STATE OF NEW YORK
________________________________________________________________________
2659--B
Cal. No. 1562
2023-2024 Regular Sessions
IN SENATE
January 24, 2023
___________
Introduced by Sen. COMRIE -- read twice and ordered printed, and when
printed to be committed to the Committee on Internet and Technology --
committee discharged, bill amended, ordered reprinted as amended and
recommitted to said committee -- recommitted to the Committee on
Internet and Technology in accordance with Senate Rule 6, sec. 8 --
committee discharged and said bill committed to the Committee on Rules
-- ordered to a third reading, amended and ordered reprinted, retain-
ing its place in the order of third reading
AN ACT to amend the general business law, in relation to notification of
a data breach
The People of the State of New York, represented in Senate and Assem-
bly, do enact as follows:
1 Section 1. The opening paragraph of subdivision 2 and subdivision 3 of
2 section 899-aa of the general business law, as amended by chapter 117 of
3 the laws of 2019, are amended to read as follows:
4 Any person or business which owns or licenses computerized data which
5 includes private information shall disclose any breach of the security
6 of the system following discovery or notification of the breach in the
7 security of the system to any resident of New York state whose private
8 information was, or is reasonably believed to have been, accessed or
9 acquired by a person without valid authorization. The disclosure shall
10 be made in the most expedient time possible and without unreasonable
11 delay, [consistent with] provided that such notification shall be made
12 within thirty days after the breach has been discovered, except for the
13 legitimate needs of law enforcement, as provided in subdivision four of
14 this section[, or any measures necessary to determine the scope of the
15 breach and restore the integrity of the system].
16 3. Any person or business which maintains computerized data which
17 includes private information which such person or business does not own
18 shall notify the owner or licensee of the information of any breach of
19 the security of the system immediately, provided that such notification
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD04602-05-4
S. 2659--B 2
1 shall be made within thirty days following discovery, if the private
2 information was, or is reasonably believed to have been, accessed or
3 acquired by a person without valid authorization.
4 § 2. Paragraph (a) of subdivision 8 of section 899-aa of the general
5 business law, as amended by chapter 117 of the laws of 2019, is amended
6 to read as follows:
7 (a) In the event that any New York residents are to be notified, the
8 person or business shall notify the state attorney general, the depart-
9 ment of state [and], the division of state police, and the department of
10 financial services as to the timing, content and distribution of the
11 notices and approximate number of affected persons and shall provide a
12 copy of the template of the notice sent to affected persons. Such notice
13 shall be made without delaying notice to affected New York residents.
14 § 3. This act shall take effect immediately.