Bill Text: NY S03161 | 2021-2022 | General Assembly | Introduced
Bill Title: Requires certain businesses to offer identity theft prevention and mitigation services in the case of a security breach; exempts businesses under financial hardship.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Introduced - Dead) 2022-01-05 - REFERRED TO INTERNET AND TECHNOLOGY [S03161 Detail]
Download: New_York-2021-S03161-Introduced.html
STATE OF NEW YORK ________________________________________________________________________ 3161 2021-2022 Regular Sessions IN SENATE January 28, 2021 ___________ Introduced by Sen. COMRIE -- read twice and ordered printed, and when printed to be committed to the Committee on Internet and Technology AN ACT to amend the general business law, in relation to requiring certain businesses to offer identity theft prevention and mitigation services in the case of a security breach The People of the State of New York, represented in Senate and Assem- bly, do enact as follows: 1 Section 1. Subdivision 10 of section 899-aa of the general business 2 law, as renumbered by chapter 117 of the laws of 2019, is renumbered to 3 be subdivision 11 and a new subdivision 10 is added to read as follows: 4 10. (a) Where a security breach from a person or business other than a 5 consumer credit reporting agency includes a social security number, and 6 that person or business is required to provide notice under subdivision 7 two of this section, that person or business shall offer each resident 8 of this state whose social security number was disclosed in the breach 9 of security or is reasonably believed to have been disclosed in the 10 breach of security, reasonable credit report monitoring, identity theft 11 prevention services and, if applicable, identity theft mitigation 12 services at no cost to said resident for a period of not less than twen- 13 ty-four months. The disclosure required by subdivision two of this 14 section shall include information for any resident of New York state 15 whose social security number was disclosed as a result of a data breach 16 to obtain free, reasonable credit report monitoring, identity theft 17 prevention services and, if applicable, identity theft mitigation 18 services as described in this section. 19 (b) The requirement to provide twenty-four months of identity theft 20 mitigation services shall not apply to any individual person or small 21 business as defined in section one hundred thirty-one of the economic 22 development law that can demonstrate a financial hardship directly owing 23 to such compliance. A request for a financial hardship waiver shall be EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted. LBD05740-01-1S. 3161 2 1 made to the commissioner of the department of financial services on a 2 form prescribed by the department of financial services. 3 § 2. This act shall take effect on the one hundred eightieth day after 4 it shall have become a law. Effective immediately, the addition, amend- 5 ment and/or repeal of any rule or regulation necessary for the implemen- 6 tation of this act on its effective date are authorized to be made and 7 completed on or before such effective date.
