Bill Text: NY S02117 | 2011-2012 | General Assembly | Introduced


Bill Title: Relates to identity theft prevention; requires business organizations to develop and implement information security plans to safeguard personal information collected and retained for the purposes of employment or the provision of goods or services.

Spectrum: Partisan Bill (Democrat 1-0)

Status: (Introduced - Dead) 2011-01-18 - REFERRED TO CONSUMER PROTECTION

                           S T A T E   O F   N E W   Y O R K
       ________________________________________________________________________
                                         2117
                              2011-2012 Regular Sessions
                                   I N  S E N A T E
                                   January 18, 2011
                                      ___________
       Introduced  by  Sen.  KRUGER -- read twice and ordered printed, and when
         printed to be committed to the Committee on Consumer Protection
       AN ACT to amend the general business law, in relation to identity  theft
         prevention
         THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
       BLY, DO ENACT AS FOLLOWS:
    1    Section 1. The general business law is amended by adding a new article
    2  32-A to read as follows:
    3                                ARTICLE 32-A
    4                          IDENTITY THEFT PREVENTION
    5  SECTION 676. DEFINITIONS.
    6          677. IDENTITY THEFT PREVENTION.
    7          678. APPLICATION OF ARTICLE.
    8          679. BANKING DEPARTMENT APPROVAL.
    9    S 676. DEFINITIONS. FOR THE PURPOSES OF THIS ARTICLE, THE TERM:
   10    1. "BUSINESS ORGANIZATION" SHALL MEAN ANY PERSON,  FIRM,  ASSOCIATION,
   11  PARTNERSHIP OR CORPORATION ENGAGED IN BUSINESS IN NEW YORK STATE;
   12    2.  "INFORMATION  SECURITY  PLAN" SHALL MEAN A BUSINESS ORGANIZATION'S
   13  RISK-BASED APPROACH TO SAFEGUARDING THE PERSONAL  INFORMATION  COLLECTED
   14  AND RETAINED FOR THE PURPOSES OF EMPLOYMENT OR THE PROVISION OF GOODS OR
   15  SERVICES DEVELOPED PURSUANT TO SECTION SIX HUNDRED SEVENTY-SEVEN OF THIS
   16  ARTICLE.
   17    S  677.  IDENTITY THEFT PREVENTION. 1. ANY BUSINESS ORGANIZATION DOING
   18  BUSINESS IN THIS STATE, EXCEPT AS  SET  FORTH  IN  SECTION  SIX  HUNDRED
   19  SEVENTY-EIGHT  OF  THIS  ARTICLE,  SHALL DEVELOP AN INFORMATION SECURITY
   20  PLAN SUBJECT TO THE APPROVAL OF THE NEW YORK STATE BANKING DEPARTMENT.
   21    2. SUCH INFORMATION SECURITY PLAN SHALL:
   22    A. IDENTIFY AND ASSESS THE RISKS TO CUSTOMER INFORMATION AND  EVALUATE
   23  THE EFFECTIVENESS OF THE CURRENT SAFEGUARDS FOR CONTROLLING SUCH RISKS;
        EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                             [ ] is old law to be omitted.
                                                                  LBD00005-01-1
    1    B. SET FORTH, IMPLEMENT, REGULARLY MONITOR AND TEST A PROGRAM TO SAFE-
    2  GUARD  ANY  PERSONAL INFORMATION COLLECTED AND RETAINED FOR THE PURPOSES
    3  OF EMPLOYMENT OR THE PROVISION OF GOODS OR SERVICES;
    4    C. TAKE REASONABLE STEPS TO SELECT AND RETAIN INTERNET SERVICE PROVID-
    5  ERS  THAT  ARE  CAPABLE  OF  MAINTAINING  APPROPRIATE SAFEGUARDS FOR THE
    6  CUSTOMER INFORMATION THAT YOU MUST RETAIN IN ORDER TO DO BUSINESS;
    7    D. BE  EVALUATED  AND  ADJUSTED  TO  REFLECT  RELEVANT  CIRCUMSTANCES,
    8  INCLUDING  CHANGES  IN BUSINESS OPERATIONS OR AS A RESULT OF TESTING AND
    9  MONITORING;
   10    E. ENSURE THE SECURITY AND CONFIDENTIALITY  OF  PERSONAL  RECORDS  AND
   11  INFORMATION;
   12    F.  PROTECT AGAINST ANY ANTICIPATED THREATS OR HAZARDS TO THE SECURITY
   13  OR INTEGRITY OF SUCH PERSONAL RECORDS AND INFORMATION;
   14    G. PROTECT AGAINST UNAUTHORIZED ACCESS TO, OR USE OF, PERSONAL RECORDS
   15  AND INFORMATION THAT COULD RESULT IN SUBSTANTIAL HARM  OR  INCONVENIENCE
   16  TO ANY CUSTOMER OR EMPLOYEE; AND
   17    H.  BE  APPROPRIATE TO THE SIZE AND COMPLEXITY OF EACH BUSINESS ORGAN-
   18  IZATION.
   19    S 678. APPLICATION OF ARTICLE. THE PROVISIONS OF  THIS  ARTICLE  SHALL
   20  APPLY TO ANY BUSINESS ORGANIZATION DOING BUSINESS IN THIS STATE EXCEPT:
   21    1.  THOSE  SUBJECT TO REGULATION UNDER THE GRAMM-LEACH-BLILEY ACT, THE
   22  FEDERAL TRADE COMMISSION (HEREAFTER "FTC") PRIVACY RULE  AND  THE  FTC'S
   23  STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION, ALSO KNOWN AS THE FTC'S
   24  SAFEGUARDS RULE, AS IMPLEMENTED BY 16 C.F.R. PART 314; AND
   25    2.  ANY  AGENCY  OR  UNIT  OF  THE STATE OF NEW YORK AND ANY POLITICAL
   26  SUBDIVISION THEREOF INCLUDING MUNICIPALITIES AND ANY BUSINESS  ORGANIZA-
   27  TIONS REGULATED BY THE UNITED STATES GOVERNMENT.
   28    S  679.  BANKING  DEPARTMENT  APPROVAL. EACH INFORMATION SECURITY PLAN
   29  DEVELOPED PURSUANT TO SECTION SIX HUNDRED SEVENTY-SEVEN OF THIS  ARTICLE
   30  IS SUBJECT TO APPROVAL IN ACCORDANCE TO REGULATIONS DEVELOPED BY THE NEW
   31  YORK STATE BANKING DEPARTMENT.
   32    S  2.  This  act shall take effect on the ninetieth day after it shall
   33  have become a law; provided, that, effective immediately, the  addition,
   34  amendment  and/or  repeal  of  any  rule or regulation necessary for the
   35  implementation of this act on its  effective  date  are  authorized  and
   36  directed to be made and completed on or before such effective date.