STATE OF NEW YORK
        ________________________________________________________________________

                                          2087

                               2021-2022 Regular Sessions

                    IN SENATE

                                    January 19, 2021
                                       ___________

        Introduced by Sens. JORDAN, GOUNARDES -- read twice and ordered printed,
          and when printed to be committed to the Committee on Budget and Reven-
          ue

        AN  ACT  to  amend the tax law, in relation to a business tax credit for
          purchase of data breach insurance; and providing  for  the  repeal  of
          such provisions upon expiration thereof

          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:

     1    Section 1. Section 210-B of the tax law is amended  by  adding  a  new
     2  subdivision 55 to read as follows:
     3    55. Data breach insurance credit. (a) A taxpayer that is a business or
     4  owner of a business shall be allowed a credit against the tax imposed by
     5  this article equal to twenty-five percent of the premium paid during the
     6  taxable  year  for qualified data breach insurance. For purposes of this
     7  section, the term  "qualified  data  breach  insurance"  means  coverage
     8  provided  by  an  insurance company for expenses or losses in connection
     9  with the theft, loss, disclosure, inaccessibility, or  manipulation,  of
    10  data.
    11    (b)  In order to qualify for such credit, taxpayers shall adopt and be
    12  in compliance with one of the following:
    13    (1) Version 1.0 of the framework for improving critical infrastructure
    14  cybersecurity published by the national institute of standards and tech-
    15  nology as in effect on February twelfth, two thousand fourteen or subse-
    16  quent versions or iterations; or
    17    (2) Any similar standard specified by  the  state  comptroller,  after
    18  consultation  with  the director of the office of information technology
    19  services.
    20    (c) In the case of insurance coverage under which amounts are  payable
    21  for  other  than  expenses  or losses described in paragraph (a) of this
    22  subdivision:

         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD01410-01-1
        S. 2087                             2

     1    (1) No amount shall be treated as premiums for qualified  data  breach
     2  insurance  unless  the  charge  for  such insurance is either separately
     3  stated in the contract, or furnished to the policyholder by  the  insur-
     4  ance company in a separate statement;
     5    (2)  The amount taken into account as the premium paid or incurred for
     6  such insurance shall not exceed such charge; and
     7    (3) No amount shall be treated as paid or incurred for such  insurance
     8  if  the  amount  specified  in the contract, or furnished to the policy-
     9  holder by the insurance company in a separate statement, as  the  charge
    10  for such insurance is unreasonably large in relation to the total charg-
    11  es under the contract.
    12    (d)  Premiums  shall be taken into account under paragraph (a) of this
    13  subdivision only if such premiums are paid or incurred in  the  ordinary
    14  course of the taxpayer's trade or business.
    15    (e)  This  subdivision shall not apply to a business which employs one
    16  hundred and one or more employees.
    17    § 2. Section 606 of the tax law is amended by adding a new  subsection
    18  (kkk) to read as follows:
    19    (kkk)  Data breach insurance credit. (1) A taxpayer that is a business
    20  or owner of a business shall be allowed a credit against the tax imposed
    21  by this article equal to twenty-five percent of the premium paid  during
    22  the  taxable  year  for qualified data breach insurance. For purposes of
    23  this section, the term "qualified data breach insurance" means  coverage
    24  provided  by  an  insurance company for expenses or losses in connection
    25  with the theft, loss, disclosure, inaccessibility, or  manipulation,  of
    26  data.
    27    (2)  In order to qualify for such credit, taxpayers shall adopt and be
    28  in compliance with one of the following:
    29    (A) Version 1.0 of the framework for improving critical infrastructure
    30  cybersecurity published by the national institute of standards and tech-
    31  nology as in effect on February twelfth, two thousand fourteen or subse-
    32  quent versions or iterations; or
    33    (B) Any similar standard specified by  the  state  comptroller,  after
    34  consultation  with  the director of the office of information technology
    35  services.
    36    (3) In the case of insurance coverage under which amounts are  payable
    37  for  other  than  expenses  or losses described in paragraph one of this
    38  subsection:
    39    (A) No amount shall be treated as premiums for qualified  data  breach
    40  insurance  unless  the  charge  for  such insurance is either separately
    41  stated in the contract, or furnished to the policyholder by  the  insur-
    42  ance company in a separate statement;
    43    (B)  The amount taken into account as the premium paid or incurred for
    44  such insurance shall not exceed such charge; and
    45    (C) No amount shall be treated as paid or incurred for such  insurance
    46  if  the  amount  specified  in the contract, or furnished to the policy-
    47  holder by the insurance company in a separate statement, as  the  charge
    48  for such insurance is unreasonably large in relation to the total charg-
    49  es under the contract.
    50    (4)  Premiums  shall be taken into account under paragraph one of this
    51  subsection only if such premiums are paid or incurred  in  the  ordinary
    52  course of the taxpayer's trade or business.
    53    (5)  This  subsection  shall not apply to a business which employs one
    54  hundred and one or more employees.
        S. 2087                             3

     1    § 3. Subparagraph (B) of paragraph 1 of subsection (i) of section  606
     2  of  the  tax  law  is  amended  by adding a new clause (xlvi) to read as
     3  follows:
     4    (xlvi) Data breach insurance    Amount of credit under subdivision
     5    credit under subsection (kkk)   fifty-five of section two hundred
     6                                    ten-B
     7    § 4. This act shall take effect immediately and shall apply to taxable
     8  years  beginning  on  and after the first of January next succeeding the
     9  date on which it shall have become a law and shall remain in effect  for
    10  five  years  after  it  shall have become a law, when upon such date the
    11  provisions of this act shall expire and be deemed repealed.