STATE OF NEW YORK
        ________________________________________________________________________
                                         6923--A
                               2017-2018 Regular Sessions
                    IN SENATE
                                    October 18, 2017
                                       ___________
        Introduced  by Sen. CARLUCCI -- read twice and ordered printed, and when
          printed to be committed to the Committee on Rules  --  recommitted  to
          the Committee on Consumer Protection in accordance with Senate Rule 6,
          sec.  8  --  committee  discharged, bill amended, ordered reprinted as
          amended and recommitted to said committee
        AN ACT to amend the general business law, in  relation  to  requiring  a
          consumer  credit  reporting  agency to offer identity theft prevention
          and mitigation services in the case of a breach  of  the  security  of
          such agency's system
          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:
     1    Section 1. Subdivision (n) of section 380-t of  the  general  business
     2  law is amended by adding a new paragraph 3 to read as follows:
     3    (3)(i) Upon a breach of the security of the system of a consumer cred-
     4  it  reporting  agency  which  includes  any social security number, such
     5  agency shall offer to each consumer, whose information, including social
     6  security number, was breached or is reasonably  believed  to  have  been
     7  breached, reasonable identity theft prevention services and, if applica-
     8  ble,  identify theft mitigation services for a period not to exceed five
     9  years at no cost to such consumers. Such agency shall provide all infor-
    10  mation necessary for such consumers to enroll in such services and shall
    11  include information on how such consumers can request a security freeze.
    12  A consumer credit reporting agency shall not be required to  offer  such
    13  services  if,  after an appropriate investigation, the agency reasonably
    14  determines that the breach of security is unlikely to result in harm  to
    15  the consumers whose information has been breached.
    16    (ii)  "Breach of the security of the system" as used in this paragraph
    17  shall have the same definition as in paragraph (c) of subdivision one of
    18  section eight hundred ninety-nine-aa of this chapter.
    19    § 2.  This act shall take effect on the sixtieth day  after  it  shall
    20  have  become  a law and shall apply to any breach of the security of the
    21  system of a consumer credit reporting agency that occurred no more  than
    22  three years prior to the effective date of this act.
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD13504-07-8