    32    (v) deoxyribonucleic acid (DNA) based samples of the personal informa-
    33  tion subject;
    34    (vi) skin samples of the personal information subject;
    35    (vii) hair samples of the personal information subject; and/or
    36    (viii) any other biometric information which is intended or  collected
    37  for  the  purpose of identification of the personal information subject;
    38  or
    39    (5) Medical information, including but not limited to, any information
    40  collected or maintained about a personal information subject pursuant to
    41  examination, testing or treatment for  physical  or  mental  illness  or
    42  wellness, or any other information collected or maintained on a personal
    43  information subject by a health care provider or health care insurer;
    44    (b) shall not include:
    45    (1)  personal  information  that  is  lawfully  obtained from publicly
    46  available information,  or  from  federal,  state  or  local  government
    47  records lawfully made available to the general public; or
    48    (2)  paper-based  information that has been intentionally discarded or
    49  abandoned by the personal information subject.
    50    7. "Breach of security" means the unauthorized access, viewing, acqui-
    51  sition, copying, duplication, removal  or  any  other  use  of  personal
    52  information,  either  in  unencrypted form or in encrypted form together
    53  with the confidential process or key that is capable of compromising the
    54  security, confidentiality, or integrity of personal information. A  good
    55  faith  unauthorized  access, viewing or acquisition of personal informa-
    56  tion, for the lawful purposes of a personal information collector, shall

        A. 465                              6
     1  not be deemed to be a breach of security unless the personal information
     2  is thereafter used in an unauthorized manner or is  subject  to  further
     3  unauthorized  disclosure,  as  a  result of such good faith unauthorized
     4  access or acquisition.
     5    8.  "Record"  means any information upon which written, drawn, spoken,
     6  visual, or electromagnetic data or images  are  recorded  or  preserved,
     7  either as paper-based information or electronic information.
     8    9.  "Paper-based  information" means personal information collected or
     9  maintained via paper, writing or other  drawing  medium,  or  any  other
    10  physical based, tangible, recording medium.
    11    10.  "Electronic  information" means personal information collected or
    12  maintained via computer, telephone, internet, computer network or  other
    13  electrical,  digital,  magnetic,  wireless,  optical, electromagnetic or
    14  similar device.
    15    11. "Encryption" means the transformation of data into a form in which
    16  the meaning of such data cannot be accessed without the use of a  confi-
    17  dential process or key.
    18    12. "Office" means the office of information technology services.
    19    §  402.  Duty to protect personal information. Every personal informa-
    20  tion recipient shall have a legal  duty  to  protect  the  security  and
    21  integrity of all personal information in their custody from unauthorized
    22  access or unauthorized use.
    23    § 403. Comprehensive security program safeguards, standards, protocols
    24  and  best  practices.  1.  Comprehensive  security programs for personal
    25  information  recipients.  Every  personal  information  recipient  shall
    26  develop,  implement,  and  maintain a comprehensive personal information
    27  security program that is written  in  one  or  more  readily  accessible
    28  parts,  and contains administrative, technical, and physical safeguards,
    29  standards, protocols and best practices detailing the means, methods and
    30  practices to be used  regarding  the  personal  information  recipient's
    31  obligations  to  safeguard,  protect and secure the personal information
    32  under such comprehensive information security program, appropriate to:
    33    (a) the size, scope and type of the  personal,  business,  commercial,
    34  corporate,  association or governmental operation of the personal infor-
    35  mation recipient;
    36    (b) the amount of volunteers,  employees  and/or  financial  resources
    37  available to such personal information recipient;
    38    (c)  the amount of personal information in the custody of the personal
    39  information recipient; and
    40    (d) the need for security and confidentiality of the personal informa-
    41  tion.
    42    2. Safeguards, standards, protocols and best practices for  protection
    43  of  personal  information. The safeguards, standards, protocols and best
    44  practices contained in the comprehensive personal  information  security
    45  program  required  by  this  section  shall be consistent with the safe-
    46  guards, standards,  protocols  and  best  practices  for  protection  of
    47  personal  information, contained within the model comprehensive security
    48  programs published by the office in accordance with section four hundred
    49  four of this article, or as set forth in  any  state  or  federal  regu-
    50  lations  produced  by  an  executive  agency  under  which the holder of
    51  personal information may be regulated.
    52    3. Comprehensive personal information security programs may  be  indi-
    53  vidually tailored.  The requirement set forth in subdivision two of this
    54  section,  that  the  safeguards, standards, protocols and best practices
    55  contained in the comprehensive  personal  information  security  program
    56  shall  be  consistent with the safeguards, standards, protocols and best

        A. 465                              7
     1  practices for protection of personal information  contained  within  the
     2  model comprehensive security programs published by the office in accord-
     3  ance  with  section four hundred four of this article, shall not require
     4  that the personal information recipient must adopt a model comprehensive
     5  personal  information  security program published by the office in order
     6  to develop, implement and maintain a comprehensive personal  information
     7  security  program  that is in compliance with this article. Any individ-
     8  ually tailored comprehensive personal information security program  that
     9  provides better or equal safeguards, standards, protocols and best prac-
    10  tices  for protection of personal information than a model comprehensive
    11  personal information security program published by the office in accord-
    12  ance with section four hundred four of this article,  for  a  person  or
    13  entity  of  equivalent size and scope as the person or entity seeking to
    14  develop, implement or maintain an  individually  tailored  comprehensive
    15  personal  information  security  program,  shall be deemed in compliance
    16  with this article.
    17    4. Individually tailored comprehensive personal  information  security
    18  programs.    Any  personal information recipient that wishes to develop,
    19  implement and maintain an individually tailored  comprehensive  personal
    20  information  security program that is not a model comprehensive personal
    21  information security program published by the office, may  submit  their
    22  individually  tailored  program  to  the office for a security review to
    23  determine, and obtain approval from the office, that  such  individually
    24  tailored  program provides better or equal safeguards, standards, proto-
    25  cols and best practices for protection of personal information,  than  a
    26  model  comprehensive  personal information security program published by
    27  the office for a person or entity of equivalent size and  scope  of  the
    28  person  or entity seeking to develop, implement or maintain the individ-
    29  ually tailored comprehensive personal information security  program.  If
    30  the  office determines that such individually tailored program submitted
    31  for security review and approval does not provide such better  or  equal
    32  safeguards,  standards,  protocols  and best practices for protection of
    33  personal information, the  office  shall  specify,  with  detail,  their
    34  reasons  for  denial of approval of such plan, together with recommenda-
    35  tions on how such plan can be amended to  be  in  compliance  with  this
    36  article  and  provide such better or equal safeguards, standards, proto-
    37  cols and best practices for protection of personal information.  If  the
    38  office  does  not  provide the person or entity that has submitted their
    39  individually tailored plan for review and approval, with an approval  or
    40  such  detailed  denial  of  approval  of the individually tailored plan,
    41  within ninety days of the submission, then  such  individually  tailored
    42  plan shall be deemed approved.
    43    5.  Failure  to  submit an individually tailored program for approval.
    44  The failure of a person or entity to  submit  an  individually  tailored
    45  comprehensive  personal information security program to the office for a
    46  security review and approval, as provided by subdivision  four  of  this
    47  section,  shall  not  require  a  court  in accordance with section four
    48  hundred eight or four hundred nine of this article, to deem  such  indi-
    49  vidually  tailored  plan  as  not  in compliance with this article. Such
    50  failure, shall however, require the  court  to  determine  whether  such
    51  individually  tailored plan in question was actually designed to provide
    52  better or equal safeguards, standards, protocols and best practices  for
    53  protection  of  personal information than a model comprehensive personal
    54  information security program published by the office  for  a  person  or
    55  entity  of equivalent size and scope as the defendant, before such court

        A. 465                              8
     1  will grant such defendant the  liability  protections  contained  within
     2  section four hundred nine of this article.
     3    §  404.  Development of security program safeguards, standards, proto-
     4  cols and best practices.  1. The office shall publish  model  comprehen-
     5  sive  security  programs  containing  recommended standards, safeguards,
     6  protocols and best practices for personal information  recipients.  Such
     7  model  plans shall be tailored in consideration of the following factors
     8  of the personal information recipient:
     9    (a) the size, scope and type of the  personal,  business,  commercial,
    10  corporate,  association or governmental operation of the personal infor-
    11  mation recipient;
    12    (b) the amount of volunteers,  employees  and/or  financial  resources
    13  available to such personal information recipient;
    14    (c)  the amount of personal information in the custody of the personal
    15  information recipient; and
    16    (d) the need for security and confidentiality of the personal informa-
    17  tion.
    18    2. Requirements for model comprehensive security programs. Every model
    19  comprehensive information security program shall include, but shall  not
    20  be limited to:
    21    (a) Designating one or more persons, or in the case of a business with
    22  one or more employees, to maintain the comprehensive information securi-
    23  ty program;
    24    (b)  Clearly identifying and assessing reasonably foreseeable internal
    25  and external risks to the security, confidentiality, and/or integrity of
    26  any electronic information, paper-based  information  or  other  records
    27  containing personal information, in the custody of the personal informa-
    28  tion  recipient,  and  evaluating  and  improving,  where necessary, the
    29  effectiveness of the current safeguards, standards, protocols  and  best
    30  practices  contained within the comprehensive personal information secu-
    31  rity program for limiting such risks, including but not limited to:
    32    (1) ongoing personal, volunteer, and/or employee training;
    33    (2) personal, volunteer, and/or employee compliance with policies  and
    34  procedures;
    35    (3)  the  means  for  detecting  and preventing security system risks;
    36  and/or
    37    (4) the means for detecting and preventing security system failures;
    38    (c) Developing safeguards, standards, protocols,  best  practices  and
    39  security  policies  for persons, volunteers and/or employees relating to
    40  the storage, access and transportation of  records  containing  personal
    41  information on the premises and in the systems and record storage of the
    42  personal information recipient;
    43    (d)  Developing  safeguards,  standards, protocols, best practices and
    44  security policies for persons, volunteers and/or employees  relating  to
    45  the  storage,  access  and transportation of records containing personal
    46  information outside the premises,  systems  or  record  storage  of  the
    47  personal information recipient;
    48    (e) Imposing disciplinary measures for violations of the comprehensive
    49  information security program rules;
    50    (f)  Preventing  disassociated persons or volunteers, and/or former or
    51  terminated employees from accessing records containing personal informa-
    52  tion;
    53    (g) Oversight of third party personal information recipients, by:
    54    (1) taking reasonable steps to select and retain third party  personal
    55  information recipients that are capable of maintaining appropriate secu-
    56  rity  measures,  safeguards,  standards, protocols and best practices to

        A. 465                              9
     1  protect such personal information, consistent with this article and  any
     2  other applicable federal or state statutes or regulations; and
     3    (2)  requiring  such third party information recipients by contract to
     4  implement and maintain such appropriate security measures  for  personal
     5  information;
     6    (h)  Reasonable  restrictions  upon  physical access to any electronic
     7  information,  paper-based  information  or  other   records   containing
     8  personal information, and storage of such information and/or records and
     9  data  in  locked,  secure, and/or protected facilities, storage areas or
    10  containers;
    11    (i) Regular monitoring to ensure that  the  comprehensive  information
    12  security  program  is  operating  in  a  manner reasonably calculated to
    13  prevent unauthorized access to, or unauthorized use of, personal  infor-
    14  mation;  and  upgrading information safeguards, standards, protocols and
    15  best practices as necessary to limit and minimize such risks;
    16    (j) Reviewing the scope of the safeguards, standards, protocols,  best
    17  practices  and  security  measures, not less than quarterly, or whenever
    18  there is a material change in the personal, business, commercial, corpo-
    19  rate, association or governmental operation practices  of  the  personal
    20  information  recipient that may reasonably effect the security or integ-
    21  rity of records containing personal information;
    22    (k) Documenting responsive actions to be taken in connection with  any
    23  incident  involving  a  breach  of security, and mandatory post-incident
    24  review of events and actions taken, if  any,  to  make  changes  in  the
    25  personal,  business,  commercial, corporate, association or governmental
    26  operation practices of the personal information recipient,  relating  to
    27  protection of personal information; and
    28    (l) Detailing all physical security, safeguards, standards, protocols,
    29  and  best practices, as well as all encryption methods that will be used
    30  by the personal information recipient to safeguard the personal informa-
    31  tion.
    32    § 405. Approval of comprehensive security programs.  On or before  the
    33  first  day  of  April, every personal information holder and every third
    34  party personal information holder, that is a state government agency, or
    35  a contractor paid by state government, shall annually submit its compre-
    36  hensive personal information  security  program,  for  approval  to  the
    37  office.
    38    §  406.  Computer  system  security requirements.   1. Computer system
    39  security program. Every  personal  information  holder  or  third  party
    40  personal  information  holder  who  electronically  stores  or transmits
    41  personal information shall include in its written, comprehensive  infor-
    42  mation  security program the establishment and maintenance of a computer
    43  security system  program  covering  all  of  its  computers,  electronic
    44  systems and/or networks, including any wireless system.
    45    2.  Minimum  standards  for  computer  system  security program. Every
    46  personal information holder with more than fifty employees, or with more
    47  than one hundred volunteers, and/or with more than one  million  dollars
    48  in annual revenue, shall additionally, establish a computer system secu-
    49  rity  program,  that, at a minimum, and to the extent technically feasi-
    50  ble, has the following elements:
    51    (a) Secure user authentication protocols including:
    52    (1) control of user IDs, user names, passwords and other unique  iden-
    53  tifiers;
    54    (2)  a  reasonably secure method of assigning and selecting passwords,
    55  or use of unique identifier technologies, such as  biometrics  or  token
    56  devices;

        A. 465                             10
     1    (3)  control  of data security passwords to ensure that such passwords
     2  are kept in a location and/or format that does not compromise the  secu-
     3  rity of the data they protect;
     4    (4)  a  program  of restricting access to active users and active user
     5  accounts only; and
     6    (5) a requirement to block access to user identification after  multi-
     7  ple  unsuccessful  attempts  to  gain access or the limitation placed on
     8  access for the particular system;
     9    (b) Secure access control measures that:
    10    (1) restrict access to records and files containing personal  informa-
    11  tion to those who need such information to perform their job duties; and
    12    (2) assign unique identifications plus passwords, which are not vendor
    13  supplied  default  passwords,  to each person with computer access, that
    14  are reasonably designed to maintain the integrity of the security of the
    15  access controls;
    16    (c)  Encryption  of  all  transmitted  records  and  files  containing
    17  personal  information  that  will  travel  across public networks, or an
    18  alternative system  of  data  protection  and  security  that  has  been
    19  accepted by computer industry standards as equivalent or superior;
    20    (d) Encryption of all data containing personal information to be tran-
    21  smitted  wirelessly,  or  an  alternative  system of data protection and
    22  security that has been accepted by computer industry standards as equiv-
    23  alent or superior;
    24    (e) Reasonable monitoring of  systems,  for  unauthorized  use  of  or
    25  access to personal information;
    26    (f)  Encryption of all personal information stored on laptops or other
    27  portable devices, or an alternative system of data protection and  secu-
    28  rity that has been accepted by computer industry standards as equivalent
    29  or superior;
    30    (g)  Protocols  for  establishing state of the art, air-gapped systems
    31  for the storage and maintenance of personal information, or an  alterna-
    32  tive  system  of  data protection and security that has been accepted by
    33  computer industry standards as equivalent or superior;
    34    (h) For files containing personal information  on  a  system  that  is
    35  connected to the internet, reasonably up-to-date firewall protection and
    36  operating  system  security patches, reasonably designed to maintain the
    37  integrity of the personal information, or an alternative system of  data
    38  protection  and  security  that  has  been accepted by computer industry
    39  standards as equivalent or superior;
    40    (i) Reasonably up-to-date versions of system security  agent  software
    41  which  include  malware protection and reasonably up-to-date patches and
    42  virus definitions, or a version of  such  software  that  can  still  be
    43  supported  with up-to-date patches and virus definitions, set to receive
    44  the most current security updates on a regular basis, or an  alternative
    45  system of data protection and security that has been accepted by comput-
    46  er industry standards as equivalent or superior; and
    47    (j)  Education and training of persons, volunteers and/or employees on
    48  the proper use of the computer security system  and  the  importance  of
    49  personal information security.
    50    3.  Review of computer system security programs. Every personal infor-
    51  mation holder or third party personal information holder  who  electron-
    52  ically stores or transmits personal information shall further review and
    53  update its written, approved, comprehensive personal information securi-
    54  ty  program  not  less  than  annually, to include all feasible recently
    55  developed technological safeguards, standards, protocols and best  prac-

        A. 465                             11
     1  tices  that  could enhance the protection of the collection, storage and
     2  maintenance of such personal information.
     3    §  407.  Breach of security.  1. Notification to the division of state
     4  police. In addition to any other requirements contained within any other
     5  provision of law, not later than ten days after discovering  a  security
     6  breach  involving personal information, any personal information recipi-
     7  ent that has experienced a breach of security involving personal  infor-
     8  mation,  shall  make  a  comprehensive  report  to the division of state
     9  police, in the form and manner required by such division, notifying  the
    10  division of state police of such security breach.
    11    2. Notification of comprehensive personal information security program
    12  approval  entity.  If such personal information recipient or third party
    13  personal information recipient is required in  accordance  with  section
    14  four  hundred  five of this article to obtain approval of its comprehen-
    15  sive personal information security program, then such personal  informa-
    16  tion  recipient or third party personal information recipient shall also
    17  make a comprehensive report to the entity from which the personal infor-
    18  mation recipient or third party information  recipient  is  required  to
    19  obtain  approval  for  its  comprehensive  personal information security
    20  program, in the form and manner required by such approval entity,  noti-
    21  fying such approval entity of the security breach.
    22    3.  Notification  of the chief information officer. Not more than five
    23  days after receiving the notification required pursuant  to  subdivision
    24  one  or  two  of  this section, the division of state police, and/or the
    25  entity required to approve the comprehensive personal information  secu-
    26  rity  program  pursuant  to  section  four hundred five of this article,
    27  shall provide the comprehensive report provided to such division  and/or
    28  approval  entity  to  the  chief information officer of the office. Upon
    29  such notification, the chief information officer shall add the pertinent
    30  information concerning such breach to the information sharing and analy-
    31  sis program established in accordance with section four hundred  ten  of
    32  this article.
    33    4.  Notification  of personal information subjects. In addition to any
    34  other requirements pursuant to any other  provision  of  law,  upon  the
    35  receipt  of  the  comprehensive  report required by subdivision three of
    36  this section, the chief information officer of the office  may  require,
    37  in  a  specified timeframe, and in a specified form and manner, that the
    38  personal information recipient,  or  third  party  personal  information
    39  recipient, which sustained the breach of security of the personal infor-
    40  mation, notify all personal information subjects impacted by the securi-
    41  ty  breach, of the fact that there has been a breach of security involv-
    42  ing their personal  information.    If  the  chief  information  officer
    43  reasonably  believes  that  the  personal  information  subject  will be
    44  adversely impacted in any manner by the discovered breach  of  security,
    45  then  the  chief  information  officer  shall  require that the personal
    46  information recipient, or third party  personal  information  recipient,
    47  notify  all  such  personal information subjects, of the fact that there
    48  has been a breach of security involving their personal information.
    49    § 408. Causes of action.  1. Limitation on civil actions. Any personal
    50  information subject may bring a civil action, against a personal  infor-
    51  mation  holder  in the supreme court of any county in which the personal
    52  information recipient  resides  or  conducts  business  operations,  for
    53  damages  or  equitable relief, arising from a breach of security, and in
    54  accordance with the provisions of  this  section.  A  civil  action  for
    55  damages  or  equitable  relief,  shall  not,  however,  be  brought by a
    56  personal information subject, in any  other  state  court  of  competent

        A. 465                             12
     1  jurisdiction,  other  than  in  accordance  with  the provisions of this
     2  section, if such civil action arises out of a breach of  security  by  a
     3  personal  information  holder.    No  action shall be brought under this
     4  section  against  a  personal  information  collector  or  a third party
     5  personal information collector unless brought  in  accordance  with  the
     6  provisions  of  subparagraph four of paragraph (c) of subdivision two of
     7  this section.
     8    2. Civil actions that may be brought by a personal information subject
     9  against a personal information recipient.
    10    (a) Timeliness of actions. A civil action may be brought in accordance
    11  with this section if such civil action is brought within  six  years  of
    12  the  date  of  the  reporting  of  the breach of security as required by
    13  section four hundred seven of this article, or  in  the  event  no  such
    14  report was ever made, within any time after the date of the discovery of
    15  the breach of security by the personal information subject.
    16    (b)  Equitable  action.  Any  action  brought  in accordance with this
    17  section, may seek either damages or  equitable  relief.  If  a  personal
    18  information  subject  seeks  equitable  relief  for a breach of security
    19  involving a security breach of  personal  information  from  a  personal
    20  information  recipient,  and  the  court  determines that such equitable
    21  relief is just and proper and should be awarded,  then  in  addition  to
    22  such equitable relief, the court may also award the personal information
    23  subject costs, disbursements and attorneys fees of the action. No action
    24  brought  under  this  section  for  equitable  relief  shall  prohibit a
    25  personal information subject from also bringing any additional cause  of
    26  action  for  damages,  when  such  additional cause of action is allowed
    27  under this article.
    28    (c) Actions involving damages. Any action brought in  accordance  with
    29  this section, seeking damages for a breach of security involving a secu-
    30  rity  breach of personal information from a personal information recipi-
    31  ent, shall be brought as follows:
    32    (1) personal information holders or third party  personal  information
    33  holders  with  annual  revenues  of  ten  million  dollars  or more. Any
    34  personal information holder, or third party personal information holder,
    35  that has annual revenues of ten million dollars or more, that  fails  to
    36  maintain  the safeguards, standards, protocols or best practices for the
    37  protection of personal information as established in  its  comprehensive
    38  information security program, or that fails to establish a comprehensive
    39  personal  information  security program as required by this article, and
    40  that experiences a breach of security involving such  personal  informa-
    41  tion,  shall be liable in a civil action brought in accordance with this
    42  section, for damages, if the personal information  subject  involved  in
    43  the  breach of security sustains any damages as a result of such breach.
    44  Such liability shall extend to damages in the amount of three times  the
    45  amount of such damages sustained by the personal information subject, or
    46  an  amount  of  up  to ten thousand dollars, whichever is less, together
    47  with costs, disbursements and attorneys fees of the  action.  Where  the
    48  court  finds  that  the  personal  information  holder  or a third party
    49  personal information holder, intentionally failed to establish a compre-
    50  hensive personal information security program, or  intentionally  failed
    51  to  seek  and  obtain  approval for a comprehensive personal information
    52  security program, where required, or intentionally  failed  to  maintain
    53  the   safeguards,   standards,  protocols  or  best  practices  for  the
    54  protection of personal information as established in  its  comprehensive
    55  personal  information  security  program,  then the court may also award

        A. 465                             13
     1  punitive damages to the plaintiff of an action brought under this subdi-
     2  vision.
     3    (2)  personal  information holders or third party personal information
     4  holders with annual revenues of between  one  million  dollars  and  ten
     5  million  dollars.  Any  personal  information  holder,  or  third  party
     6  personal information holder, that has annual  revenues  of  between  one
     7  million  dollars and ten million dollars, and that fails to maintain the
     8  safeguards, standards, protocols or best practices for the protection of
     9  personal information as established in its comprehensive personal infor-
    10  mation security program, or that  fails  to  establish  a  comprehensive
    11  personal  information  security program as required by this article, and
    12  that experiences a breach of security involving such  personal  informa-
    13  tion,  shall be liable in a civil action brought in accordance with this
    14  section, for damages, if the personal information  subject  involved  in
    15  the  breach of security sustains any damages as a result of such breach.
    16  Such liability shall extend to damages in the amount of three times  the
    17  amount of such damages sustained by the personal information subject, or
    18  an  amount  of  up to five thousand dollars, whichever is less, together
    19  with costs, disbursements and attorneys fees of the  action.  Where  the
    20  court  finds  that  the  personal  information  holder  or a third party
    21  personal information holder, intentionally failed to establish a compre-
    22  hensive personal information security program, or  intentionally  failed
    23  to  seek  and  obtain  approval for a comprehensive personal information
    24  security program, where required, or intentionally  failed  to  maintain
    25  the   safeguards,   standards,  protocols  or  best  practices  for  the
    26  protection of personal information as established in  its  comprehensive
    27  personal  information  security  program,  then the court may also award
    28  punitive damages to the plaintiff of an action brought under this subdi-
    29  vision.
    30    (3) personal information holders or third party  personal  information
    31  holders  with  annual  revenues  of  less  than one million dollars. Any
    32  personal information holder, or third party personal information holder,
    33  that has annual revenues of less than  one  million  dollars,  and  that
    34  fails to maintain the safeguards, standards, protocols or best practices
    35  for the protection of personal information as established in its compre-
    36  hensive  personal  information security program, or that fails to estab-
    37  lish a comprehensive personal information security program  as  required
    38  by  this  article,  and  that experiences a breach of security involving
    39  such personal information, shall be liable in a civil action brought  in
    40  accordance  with  this section, for damages, if the personal information
    41  subject involved in the breach of security sustains  any  damages  as  a
    42  result  of  such breach.   Such liability shall extend to damages in the
    43  amount of three times the  amount  of  such  damages  sustained  by  the
    44  personal  information  subject,  or  an  amount  of  up  to one thousand
    45  dollars, whichever is  less,  together  with  costs,  disbursements  and
    46  attorneys  fees  of  the action. Where the court finds that the personal
    47  information holder or a third party personal information holder,  inten-
    48  tionally  failed to establish a comprehensive personal information secu-
    49  rity program, or intentionally failed to seek and obtain approval for  a
    50  comprehensive  personal information security program, where required, or
    51  intentionally failed to maintain the safeguards, standards, protocols or
    52  best practices for the protection of personal information as established
    53  in its comprehensive personal information  security  program,  then  the
    54  court  may  also  award  punitive  damages to the plaintiff of an action
    55  brought under this subdivision.

        A. 465                             14
     1    (4) personal information collectors. Any personal information  collec-
     2  tor  that fails to maintain the safeguards, standards, protocols or best
     3  practices for the protection of personal information as  established  in
     4  its  comprehensive  personal information security program, or that fails
     5  to  establish  a  comprehensive personal information security program as
     6  required by this article, and that  experiences  a  breach  of  security
     7  involving  such  personal information, shall be liable in a civil action
     8  for damages brought in accordance with this section, in  the  amount  of
     9  such  damages  so  sustained.  Where  the  court finds that the personal
    10  information collector intentionally failed to establish a  comprehensive
    11  personal  information  security program, or intentionally failed to seek
    12  and obtain approval for a comprehensive  personal  information  security
    13  program,  where  required, or intentionally failed to maintain the safe-
    14  guards, standards, protocols or best practices  for  the  protection  of
    15  personal information as established in its comprehensive personal infor-
    16  mation  security program, then the court may also award punitive damages
    17  to the plaintiff of an action brought under this subdivision.
    18    (5) no action brought under this section for damages shall prohibit  a
    19  personal  information subject from also bringing any additional cause of
    20  action for equitable relief, when such additional  cause  of  action  is
    21  also allowed under this article.
    22    § 409. Liability protection.  1. It shall be a complete defense to any
    23  civil  action  brought  in accordance with section four hundred eight of
    24  this article, for the personal information recipient that is the defend-
    25  ant in such action, that such personal information recipient established
    26  and maintained a comprehensive personal information security program, as
    27  required by this article, and substantially followed and  complied  with
    28  all  provisions  of  such  comprehensive  personal  information security
    29  program, and substantially maintained, if required, all computer  system
    30  security  requirements,  in  accordance with section four hundred six of
    31  this article, and substantially  maintained,  if  required,  the  proper
    32  approval  for  such comprehensive personal information security program,
    33  in accordance with section four hundred five of  this  article,  at  the
    34  time of the breach of such security.
    35    2.  Any civil action brought by a personal information subject, in any
    36  court of competent jurisdiction, involving damages arising from a breach
    37  of security that is not brought in accordance  with  the  provisions  of
    38  section  four  hundred eight of this article, shall be dismissed without
    39  prejudice, against such personal information recipient  or  third  party
    40  personal  information  recipient,  but  that  such  personal information
    41  subject may bring a new, subsequent action,  if  timely,  in  accordance
    42  with the provisions of section four hundred eight of this article.
    43    §  410. Information sharing and analysis program.  1. The office shall
    44  establish and maintain a voluntary New York state cyber security  infor-
    45  mation sharing and analysis program.
    46    2. It shall be the purpose of the New York state cyber security infor-
    47  mation  sharing and analysis program to increase the volume, timeliness,
    48  and quality of cyber threat information shared  with  state  public  and
    49  private  sector  entities  so that these entities may better protect and
    50  defend themselves against cyber threats and to promote  the  development
    51  of  effective  defenses  and  strategies to combat, and protect against,
    52  cyber threats and attacks.
    53    3. To facilitate the purposes of the New  York  state  cyber  security
    54  information  sharing  and  analysis program, the office shall promulgate
    55  regulations, in accordance with the provisions of this section.

        A. 465                             15
     1    4. The regulations promulgated pursuant to subdivision three  of  this
     2  section shall:
     3    (a) Provide for the timely production of unclassified reports of cyber
     4  threats to the state and its public and private sector entities, includ-
     5  ing, but not limited to, all participants in the information sharing and
     6  analysis  program,  with  express  details  on  threats  that identify a
     7  specific targeted entity or specific threat type or activity;
     8    (b) Address the need  to  protect  intelligence  and  law  enforcement
     9  sources, methods, operations, and investigations;
    10    (c) Establish a process that rapidly disseminates the reports produced
    11  pursuant  to  paragraph (a) of this subdivision, to any targeted entity,
    12  any program participant, and such other and further public  and  private
    13  entities  as  the office shall deem necessary to advance the purposes of
    14  this subdivision;
    15    (d) Provide for protections from liability for  entities  sharing  and
    16  receiving information with the New York state cyber security information
    17  and analysis program, so long as the entity acted in good faith;
    18    (e) Establish a system for tracking the production, dissemination, and
    19  disposition of the reports produced in accordance with the provisions of
    20  this subdivision;
    21    (f)  Establish an enhanced cyber security services program, within the
    22  state, to provide for procedures, methods and directives, for  a  volun-
    23  tary  information  sharing  program,  that will provide cyber threat and
    24  technical information collected from  both  public  and  private  sector
    25  entities,  to  all  participants in the information sharing and analysis
    26  program and all such private and public sector entities  as  the  office
    27  deems  prudent, and to also advise all critical infrastructure companies
    28  or commercial service providers that offer security services to critical
    29  infrastructure on cyber security threats and defense measures;
    30    (g) Seek to develop strategies to maximize the utility of cyber threat
    31  information sharing between and across the private and public sectors;
    32    (h) Promote the use  of  private  and  public  sector  subject  matter
    33  experts to address cyber security needs in the state, with these subject
    34  matter  experts  providing  advice regarding the content, structure, and
    35  types of information most useful to critical infrastructure  owners  and
    36  operators in reducing and mitigating cyber risks;
    37    (i) Establish a consultative process to coordinate improvements to the
    38  cyber  security of critical infrastructure, where as part of the consul-
    39  tative process, the public and  private  entities  of  the  state  shall
    40  engage;
    41    (j)  Provide that the office shall seek and consider the advice of the
    42  division of homeland security and emergency services,  the  division  of
    43  state  police,  the  center  for  internet  security, and such other and
    44  further private and public  sector  entities,  universities,  and  cyber
    45  security experts as the office may deem prudent; and
    46    (k)  Establish  a  baseline framework to reduce cyber risk to critical
    47  infrastructure and public and private  computer  systems,  networks  and
    48  operations.
    49    5.  The  office shall use the information sharing and analysis program
    50  developed under this section to lead in the development of  a  voluntary
    51  framework  to  reduce  cyber risks to critical infrastructure and public
    52  and private computer systems, networks and operations, to  be  known  as
    53  the cyber security framework.
    54    6. The development of the cyber security framework shall:

        A. 465                             16
     1    (a)  Include  a set of standards, methodologies, procedures, and proc-
     2  esses that align  policy,  business,  and  technological  approaches  to
     3  address cyber risks;
     4    (b)  Incorporate  voluntary consensus standards, safeguards, protocols
     5  and best practices to the fullest extent possible;
     6    (c) Provide a prioritized,  flexible,  repeatable,  performance-based,
     7  and cost-effective approach, including information security measures and
     8  controls,  to  help  owners and operators of critical infrastructure and
     9  public and private computer systems, networks and operations, to identi-
    10  fy, assess, and manage cyber risk;
    11    (d) Focus on identifying cross-sector security  standards  and  guide-
    12  lines  applicable  to  critical  infrastructure  and  public and private
    13  computer systems, networks and operations;
    14    (e) Identify areas for improvement that should  be  addressed  through
    15  future  collaboration  with  particular sectors and standards-developing
    16  organizations;
    17    (f) Enable technical innovation and account for organizational differ-
    18  ences, to provide guidance that is technology neutral and  that  enables
    19  critical infrastructure sectors and public and private computer systems,
    20  networks  and  operations,  to  benefit  from  a  competitive market for
    21  products and services that meet  the  standards,  methodologies,  proce-
    22  dures,  processes, safeguards, protocols and best practices to be devel-
    23  oped to address cyber risks;
    24    (g) Include guidance for measuring the performance  of  an  entity  in
    25  implementing the cyber security framework;
    26    (h)  Include  methodologies  to  identify  and mitigate impacts of the
    27  cyber security framework and associated information security measures or
    28  controls on business confidentiality, and to protect individual  privacy
    29  and civil liberties; and
    30    (i)  Engage  in the review of threat and vulnerability information and
    31  technical expertise.
    32    7. The regulations promulgated pursuant to subdivision three  of  this
    33  section shall additionally establish a voluntary critical infrastructure
    34  cyber  security  program  to  support the adoption of the cyber security
    35  framework by owners and operators of  critical  infrastructure  and  any
    36  other interested entities, where under this program implementation guid-
    37  ance or supplemental materials would be developed to address sector-spe-
    38  cific risks and operating environments.
    39    8. In developing the New York state cyber security information sharing
    40  and  analysis program in accordance with the provisions of this section,
    41  the office, in consultation with the division of homeland  security  and
    42  emergency  services  and the division of state police, shall produce and
    43  submit a report, to the governor, the temporary president of the senate,
    44  and the speaker of the assembly, making recommendations on the feasibil-
    45  ity, security benefits, and relative merits  of  incorporating  security
    46  safeguards,  standards,  protocols  and  best practices into acquisition
    47  planning and contract administration. Such report shall further  address
    48  what  steps  can  be  taken  to  harmonize  and make consistent existing
    49  procurement requirements related to cyber security and  the  feasibility
    50  of including risk-based security standards into procurement and contract
    51  administration.
    52    § 4. This act shall take effect on the one hundred eightieth day after
    53  it shall have become a law; provided, however, that the office of infor-
    54  mation technology services is authorized and directed to (i) publish its
    55  model  comprehensive security programs containing recommended standards,
    56  safeguards, protocols and best practices for holders of personal  infor-

        A. 465                             17
     1  mation  in  accordance  with section 404 of the state technology law, as
     2  added by section three of this act, and (ii) establish  the  information
     3  sharing  and  analysis  program and promulgate regulations regarding the
     4  same,  in  accordance  with  section 410 of the state technology law, as
     5  added by section three of this act, on or before the one hundred  fifti-
     6  eth day after this act shall have become a law.
feedback