Bill Text: NY S02659 | 2023-2024 | General Assembly | Introduced
NOTE: There are more recent revisions of this legislation. Read Latest Draft
Bill Title: Provides that a business must provide notification of a data breach within 30 days of such breach; includes the department of financial services to the list of entities that must be notified of a data breach that affects any New York resident.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Engrossed) 2024-06-06 - returned to senate [S02659 Detail]
Download: New_York-2023-S02659-Introduced.html
Bill Title: Provides that a business must provide notification of a data breach within 30 days of such breach; includes the department of financial services to the list of entities that must be notified of a data breach that affects any New York resident.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Engrossed) 2024-06-06 - returned to senate [S02659 Detail]
Download: New_York-2023-S02659-Introduced.html
STATE OF NEW YORK ________________________________________________________________________ 2659 2023-2024 Regular Sessions IN SENATE January 24, 2023 ___________ Introduced by Sen. COMRIE -- read twice and ordered printed, and when printed to be committed to the Committee on Internet and Technology AN ACT to amend the general business law, in relation to notification of a data breach The People of the State of New York, represented in Senate and Assem- bly, do enact as follows: 1 Section 1. The opening paragraph of subdivision 2 and subdivision 3 of 2 section 899-aa of the general business law, as amended by chapter 117 of 3 the laws of 2019, are amended to read as follows: 4 Any person or business which owns or licenses computerized data which 5 includes private information shall disclose any breach of the security 6 of the system following discovery or notification of the breach in the 7 security of the system to any resident of New York state whose private 8 information was, or is reasonably believed to have been, accessed or 9 acquired by a person without valid authorization. The disclosure shall 10 be made in the most expedient time possible and without unreasonable 11 delay, [consistent with] and shall be made within fifteen days after the 12 breach has been discovered, except for the legitimate needs of law 13 enforcement, as provided in subdivision four of this section[, or any14measures necessary to determine the scope of the breach and restore the15integrity of the system]. 16 3. Any person or business which maintains computerized data which 17 includes private information which such person or business does not own 18 shall notify the owner or licensee of the information of any breach of 19 the security of the system immediately and within fifteen days following 20 discovery, if the private information was, or is reasonably believed to 21 have been, accessed or acquired by a person without valid authorization. 22 § 2. Paragraph (a) of subdivision 8 of section 899-aa of the general 23 business law, as amended by chapter 117 of the laws of 2019, is amended 24 to read as follows: EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted. LBD04602-01-3S. 2659 2 1 (a) In the event that any New York residents are to be notified, the 2 person or business shall notify the state attorney general, the depart- 3 ment of state and the division of state police and the department of 4 financial services as to the timing, content and distribution of the 5 notices and approximate number of affected persons and shall provide a 6 copy of the template of the notice sent to affected persons. Such notice 7 shall be made without delaying notice to affected New York residents. 8 § 3. This act shall take effect immediately.
