STATE OF NEW YORK
________________________________________________________________________
2821
2019-2020 Regular Sessions
IN SENATE
January 29, 2019
___________
Introduced by Sen. JORDAN -- read twice and ordered printed, and when
printed to be committed to the Committee on Budget and Revenue
AN ACT to amend the tax law, in relation to a business tax credit for
purchase of data breach insurance; and providing for the repeal of
such provisions upon expiration thereof
The People of the State of New York, represented in Senate and Assembly,
do enact as follows:
Section 1. Section 210-B of the tax law is amended by adding a new
subdivision 53 to read as follows:
53. Data breach insurance credit. (a) A taxpayer that is a business or
owner of a business shall be allowed a credit against the tax imposed by
this article equal to twenty-five percent of the premium paid during the
taxable year for qualified data breach insurance. For purposes of this
section, the term "qualified data breach insurance" means coverage
provided by an insurance company for expenses or losses in connection
with the theft, loss, disclosure, inaccessibility, or manipulation, of
data.
(b) In order to qualify for such credit, taxpayers shall adopt and be
in compliance with one of the following:
(1) Version 1.0 of the framework for improving critical infrastructure
cybersecurity published by the national institute of standards and
technology as in effect on February twelfth, two thousand fourteen or
subsequent versions or iterations; or
(2) Any similar standard specified by the state comptroller, after
consultation with the director of the office of information technology
services.
(c) In the case of insurance coverage under which amounts are payable
for other than expenses or losses described in paragraph (a) of this
subdivision:
(1) No amount shall be treated as premiums for qualified data breach
insurance unless the charge for such insurance is either separately
stated in the contract, or furnished to the policyholder by the
insurance company in a separate statement;
(2) The amount taken into account as the premium paid or incurred for
such insurance shall not exceed such charge; and
(3) No amount shall be treated as paid or incurred for such insurance
if the amount specified in the contract, or furnished to the
policyholder by the insurance company in a separate statement, as the
charge for such insurance is unreasonably large in relation to the total
charges under the contract.
(d) Premiums shall be taken into account under paragraph (a) of this
subdivision only if such premiums are paid or incurred in the ordinary
course of the taxpayer's trade or business.
(e) This subdivision shall not apply to a business which employs one
hundred and one or more employees.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD08957-01-9
§ 2. Section 606 of the tax law is amended by adding a new subsection
(jjj) to read as follows:
(jjj) Data breach insurance credit. (1) A taxpayer that is a business
or owner of a business shall be allowed a credit against the tax imposed
by this article equal to twenty-five percent of the premium paid during
the taxable year for qualified data breach insurance. For purposes of
this section, the term "qualified data breach insurance" means coverage
provided by an insurance company for expenses or losses in connection
with the theft, loss, disclosure, inaccessibility, or manipulation, of
data.
(2) In order to qualify for such credit, taxpayers shall adopt and be
in compliance with one of the following:
(A) Version 1.0 of the framework for improving critical infrastructure
cybersecurity published by the national institute of standards and
technology as in effect on February twelfth, two thousand fourteen or
subsequent versions or iterations; or
(B) Any similar standard specified by the state comptroller, after
consultation with the director of the office of information technology
services.
(3) In the case of insurance coverage under which amounts are payable
for other than expenses or losses described in paragraph one of this
subsection:
(A) No amount shall be treated as premiums for qualified data breach
insurance unless the charge for such insurance is either separately
stated in the contract, or furnished to the policyholder by the
insurance company in a separate statement;
(B) The amount taken into account as the premium paid or incurred for
such insurance shall not exceed such charge; and
(C) No amount shall be treated as paid or incurred for such insurance
if the amount specified in the contract, or furnished to the
policyholder by the insurance company in a separate statement, as the
charge for such insurance is unreasonably large in relation to the total
charges under the contract.
(4) Premiums shall be taken into account under paragraph one of this
subsection only if such premiums are paid or incurred in the ordinary
course of the taxpayer's trade or business.
(5) This subsection shall not apply to a business which employs one
hundred and one or more employees.
§ 3. Subparagraph (B) of paragraph 1 of subsection (i) of section 606
of the tax law is amended by adding a new clause (xliv) to read as
follows:
(xliv) Data breach insurance credit under subsection (jjj)      Amount of credit under subdivision fifty-three of section two hundred ten-B
§ 4. This act shall take effect immediately and shall apply to taxable
years beginning on and after the first of January next succeeding the
date on which it shall have become a law and shall remain in effect for
five years after it shall have become a law, when upon such date the
provisions of this act shall expire and be deemed repealed.