STATE OF NEW YORK
        ________________________________________________________________________
                                          1185
                               2019-2020 Regular Sessions
                   IN ASSEMBLY
                                    January 14, 2019
                                       ___________
        Introduced by M. of A. CAHILL, LIFTON, LUPARDO -- read once and referred
          to the Committee on Insurance
        AN ACT to amend the insurance law, in relation to authorizing continuing
          care retirement communities to adopt a written cybersecurity policy
          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:
     1    Section 1. Section 1119 of the insurance law is amended  by  adding  a
     2  new subsection (d) to read as follows:
     3    (d) Such organization may adopt a written cybersecurity policy that is
     4  designed  to  protect  the  confidentiality,  integrity  and security of
     5  nonpublic information and is in compliance with: (i) the Health Informa-
     6  tion Technology for Economic and Clinical  Health  Act  ("HITECH"),  the
     7  Health  Insurance  Portability  and  Accountability  Act  ("HIPAA"), the
     8  Gramm-Leach-Bliley Act; and (ii) all other applicable cybersecurity  and
     9  privacy  protections  governing nursing homes, adult care facilities and
    10  assisted living residences to the extent the  protections  govern  those
    11  components  of  such organization's operations. The cybersecurity policy
    12  shall be self-certified by such  organization  and  such  self-certified
    13  cybersecurity  policy shall be filed with the superintendent.  The self-
    14  certification  shall  attest  that  the   policy   provides   sufficient
    15  protections of nonpublic information in a manner which is not inconsist-
    16  ent  with  the  goals of the cybersecurity policies adopted by financial
    17  services companies pursuant to regulations  promulgated  by  the  super-
    18  intendent.  Such  self-certification shall be deemed compliant with such
    19  regulations applicable to financial services companies. The  superinten-
    20  dent  shall  review  the accuracy and reasonableness of the attestation.
    21  Unless the superintendent objects to the attestation within  sixty  days
    22  from  the  date  it  is  submitted,  such  attestation  shall  be deemed
    23  approved.
    24    § 2. This act shall take effect immediately.
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD05987-01-9