STATE OF NEW YORK
        ________________________________________________________________________

                                         2659--B
            Cal. No. 1562

                               2023-2024 Regular Sessions

                    IN SENATE

                                    January 24, 2023
                                       ___________

        Introduced  by  Sen.  COMRIE -- read twice and ordered printed, and when
          printed to be committed to the Committee on Internet and Technology --
          committee discharged, bill amended, ordered reprinted as  amended  and
          recommitted  to  said  committee  --  recommitted  to the Committee on
          Internet and Technology in accordance with Senate Rule 6,  sec.  8  --
          committee discharged and said bill committed to the Committee on Rules
          --  ordered to a third reading, amended and ordered reprinted, retain-
          ing its place in the order of third reading

        AN ACT to amend the general business law, in relation to notification of
          a data breach

          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:

     1    Section 1. The opening paragraph of subdivision 2 and subdivision 3 of
     2  section 899-aa of the general business law, as amended by chapter 117 of
     3  the laws of 2019, are amended to read as follows:
     4    Any  person or business which owns or licenses computerized data which
     5  includes private information shall disclose any breach of  the  security
     6  of  the  system following discovery or notification of the breach in the
     7  security of the system to any resident of New York state  whose  private
     8  information  was,  or  is  reasonably believed to have been, accessed or
     9  acquired by a person without valid authorization. The  disclosure  shall
    10  be  made  in  the  most expedient time possible and without unreasonable
    11  delay, [consistent with] provided that such notification shall  be  made
    12  within  thirty days after the breach has been discovered, except for the
    13  legitimate needs of law enforcement, as provided in subdivision four  of
    14  this  section[,  or any measures necessary to determine the scope of the
    15  breach and restore the integrity of the system].
    16    3. Any person or business  which  maintains  computerized  data  which
    17  includes  private information which such person or business does not own
    18  shall notify the owner or licensee of the information of any  breach  of
    19  the  security of the system immediately, provided that such notification

         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD04602-05-4
        S. 2659--B                          2

     1  shall be made within thirty days following  discovery,  if  the  private
     2  information  was,  or  is  reasonably believed to have been, accessed or
     3  acquired by a person without valid authorization.
     4    §  2.  Paragraph (a) of subdivision 8 of section 899-aa of the general
     5  business law, as amended by chapter 117 of the laws of 2019, is  amended
     6  to read as follows:
     7    (a)  In  the event that any New York residents are to be notified, the
     8  person or business shall notify the state attorney general, the  depart-
     9  ment of state [and], the division of state police, and the department of
    10  financial  services  as  to  the timing, content and distribution of the
    11  notices and approximate number of affected persons and shall  provide  a
    12  copy of the template of the notice sent to affected persons. Such notice
    13  shall be made without delaying notice to affected New York residents.
    14    § 3. This act shall take effect immediately.