Bill Text: NY S02540 | 2019-2020 | General Assembly | Introduced

Bill Title: Provides that a business must provide notification of a data breach within 15 days of such breach; includes the department of financial services to the list of entities that must be notified of a data breach that affects any New York resident.

Spectrum: Partisan Bill (Democrat 8-0)

Status: (Introduced) 2019-06-20 - COMMITTED TO RULES


STATE OF NEW YORK

2019-2020 Regular Sessions

IN SENATE

January 28, 2019

Introduced by Sens. COMRIE, ADDABBO, BAILEY, BROOKS, FELDER, KENNEDY, KRUEGER -- read twice and ordered printed, and when printed to be committed to the Committee on Internet and Technology

AN ACT to amend the general business law, in relation to notification of a data breach

The People of the State of New York, represented in Senate and Assembly, do enact as follows:

Section 1. Subdivisions 2 and 3 of section 899-aa of the general business law, as added by chapter 442 of the laws of 2005, are amended to read as follows:

2. Any person or business which conducts business in New York state, and which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization. The disclosure shall be made in the most expedient time possible and without unreasonable delay, [consistent with] and shall be made within fifteen days after the breach has been discovered, except for the legitimate needs of law enforcement, as provided in subdivision four of this section[, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system].

3. Any person or business which maintains computerized data which includes private information which such person or business does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately and within fifteen days following discovery, if the private information was, or is reasonably believed to have been, acquired by a person without valid authorization.

EXPLANATION--Matter in italics (underscored) is new; matter in brackets [ ] is old law to be omitted.

§ 2. Paragraph (a) of subdivision 8 of section 899-aa of the general business law, as amended by section 6 of part N of chapter 55 of the laws of 2013, is amended to read as follows:

(a) In the event that any New York residents are to be notified, the person or business shall notify the state attorney general, the department of state [and], the division of state police and the state department of financial services as to the timing, content and distribution of the notices and approximate number of affected persons. Such notice shall be made without delaying notice to affected New York residents.

§ 3. This act shall take effect immediately.