NY State Senate Bill 2015-S6834A

Archive: Last Bill Status - In Senate Committee Consumer Protection Committee

Introduced
- In Committee Assembly
- In Committee Senate
- On Floor Calendar Assembly
- On Floor Calendar Senate
- Passed Assembly
- Passed Senate
Delivered to Governor
Signed By Governor

Please enter your contact information

First Name

Last Name

Email Address

A valid email address is required.

Home address is used to determine the senate district in which you reside. Your support or opposition to this bill is then shared immediately with the senator who represents you.

Optional services from the NY State Senate:

Create an account. An account allows you to officially support or oppose key legislation, sign petitions with a single click, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Include a custom message for your Senator? (Optional)

Enter a message to your senator. Many New Yorkers use this to share the reasoning behind their support or opposition to the bill. Others might share a personal anecdote about how the bill would affect them or people they care about.

Actions

View Actions

	Assembly Actions - Lowercase Senate Actions - UPPERCASE
Jun 09, 2016	print number 6834b
Jun 09, 2016	amend and recommit to consumer protection
May 13, 2016	print number 6834a
May 13, 2016	amend and recommit to consumer protection
Feb 26, 2016	referred to consumer protection

Bill Amendments

Original

B (Active)

2015-S6834 - Details

Current Committee:: Senate Consumer Protection
Law Section:: General Business Law
Laws Affected:: Amd §899-aa, Gen Bus L; amd §208, St Tech L
Versions Introduced in 2017-2018 Legislative Session:: S5601

2015-S6834 - Summary

Relates to notification of a security breach; includes credit and debit card; increases civil penalties.

2015-S6834 - Sponsor Memo

                                 BILL NUMBER:  S6834

 TITLE OF BILL :  An act to amend the general business law and the
state technology law, in relation to notification of a security breach

 PURPOSE :  New York's data breach notification law needs to be
updated to keep pace with current technology. This bill broadens the
scope of information covered under the notification law and updates
the notification requirements when there has been a breach of data.

 SUMMARY OF PROVISIONS :

Section One of this bill amends subdivisions 1, 2, 6, 7, 8, and 9 of
Section 899-aa of the General Business law.

Subdivision 1 is amended to include biometric information, email
addresses with their corresponding passwords or security questions and
answers, and protected health information as defined under HIPAA as
"private information." Paragraph (c) of subdivision 1 is amended to
reflect the updated definition of "private information". Paragraph (d)
of subdivision 1 is amended to require the New York Attorney General
to publically post a list of consumer reporting agencies on its
website. Paragraphs (e) and (f) of subdivision 1 are added to provide
definitions for "credit card" and "debit card."

Subdivision 2 of Section 899-aa of the General Business law is amended

to further define the situation when a business would need to disclose
a breach of their security system.

Subdivision 6 of Section 899-aa of the General Business law is amended
to increase the civil penalty that may be imposed on a business that
knowingly or recklessly violated the data protection article.
Subdivision 6 is also amended to extend the amount of time within
which a cause of action must be commenced.

Subdivision 7 of Section 899-aa of the General Business law is amended
to require that consumer notification by a business under this act
would occur prior to the reissuance of any replacement credit or debit
card and that such notification will include contact information for
relevant government authorities that provide information regarding
security breach response and identity theft prevention.

Subdivision 8 of Section 899-aa of the General Business law is amended
to require that, when New York residents are to be notified under this
act, businesses also notify to the New York Attorney General, the
Department of State, and the Office of Information Technology Services
with information concerning their notification of New York residents.

Subdivision 9 of Section 899-aa of the General Business law is amended
to require the New York Department of State to receive and respond to
inquiries relating to any breach of information security, work in
cooperation with the New York Attorney General and the Office of
Information Technology Services to develop, update, and make
publically available information and best practices regarding the
response to and prevention of security breaches.

Section Two of this bill amends paragraph (d) of subdivision 1, and
subdivisions 2, 6, 7, and 8 of Section 208 of the State Technology
law.

Subdivision 1 is amended to include biometric information, email
addresses with their corresponding passwords or security questions and
answers, and protected health information as defined under HIPAA as
"private information." Paragraph (d) of subdivision 1 is amended to
require that the New York Attorney General publically post a list of
consumer reporting agencies to its website.
Subdivision 2 of Section 208 of the State Technology law is amended
such that, when a state entity suffers a breach, the Office of
Information Technology Services shall deliver a report on the scope of
the breach and recommendations to restore and improve that state
entity's information security system.

Subdivision 6 of Section 208 of the State Technology law is amended to
require that notice of a breach include contact information for
relevant state and federal agencies that provide information regarding
security breach response and identity theft prevention.

Subdivision 7 of Section 208 of the State Technology law is amended to
require, when New York residents are to be notified of a breach, that
the state entity responsible for the breach notify the New York
Attorney General, the Department of State, and the Office of
Information Technology Services and include a copy of the template of
the notice sent to the affected residents.

Subdivision 8 of Section 208 of the State Technology law is amended to
require the Office of Information Technology Services to develop,
update, and provide training to all state entities regarding best
practices for preventing security breaches.

Section Three of this bill provides that this act will take effect
January 1, 2017.

 JUSTIFICATION :  New York's current data breach notification law
needs to be updated to keep pace with individuals' use and
dissemination of private information. This bill recognizes the breadth
of private information, so it expands the scope of information
included under the current law to include biometric information, email
addresses and their corresponding passwords or security questions and
answers, and protected health information as defined under HIPAA. It
also updates the notification procedures companies and state entities
must follow when there has been a breach of private information.

 PRIOR LEGISLATIVE HISTORY : New bill.

 EXISTING LAW :  The NYS Information Security Breach and Notification
Act (General Business Law § 899-aa) provides that in the event of
unauthorized access to "private information," defined as personal
information in combination with a Social Security Number, driver's
license or an account or credit card number, the New York Notification
Act requires the business or state entity to notify affected customers
and inform appropriate authorities. Notification must be made "in the
most expedient time possible and without reasonable delay but subject
and consistent with legitimate needs of law enforcement." The New York
Attorney General is authorized to bring an action against businesses
that violate the New York Notification Act.

Covered state entities are also required to have a notification
policy. The NYS Internet Security and Privacy Act (State Technology
Law Article 2) mirrors many of the statutory provisions provided under
the General Business Law § 899-aa above, and imposes the same
notification requirements on State agencies that handle "private
information" under State Technology Law § 208, paragraph 5.

 FISCAL IMPACT :  None.

 EFFECTIVE DATE :  This act shall take effect January 1, 2017.

2015-S6834 - Bill Text download pdf

                            
                    S T A T E   O F   N E W   Y O R K
________________________________________________________________________

                                  6834

                            I N  S E N A T E

                            February 26, 2016
                               ___________

Introduced  by Sen. VENDITTO -- read twice and ordered printed, and when
  printed to be committed to the Committee on Consumer Protection

AN ACT to amend the general business law and the state  technology  law,
  in relation to notification of a security breach

  THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
BLY, DO ENACT AS FOLLOWS:

  Section 1. Subdivisions 1, 2, 6, 7, 8 and 9 of section 899-aa  of  the
general business law, as added by chapter 442 of the laws of 2005, para-
graph  (c) of subdivision 1, paragraph (a) of subdivision 6 and subdivi-
sion 8 as amended by chapter 491 of the laws of 2005 and  paragraph  (a)
of  subdivision 8 as amended by section 6 of part N of chapter 55 of the
laws of 2013, are amended to read as follows:
  1. As used in this section, the following terms shall have the follow-
ing meanings:
  (a) "Personal information" shall mean  any  information  concerning  a
natural  person  which, because of name, number, personal mark, or other
identifier, can be used to identify such natural person;
  (b) "Private information" shall mean EITHER: (I) personal  information
consisting of any information in combination with any one or more of the
following  data  elements,  when  either the personal information or the
data element is not encrypted, or encrypted with an encryption key  that
has also been acquired:
  (1) social security number;
  (2)  driver's license number or non-driver identification card number;
[or]
  (3) account number, credit or debit card number, in  combination  with
any  required  security code, access code, or password that would permit
access to an individual's financial account; OR
  (4) BIOMETRIC INFORMATION, MEANING DATA GENERATED BY  AUTOMATIC  MEAS-
UREMENTS  OF AN INDIVIDUAL'S PHYSICAL CHARACTERISTICS, WHICH ARE USED BY
THE OWNER OR LICENSEE TO AUTHENTICATE THE INDIVIDUAL'S IDENTITY;
  (II) A USER NAME OR EMAIL ADDRESS IN COMBINATION WITH  A  PASSWORD  OR
SECURITY  QUESTION  AND  ANSWER  THAT  WOULD  PERMIT ACCESS TO AN ONLINE
ACCOUNT; OR

 EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                      [ ] is old law to be omitted.

                                                           LBD09470-07-6

S. 6834                             2

  (III) ANY UNSECURED PROTECTED HEALTH INFORMATION  AS  DEFINED  IN  THE
HEALTH  INSURANCE  PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (45 C.F.R.
PTS. 160, 162, 164), AS AMENDED FROM TIME TO TIME.
  "Private  information" does not include publicly available information
which is lawfully made available to the  general  public  from  federal,
state, or local government records.
  (c)  "Breach  of  the  security of the system" shall mean unauthorized
acquisition or acquisition without valid authorization  of  computerized
data  that  compromises  the  security, confidentiality, or integrity of
[personal] PRIVATE information maintained  by  a  business.  Good  faith
acquisition of [personal] PRIVATE information by an employee or agent of
the  business  for  the  purposes of the business is not a breach of the
security of the system, provided that the  private  information  is  not
used or subject to unauthorized disclosure.
  In determining whether information has been acquired, or is reasonably
believed  to  have  been acquired, by an unauthorized person or a person
without valid authorization, such business may  consider  the  following
factors, among others:
  (1) indications that the information is in the physical possession and
control  of an unauthorized person, such as a lost or stolen computer or
other device containing information; or
  (2) indications that the information has been downloaded or copied; or
  (3) indications that the  information  was  used  by  an  unauthorized
person,  such  as  fraudulent  accounts  opened or instances of identity
theft reported.
  (d) "Consumer reporting agency" shall mean any person which, for mone-
tary fees, dues, or on a cooperative nonprofit basis, regularly  engages
in whole or in part in the practice of assembling or evaluating consumer
credit  information or other information on consumers for the purpose of
furnishing consumer reports to third parties, and which uses  any  means
or  facility  of  interstate  commerce  for  the purpose of preparing or
furnishing consumer reports. A list of consumer reporting agencies shall
be compiled by the state attorney general and [furnished upon request to
any person or business required to make a notification under subdivision
two of this section] PUBLICLY POSTED ON ITS WEBSITE.
  (E) "CREDIT CARD" SHALL HAVE THE SAME MEANING AS IN 15 U.S.C. S 1602.
  (F) "DEBIT CARD" SHALL HAVE THE SAME MEANING AS IN 15 U.S.C. S 1681A.
  2. Any person or business which conducts business in New  York  state,
and  which  owns  or  licenses  computerized data which includes private
information shall disclose any breach of  the  security  of  the  system
following discovery or notification of the breach in the security of the
system  to any resident of New York state whose private information was,
or is reasonably believed to have been, acquired  by  a  person  without
valid  authorization OR BY AN UNAUTHORIZED PERSON.  The disclosure shall
be made in the most expedient time  possible  and  without  unreasonable
delay,  consistent  with  the  legitimate  needs  of law enforcement, as
provided in subdivision four of this section, or any measures  necessary
to determine the scope of the breach and restore the [reasonable] integ-
rity of the system.
  6.  (a)  whenever  the  attorney  general  shall believe from evidence
satisfactory to him that there is a violation of  this  article  he  may
bring  an action in the name and on behalf of the people of the state of
New York, in a court of justice having jurisdiction to issue an  injunc-
tion,  to  enjoin  and  restrain the continuation of such violation.  In
such action, preliminary relief may be granted under article sixty-three
of the civil practice law and rules. In such action the court may  award

S. 6834                             3

damages  for  actual  costs  or  losses incurred by a person entitled to
notice pursuant to this article, if notification  was  not  provided  to
such  person pursuant to this article, including consequential financial
losses.  Whenever the court shall determine in such action that a person
or business violated this article knowingly or recklessly, the court may
impose a civil penalty of the greater of [five] TEN thousand dollars  or
up to [ten] TWENTY dollars per instance of failed notification, provided
that the latter amount shall not exceed [one] TWO hundred fifty thousand
dollars.
  (b)  the remedies provided by this section shall be in addition to any
other lawful remedy available.
  (c) no action may be brought under  the  provisions  of  this  section
unless  such  action is commenced within [two] THREE years [immediately]
after EITHER the date [of the act complained of or the date of discovery
of such act] THE ACT WAS DISCOVERED OR, THE DATE OF NOTICE SENT PURSUANT
TO PARAGRAPH (A) OF SUBDIVISION EIGHT OF THIS SECTION.
  7. Regardless of the method by which notice is provided,  such  notice
shall  PRECEDE THE ISSUANCE OF ANY REPLACEMENT CREDIT CARD OR DEBIT CARD
TO ANY AFFECTED PERSON AS A RESULT OF ANY BREACH OF THE SECURITY OF  THE
SYSTEM ABSENT ANY DOCUMENTED EVIDENCE OF UNAUTHORIZED USE OF SUCH CREDIT
CARD  OR DEBIT CARD AND SHALL include contact information for the person
or business making the notification, THE TELEPHONE NUMBERS AND  WEBSITES
OF  THE  RELEVANT  STATE  AND  FEDERAL AGENCIES THAT PROVIDE INFORMATION
REGARDING SECURITY BREACH RESPONSE AND  IDENTITY  THEFT  PREVENTION  AND
PROTECTION  INFORMATION, and a description of the categories of informa-
tion that were, or are reasonably believed to have been, acquired  by  a
person without valid authorization OR BY AN UNAUTHORIZED PERSON, includ-
ing  specification  of which of the elements of personal information and
private information were, or are reasonably believed to  have  been,  so
acquired.
  8.  (a)  In  the event that any New York residents are to be notified,
the person or business shall notify  the  state  attorney  general,  the
department  of state and the [division of state police] OFFICE OF INFOR-
MATION TECHNOLOGY SERVICES as to the timing, content and distribution of
the notices [and], approximate number of affected persons AND PROVIDE  A
COPY  OF  THE  TEMPLATE  OF  THE NOTICE SENT TO AFFECTED PERSONS.   Such
notice shall be made without delaying notice to affected New York  resi-
dents.
  (b)  In  the event that more than five thousand New York residents are
to be notified at one time, the person or  business  shall  also  notify
consumer  reporting  agencies as to the timing, content and distribution
of the notices and approximate number of affected persons.  Such  notice
shall be made without delaying notice to affected New York residents.
  9. THE DEPARTMENT OF STATE SHALL RECEIVE AND RESPOND TO COMPLAINTS AND
INQUIRIES  RELATING  TO  ANY  BREACH OF THE SECURITY OF THE SYSTEM, MAKE
REFERRALS AS APPROPRIATE AND IN  COOPERATION  WITH  THE  STATE  ATTORNEY
GENERAL AND THE OFFICE OF INFORMATION TECHNOLOGY SERVICES DEVELOP, REGU-
LARLY  UPDATE AND MAKE PUBLICLY AVAILABLE INFORMATION RELATING TO HOW TO
RESPOND TO A BREACH OF THE SECURITY OF THE SYSTEM AND BEST PRACTICES FOR
HOW TO PREVENT A BREACH OF THE SECURITY OF THE SYSTEM.
  10. The provisions of  this  section  shall  be  exclusive  and  shall
preempt  any provisions of local law, ordinance or code, and no locality
shall impose requirements that are inconsistent with or more restrictive
than those set forth in this section.
  S 2. Paragraphs (a) and (d) of subdivision 1 and subdivisions 2, 6,  7
and  8  of  section 208 of the state technology law, as added by chapter

S. 6834                             4

442 of the laws of 2005, subdivision 2 and paragraph (a) of  subdivision
7  as  amended  by section 5 of part N of chapter 55 of the laws of 2013
and subdivisions 6 and 7 as amended by chapter 491 of the laws of  2005,
are amended to read as follows:
  (a)  "Private  information"  shall  mean:  (I) personal information in
combination with any one or more of the following  data  elements,  when
either  the personal information or the data element is not encrypted or
encrypted with an encryption key that has also been acquired:
  (1) social security number;
  (2) driver's license number or non-driver identification card  number;
[or]
  (3)  account  number, credit or debit card number, in combination with
any required security code, access code, or password which would  permit
access to an individual's financial account; OR
  (4)  BIOMETRIC  INFORMATION, MEANING DATA GENERATED BY AUTOMATIC MEAS-
UREMENTS OF AN INDIVIDUAL'S PHYSICAL CHARACTERISTICS, WHICH ARE USED  BY
THE OWNER OR LICENSEE TO AUTHENTICATE THE INDIVIDUAL'S IDENTITY;
  (II)  A  USER  NAME OR EMAIL ADDRESS IN COMBINATION WITH A PASSWORD OR
SECURITY QUESTION AND ANSWER THAT  WOULD  PERMIT  ACCESS  TO  AN  ONLINE
ACCOUNT; OR
  (III)  ANY  UNSECURED  PROTECTED  HEALTH INFORMATION AS DEFINED IN THE
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996  (45  C.F.R.
PTS. 160, 162, 164), AS AMENDED FROM TIME TO TIME.
  "Private  information" does not include publicly available information
that is lawfully made available to  the  general  public  from  federal,
state, or local government records.
  (d) "Consumer reporting agency" shall mean any person which, for mone-
tary  fees, dues, or on a cooperative nonprofit basis, regularly engages
in whole or in part in the practice of assembling or evaluating consumer
credit information or other information on consumers for the purpose  of
furnishing  consumer  reports to third parties, and which uses any means
or facility of interstate commerce  for  the  purpose  of  preparing  or
furnishing consumer reports. A list of consumer reporting agencies shall
be compiled by the state attorney general and [furnished upon request to
state  entities required to make a notification under subdivision two of
this section] PUBLICLY POSTED ON ITS WEBSITE.
  2. Any state entity that  owns  or  licenses  computerized  data  that
includes  private  information shall disclose any breach of the security
of the system following discovery or notification of the breach  in  the
security  of  the system to any resident of New York state whose private
information was, or is reasonably believed to have been, acquired  by  a
person  without valid authorization. The disclosure shall be made in the
most expedient time possible and without unreasonable delay,  consistent
with the legitimate needs of law enforcement, as provided in subdivision
four  of  this section, or any measures necessary to determine the scope
of the breach and restore the [reasonable] integrity of the data system.
The state entity shall consult with  the  state  office  of  information
technology services to determine the scope of the breach and restoration
measures.  WITHIN NINETY DAYS OF THE NOTICE OF THE BREACH, THE OFFICE OF
INFORMATION TECHNOLOGY SERVICES SHALL DELIVER A REPORT ON THE  SCOPE  OF
THE  BREACH  AND  RECOMMENDATIONS TO RESTORE AND IMPROVE THE SECURITY OF
THE SYSTEM TO THE STATE ENTITY.
  6. Regardless of the method by which notice is provided,  such  notice
shall  include  contact  information  for  the  state  entity making the
notification, THE TELEPHONE NUMBERS AND THE WEBSITES  FOR  THE  RELEVANT
STATE  AND  FEDERAL AGENCIES THAT PROVIDE INFORMATION REGARDING SECURITY

S. 6834                             5

BREACH RESPONSE AND IDENTITY THEFT PREVENTION AND PROTECTION INFORMATION
and a description of the categories of information  that  were,  or  are
reasonably  believed  to  have  been, acquired by a person without valid
authorization,  including  specification  of  which  of  the elements of
personal information and private information  were,  or  are  reasonably
believed to have been, so acquired.
  7.  (a)  In  the event that any New York residents are to be notified,
the state entity shall notify the state attorney general, the department
of state and the state office of information technology services  as  to
the  timing,  content  and  distribution  of the notices and approximate
number of affected persons AND PROVIDE A COPY OF  THE  TEMPLATE  OF  THE
NOTICE  SENT  TO  AFFECTED  PERSONS.   Such notice shall be made without
delaying notice to affected New York residents.
  (b) In the event that more than five thousand New York  residents  are
to  be notified at one time, the state entity shall also notify consumer
reporting agencies as to the timing, content  and  distribution  of  the
notices and approximate number of affected persons. Such notice shall be
made without delaying notice to affected New York residents.
  8.  THE STATE OFFICE OF INFORMATION TECHNOLOGY SERVICES SHALL DEVELOP,
UPDATE AND PROVIDE REGULAR TRAINING TO ALL STATE  ENTITIES  RELATING  TO
BEST  PRACTICES  FOR  THE  PREVENTION OF A BREACH OF THE SECURITY OF THE
SYSTEM.
   9. Any entity listed in subparagraph two of paragraph (c) of subdivi-
sion one of this section shall adopt a notification policy no more  than
one  hundred  twenty days after the effective date of this section. Such
entity may develop a notification policy which is consistent  with  this
section  or  alternatively  shall  adopt a local law which is consistent
with this section.
  S 3. This act shall take effect January 1, 2017.

2015-S6834A - Details

Current Committee:: Senate Consumer Protection
Law Section:: General Business Law
Laws Affected:: Amd §899-aa, Gen Bus L; amd §208, St Tech L
Versions Introduced in 2017-2018 Legislative Session:: S5601

2015-S6834A - Summary

Relates to notification of a security breach; includes credit and debit card; increases civil penalties.

2015-S6834A - Sponsor Memo

                                 BILL NUMBER:  S6834A

 TITLE OF BILL :  An act to amend the general business law and the
state technology law, in relation to notification of a security breach

 PURPOSE :

New York's data breach notification law needs to be updated to keep
pace with current technology. This bill broadens the scope of
information covered under the notification law and updates the
notification requirements when there has been a breach of data.

 SUMMARY OF PROVISIONS :

Section One of this bill amends subdivisions 1, 2, 6, 7, 8, and 9 of
Section 899-aa of the General Business law.

Subdivision 1 is amended to include biometric information, email
addresses with their corresponding passwords or security questions and
answers, and protected health information as defined under HIPAA as
"private information." Paragraph (c) of subdivision 1 is amended to
reflect the updated definition of "private information". Paragraph (d)
of subdivision 1 is amended to require the New York Attorney General
to publically post a list of consumer reporting agencies on its
website. Paragraphs (e) and (f) of subdivision 1 are added to provide
definitions for "credit card" and "debit card."

Subdivision 2 of Section 899-aa of the General Business law is amended
to further define the situation when a business would need to disclose
a breach of their security system.

Subdivision 5 of Section 899-aa of the General Business law is amended
to update how a business complies with the notice requirements as a
result of a data breach, with specific provisions regarding when an
e-mail account with corresponding login information is breached and
provisions regarding when a breach affects a credit or debit card
issuer.

Subdivision 6 of Section 899-aa of the General Business law is amended
to increase the civil penalty that may be imposed on a business that
knowingly or recklessly violated the data notification section of law.
Subdivision 6 is also amended to extend the amount of time within
which a cause of action must be commenced.

Subdivision 7 of Section 899-aa of the General Business law is amended
to require notification will include contact information for relevant
government authorities that provide information regarding security
breach response and identity theft prevention.

Subdivision 8 of Section 899-aa of the General Business law is amended
to require that, when New York residents are to be notified under this
act, businesses also notify to the New York Attorney General, the
Department of State, and the Office of Information Technology Services
with information concerning their notification of New York residents.

Subdivision 9 of Section 899-aa of the General Business law is amended
to require the New York Department of State to receive and respond to
inquiries relating to any breach of information security, work in
cooperation with the New York Attorney General and the Office of
Information Technology Services to develop, update, and make
publically available information and best practices regarding the
response to and prevention of security breaches.

Section Two of this bill amends paragraph (d) of subdivision 1, and
subdivisions 2, 6, 7, and 8 of Section 208 of the State Technology
law.
Subdivision 1 is amended to include biometric information, email
addresses with their corresponding passwords or security questions and
answers, and protected health information as defined under HIPAA as
"private information." Paragraph (d) of subdivision 1 is amended to
require that the New York Attorney General publically post a list of
consumer reporting agencies to its website.

Subdivision 2 of Section 208 of the State Technology law is amended
such that, when a state entity suffers a breach, the Office of
Information Technology Services shall deliver a report on the scope of
the breach and recommendations to restore and improve that state
entity's information security system.

Subdivision 6 of Section 208 of the State Technology law is amended to
require that notice of a breach include contact information for
relevant state and federal agencies that provide information regarding
security breach response and identity theft prevention.

Subdivision 7 of Section 208 of the State Technology law is amended to
require, when New York residents are to be notified of a breach, that
the state entity responsible for the breach notify the New York
Attorney General, the Department of State, and the Office of
Information Technology Services and include a copy of the template of
the notice sent to the affected residents.

Subdivision 8 of Section 208 of the State Technology law is amended to
require the Office of Information Technology Services to develop,
update, and provide training to all state entities regarding best
practices for preventing security breaches.

Section Three of this bill provides that this act will take effect
January 1, 2017.

 JUSTIFICATION :

New York's current data breach notification law needs to be updated to
keep pace with individuals' use and dissemination of private
information. This bill recognizes the breadth of private information,
so it expands the scope of information included under the current law
to include biometric information, email addresses and their
corresponding passwords or security questions and answers, and
protected health information as defined under HIPAA. It also updates
the notification procedures companies and state entities must follow
when there has been a breach of private information.

 PRIOR LEGISLATIVE HISTORY :

New bill.

 EXISTING LAW :

The NYS Information Security Breach and Notification Act (General
Business Law § 899-aa) provides that in the event of unauthorized
access to "private information," defined as personal information in
combination with a Social Security Number, driver's license or an
account or credit card number, the New York Notification Act requires
the business or state entity to notify affected customers and inform
appropriate authorities. Notification must be made "in the most
expedient time possible and without reasonable delay but subject and
consistent with legitimate needs of law enforcement." The New York
Attorney General is authorized to bring an action against businesses
that violate the New York Notification Act.

Covered state entities are also required to have a notification
policy. The NYS Internet Security and Privacy Act (State Technology
Law Article 2) mirrors many of the statutory provisions provided under
the General Business Law § 899-aa above, and imposes the same
notification requirements on State agencies that handle "private
information" under State Technology Law § 208, paragraph 5.

 FISCAL IMPACT :

None.

 EFFECTIVE DATE :
This act shall take effect January 1, 2017.

2015-S6834A - Bill Text download pdf

                            
                    S T A T E   O F   N E W   Y O R K
________________________________________________________________________

                                 6834--A

                            I N  S E N A T E

                            February 26, 2016
                               ___________

Introduced  by Sen. VENDITTO -- read twice and ordered printed, and when
  printed to be committed to the Committee  on  Consumer  Protection  --
  committee  discharged,  bill amended, ordered reprinted as amended and
  recommitted to said committee

AN ACT to amend the general business law and the state  technology  law,
  in relation to notification of a security breach

  THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
BLY, DO ENACT AS FOLLOWS:

  Section 1. Subdivisions 1, 2, 5, 6, 7, 8 and 9 of  section  899-aa  of
the  general  business law, as added by chapter 442 of the laws of 2005,
paragraph (c) of subdivision 1,  paragraph  (a)  of  subdivision  6  and
subdivision  8  as  amended by chapter 491 of the laws of 2005 and para-
graph (a) of subdivision 8 as amended by section 6 of part N of  chapter
55 of the laws of 2013, are amended to read as follows:
  1. As used in this section, the following terms shall have the follow-
ing meanings:
  (a)  "Personal  information"  shall  mean any information concerning a
natural person which, because of name, number, personal mark,  or  other
identifier, can be used to identify such natural person;
  (b)  "Private information" shall mean EITHER: (I) personal information
consisting of any information in combination with any one or more of the
following data elements, when either the  personal  information  or  the
data  element is not encrypted, or encrypted with an encryption key that
has also been acquired:
  (1) social security number;
  (2) driver's license number or non-driver identification card  number;
[or]
  (3)  account  number, credit or debit card number, in combination with
any required security code, access code, or password that  would  permit
access to an individual's financial account; OR
  (4)  BIOMETRIC  INFORMATION, MEANING DATA GENERATED BY AUTOMATIC MEAS-
UREMENTS OF AN INDIVIDUAL'S PHYSICAL CHARACTERISTICS, WHICH ARE USED  BY
THE OWNER OR LICENSEE TO AUTHENTICATE THE INDIVIDUAL'S IDENTITY;

 EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                      [ ] is old law to be omitted.
                                                           LBD09470-10-6

S. 6834--A                          2

  (II)  A  USER NAME OR E-MAIL ADDRESS IN COMBINATION WITH A PASSWORD OR
SECURITY QUESTION AND ANSWER THAT  WOULD  PERMIT  ACCESS  TO  AN  ONLINE
ACCOUNT; OR
  (III)  ANY  UNSECURED  PROTECTED HEALTH INFORMATION HELD BY A "COVERED
ENTITY" AS DEFINED IN THE HEALTH INSURANCE PORTABILITY AND  ACCOUNTABIL-
ITY ACT OF 1996 (45 C.F.R.  PTS. 160, 162, 164), AS AMENDED FROM TIME TO
TIME.
  "Private  information" does not include publicly available information
which is lawfully made available to the  general  public  from  federal,
state, or local government records.
  (c)  "Breach  of  the  security of the system" shall mean unauthorized
acquisition or acquisition without valid authorization  of  computerized
data  that  compromises  the  security, confidentiality, or integrity of
[personal] PRIVATE information maintained  by  a  business.  Good  faith
acquisition of [personal] PRIVATE information by an employee or agent of
the  business  for  the  purposes of the business is not a breach of the
security of the system, provided that the  private  information  is  not
used or subject to unauthorized disclosure.
  In determining whether information has been acquired, or is reasonably
believed  to  have  been acquired, by an unauthorized person or a person
without valid authorization, such business may  consider  the  following
factors, among others:
  (1) indications that the information is in the physical possession and
control  of  A  PERSON WITHOUT VALID AUTHORIZATION OR BY an unauthorized
person, such as a lost or stolen computer  or  other  device  containing
information; or
  (2) indications that the information has been downloaded or copied; or
  (3)  indications  that  the  information  was used by A PERSON WITHOUT
VALID AUTHORIZATION  OR  an  unauthorized  person,  such  as  fraudulent
accounts opened or instances of identity theft reported.
  (d) "Consumer reporting agency" shall mean any person which, for mone-
tary  fees, dues, or on a cooperative nonprofit basis, regularly engages
in whole or in part in the practice of assembling or evaluating consumer
credit information or other information on consumers for the purpose  of
furnishing  consumer  reports to third parties, and which uses any means
or facility of interstate commerce  for  the  purpose  of  preparing  or
furnishing consumer reports. A list of consumer reporting agencies shall
be compiled by the state attorney general and [furnished upon request to
any person or business required to make a notification under subdivision
two of this section] PUBLICLY POSTED ON ITS WEBSITE.
  (E) "CREDIT CARD" SHALL MEAN ANY CARD OR OTHER CREDIT DEVICE ISSUED BY
A  FINANCIAL  INSTITUTION  TO  A  CONSUMER  FOR THE PURPOSE OF PROVIDING
MONEY, PROPERTY, LABOR OR SERVICES ON CREDIT.
  (F) "DEBIT CARD" SHALL MEAN ANY CARD  OR  OTHER  DEVICE  ISSUED  BY  A
FINANCIAL  INSTITUTION TO A CONSUMER FOR USE IN INITIATING AN ELECTRONIC
FUND TRANSFER FROM THE ACCOUNT OF THE CONSUMER AT SUCH FINANCIAL  INSTI-
TUTION,  FOR  THE  PURPOSE  OF  TRANSFERRING  MONEY  BETWEEN ACCOUNTS OR
OBTAINING MONEY, PROPERTY, LABOR, OR SERVICES.
  2. Any person or business which conducts business in New  York  state,
and  which  owns  or  licenses  computerized data which includes private
information shall disclose any breach of  the  security  of  the  system
following discovery or notification of the breach in the security of the
system  to any resident of New York state whose private information was,
or is reasonably believed to have been, acquired  by  a  person  without
valid  authorization OR BY AN UNAUTHORIZED PERSON.  The disclosure shall
be made in the most expedient time  possible  and  without  unreasonable

S. 6834--A                          3

delay,  consistent  with  the  legitimate  needs  of law enforcement, as
provided in subdivision four of this section, or any measures  necessary
to determine the scope of the breach and restore the [reasonable] integ-
rity of the system.
  5.  The  notice required by this section shall be directly provided to
the affected persons by one of the following methods:
  (a) written notice;
  (b) electronic notice, provided that the  person  to  whom  notice  is
required  has expressly consented to receiving said notice in electronic
form and a log of each such notification is kept by the person or  busi-
ness  who  notifies  affected  persons  in  such form; provided further,
however, that in no case shall any person or business require  a  person
to  consent  to  accepting  said  notice  in said form as a condition of
establishing any business relationship or engaging in any transaction.
  (c) telephone notification provided that a log of each such  notifica-
tion is kept by the person or business who notifies affected persons; or
  (d)  Substitute notice, if a business demonstrates to the state attor-
ney general that the cost of providing notice would exceed  two  hundred
fifty thousand dollars, or that the affected class of subject persons to
be  notified  exceeds  five  hundred thousand, or such business does not
have sufficient contact information. Substitute notice shall consist  of
all of the following:
  (1)  e-mail  notice  when  such business has an e-mail address for the
subject persons, PROVIDED THE BREACHED INFORMATION DOES NOT  INCLUDE  AN
E-MAIL  ADDRESS  IN COMBINATION WITH A PASSWORD OR SECURITY QUESTION AND
ANSWER THAT WOULD PERMIT ACCESS TO THE ONLINE ACCOUNT,  IN  WHICH  CASE,
NOTICE SHOULD BE PROVIDED AS DESCRIBED IN PARAGRAPH (E) OF THIS SUBDIVI-
SION;
  (2)  conspicuous  posting  of  the  notice on such business's web site
page, if such business maintains one; and
  (3) notification to major statewide media.
  (E) IN THE CASE OF A BREACH OF THE SECURITY OF THE SYSTEM INVOLVING AN
E-MAIL ADDRESS IN COMBINATION WITH A PASSWORD OR SECURITY  QUESTION  AND
ANSWER  THAT  WOULD  PERMIT  ACCESS TO THE ONLINE ACCOUNT AS OUTLINED IN
SUBPARAGRAPH (II) OF PARAGRAPH (B) OF SUBDIVISION ONE OF  THIS  SECTION,
AND NO OTHER PRIVATE INFORMATION DEFINED IN PARAGRAPH (B) OF SUBDIVISION
ONE  OF  THIS SECTION, THE PERSON OR BUSINESS SHALL NOT COMPLY WITH THIS
SECTION BY PROVIDING THE SECURITY BREACH  NOTIFICATION  TO  THAT  E-MAIL
ACCOUNT,  BUT SHALL INSTEAD COMPLY WITH THIS SECTION BY PROVIDING NOTICE
BY ANOTHER METHOD DESCRIBED IN THIS SUBDIVISION OR BY CLEAR AND CONSPIC-
UOUS NOTICE DELIVERED TO  THE  CONSUMER  ONLINE  WHEN  THE  CONSUMER  IS
CONNECTED  TO  THE  ONLINE  ACCOUNT FROM AN INTERNET PROTOCOL ADDRESS OR
FROM AN ONLINE LOCATION WHICH THE PERSON OR BUSINESS KNOWS THE  CONSUMER
CUSTOMARILY ACCESSES THE ONLINE ACCOUNT.
  (F)  ANY CREDIT OR DEBIT CARD ISSUER THAT ISSUES A NEW CREDIT OR DEBIT
CARD AS A RESULT OF A BREACH OF THE SECURITY OF THE SYSTEM  PURSUANT  TO
PARAGRAPH  (C)  OF SUBDIVISION ONE OF THIS SECTION, SHALL PROVIDE NOTICE
PRIOR TO THE ISSUANCE OF ANY REPLACEMENT CREDIT OR DEBIT CARD ABSENT ANY
DOCUMENTED EVIDENCE OF UNAUTHORIZED USE OF SUCH CREDIT OR DEBIT CARD.
  6. (a) whenever the  attorney  general  shall  believe  from  evidence
satisfactory  to  him  that  there is a violation of this article he may
bring an action in the name and on behalf of the people of the state  of
New  York, in a court of justice having jurisdiction to issue an injunc-
tion, to enjoin and restrain the continuation of  such  violation.    In
such action, preliminary relief may be granted under article sixty-three
of  the civil practice law and rules. In such action the court may award

S. 6834--A                          4

damages for actual costs or losses incurred  by  a  person  entitled  to
notice  pursuant  to  this  article, if notification was not provided to
such person pursuant to this article, including consequential  financial
losses.  Whenever the court shall determine in such action that a person
or business violated this article knowingly or recklessly, the court may
impose a civil penalty of the greater of [five] TEN thousand dollars  or
up to [ten] TWENTY dollars per instance of failed notification, provided
that the latter amount shall not exceed [one] TWO hundred fifty thousand
dollars.
  (b)  the remedies provided by this section shall be in addition to any
other lawful remedy available.
  (c) no action may be brought under  the  provisions  of  this  section
unless  such  action is commenced within [two] THREE years [immediately]
after EITHER the date [of the act complained of or the date of discovery
of such act] THE ACT WAS DISCOVERED OR, THE DATE OF NOTICE SENT PURSUANT
TO PARAGRAPH (A) OF SUBDIVISION EIGHT OF THIS SECTION.
  7. Regardless of the method by which notice is provided,  such  notice
shall  include contact information for the person or business making the
notification, THE TELEPHONE NUMBERS AND WEBSITES OF THE  RELEVANT  STATE
AND  FEDERAL AGENCIES THAT PROVIDE INFORMATION REGARDING SECURITY BREACH
RESPONSE AND IDENTITY THEFT PREVENTION AND PROTECTION INFORMATION, and a
description of the categories of information that were, or  are  reason-
ably  believed to have been, acquired by a person without valid authori-
zation OR BY AN UNAUTHORIZED PERSON, including specification of which of
the elements of personal information and private  information  were,  or
are reasonably believed to have been, so acquired.
  8.  (a)  In  the event that any New York residents are to be notified,
the person or business shall notify  the  state  attorney  general,  the
department  of state and the [division of state police] OFFICE OF INFOR-
MATION TECHNOLOGY SERVICES as to the timing, content and distribution of
the notices [and], approximate number of affected persons AND PROVIDE  A
COPY  OF  THE  TEMPLATE  OF  THE NOTICE SENT TO AFFECTED PERSONS.   Such
notice shall be made without delaying notice to affected New York  resi-
dents.
  (b)  In  the event that more than five thousand New York residents are
to be notified at one time, the person or  business  shall  also  notify
consumer  reporting  agencies as to the timing, content and distribution
of the notices and approximate number of affected persons.  Such  notice
shall be made without delaying notice to affected New York residents.
  9. THE DEPARTMENT OF STATE SHALL RECEIVE AND RESPOND TO COMPLAINTS AND
INQUIRIES  RELATING  TO  ANY  BREACH OF THE SECURITY OF THE SYSTEM, MAKE
REFERRALS AS APPROPRIATE AND IN  COOPERATION  WITH  THE  STATE  ATTORNEY
GENERAL AND THE OFFICE OF INFORMATION TECHNOLOGY SERVICES DEVELOP, REGU-
LARLY  UPDATE AND MAKE PUBLICLY AVAILABLE INFORMATION RELATING TO HOW TO
RESPOND TO A BREACH OF THE SECURITY OF THE SYSTEM AND BEST PRACTICES FOR
HOW TO PREVENT A BREACH OF THE SECURITY OF THE SYSTEM.
  10. The provisions of  this  section  shall  be  exclusive  and  shall
preempt  any provisions of local law, ordinance or code, and no locality
shall impose requirements that are inconsistent with or more restrictive
than those set forth in this section.
  S 2. Paragraphs (a) and (d) of subdivision 1 and subdivisions 2, 6,  7
and 8 of section 208 of the state technology law, paragraphs (a) and (d)
of  subdivision  1 and subdivision 8 as added by chapter 442 of the laws
of 2005, subdivision 2 and paragraph (a) of subdivision 7 as amended  by
section 5 of part N of chapter 55 of the laws of 2013 and subdivisions 6

S. 6834--A                          5

and 7 as amended by chapter 491 of the laws of 2005, are amended to read
as follows:
  (a)  "Private  information"  shall  mean:  (I) personal information in
combination with any one or more of the following  data  elements,  when
either  the personal information or the data element is not encrypted or
encrypted with an encryption key that has also been acquired:
  (1) social security number;
  (2) driver's license number or non-driver identification card  number;
[or]
  (3)  account  number, credit or debit card number, in combination with
any required security code, access code, or password which would  permit
access to an individual's financial account; OR
  (4)  BIOMETRIC  INFORMATION, MEANING DATA GENERATED BY AUTOMATIC MEAS-
UREMENTS OF AN INDIVIDUAL'S PHYSICAL CHARACTERISTICS, WHICH ARE USED  BY
THE OWNER OR LICENSEE TO AUTHENTICATE THE INDIVIDUAL'S IDENTITY;
  (II)  A  USER NAME OR E-MAIL ADDRESS IN COMBINATION WITH A PASSWORD OR
SECURITY QUESTION AND ANSWER THAT  WOULD  PERMIT  ACCESS  TO  AN  ONLINE
ACCOUNT; OR
  (III)  ANY  UNSECURED  PROTECTED  HEALTH INFORMATION AS DEFINED IN THE
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996  (45  C.F.R.
PTS. 160, 162, 164), AS AMENDED FROM TIME TO TIME.
  "Private  information" does not include publicly available information
that is lawfully made available to  the  general  public  from  federal,
state, or local government records.
  (d) "Consumer reporting agency" shall mean any person which, for mone-
tary  fees, dues, or on a cooperative nonprofit basis, regularly engages
in whole or in part in the practice of assembling or evaluating consumer
credit information or other information on consumers for the purpose  of
furnishing  consumer  reports to third parties, and which uses any means
or facility of interstate commerce  for  the  purpose  of  preparing  or
furnishing consumer reports. A list of consumer reporting agencies shall
be compiled by the state attorney general and [furnished upon request to
state  entities required to make a notification under subdivision two of
this section] PUBLICLY POSTED ON ITS WEBSITE.
  2. Any state entity that  owns  or  licenses  computerized  data  that
includes  private  information shall disclose any breach of the security
of the system following discovery or notification of the breach  in  the
security  of  the system to any resident of New York state whose private
information was, or is reasonably believed to have been, acquired  by  a
person  without  valid  authorization  OR  AN UNAUTHORIZED PERSON.   The
disclosure shall be made in the most expedient time possible and without
unreasonable delay, consistent with the legitimate needs of law enforce-
ment, as provided in subdivision four of this section, or  any  measures
necessary  to determine the scope of the breach and restore the [reason-
able] integrity of the data system.  The state entity shall consult with
the state office of information technology  services  to  determine  the
scope  of the breach and restoration measures. WITHIN NINETY DAYS OF THE
NOTICE OF THE BREACH, THE  OFFICE  OF  INFORMATION  TECHNOLOGY  SERVICES
SHALL DELIVER A REPORT ON THE SCOPE OF THE BREACH AND RECOMMENDATIONS TO
RESTORE AND IMPROVE THE SECURITY OF THE SYSTEM TO THE STATE ENTITY.
  6.  Regardless  of the method by which notice is provided, such notice
shall include contact  information  for  the  state  entity  making  the
notification,  THE  TELEPHONE  NUMBERS AND THE WEBSITES FOR THE RELEVANT
STATE AND FEDERAL AGENCIES THAT PROVIDE INFORMATION  REGARDING  SECURITY
BREACH RESPONSE AND IDENTITY THEFT PREVENTION AND PROTECTION INFORMATION
and  a  description  of  the categories of information that were, or are

S. 6834--A                          6

reasonably believed to have been, acquired by  a  person  without  valid
authorization  OR  AN  UNAUTHORIZED  PERSON,  including specification of
which of the elements of personal information  and  private  information
were, or are reasonably believed to have been, so acquired.
  7.  (a)  In  the event that any New York residents are to be notified,
the state entity shall notify the state attorney general, the department
of state and the state office of information technology services  as  to
the  timing,  content  and  distribution  of the notices and approximate
number of affected persons AND PROVIDE A COPY OF  THE  TEMPLATE  OF  THE
NOTICE  SENT  TO  AFFECTED  PERSONS.   Such notice shall be made without
delaying notice to affected New York residents.
  (b) In the event that more than five thousand New York  residents  are
to  be notified at one time, the state entity shall also notify consumer
reporting agencies as to the timing, content  and  distribution  of  the
notices and approximate number of affected persons. Such notice shall be
made without delaying notice to affected New York residents.
  8.  THE STATE OFFICE OF INFORMATION TECHNOLOGY SERVICES SHALL DEVELOP,
UPDATE AND PROVIDE REGULAR TRAINING TO ALL STATE  ENTITIES  RELATING  TO
BEST  PRACTICES  FOR  THE  PREVENTION OF A BREACH OF THE SECURITY OF THE
SYSTEM.
   9. Any entity listed in subparagraph two of paragraph (c) of subdivi-
sion one of this section shall adopt a notification policy no more  than
one  hundred  twenty days after the effective date of this section. Such
entity may develop a notification policy which is consistent  with  this
section  or  alternatively  shall  adopt a local law which is consistent
with this section.
  S 3. This act shall take effect January 1, 2017.

2015-S6834B (ACTIVE) - Details

Current Committee:: Senate Consumer Protection
Law Section:: General Business Law
Laws Affected:: Amd §899-aa, Gen Bus L; amd §208, St Tech L
Versions Introduced in 2017-2018 Legislative Session:: S5601

2015-S6834B (ACTIVE) - Summary

Relates to notification of a security breach; includes credit and debit card; increases civil penalties.

2015-S6834B (ACTIVE) - Sponsor Memo

                                 BILL NUMBER:  S6834B

 TITLE OF BILL :  An act to amend the general business law and the
state technology law, in relation to notification of a security breach

 PURPOSE :

New York's data breach notification law needs to be updated to keep
pace with current technology. This bill broadens the scope of
information covered under the notification law and updates the
notification requirements when there has been a breach of data.

 SUMMARY OF PROVISIONS :

Section One of this bill amends subdivisions 1, 2, 6, 7, 8, and 9 of
Section 899-aa of the General Business law.

Subdivision 1 is amended to include biometric information, email
addresses with their corresponding passwords or security questions and
answers, and protected health information as defined under HIPAA as
"private information." Paragraph (c) of subdivision 1 is amended to
reflect the updated definition of "private information". Paragraph (d)
of subdivision 1 is amended to require the New York Attorney General
to publically post a list of consumer reporting agencies on its
website. Paragraphs (e) and (f) of subdivision 1 are added to provide
definitions for "credit card" and "debit card."

Subdivision 2 of Section 899-aa of the General Business law is amended
to further define the situation when a business would need to disclose
a breach of their security system.

Subdivision 5 of Section 899-aa of the General Business law is amended
to update how a business complies with the notice requirements as a
result of a data breach, with specific provisions regarding when an
e-mail account with corresponding login information is breached and
provisions regarding when a breach affects a credit or debit card
issuer.

Subdivision 6 of Section 899-aa of the General Business law is amended
to increase the civil penalty that may be imposed on a business that
knowingly or recklessly violated the data notification section of law.
Subdivision 6 is also amended to clarify the attorney general's
statute of limitations to bring an action for a violation of the
notification law.

Subdivision 7 of Section 899-aa of the General Business law is amended
to require notification will include contact information for relevant
government authorities that provide information regarding security
breach response and identity theft prevention.

Subdivision 8 of Section 899-aa of the General Business law is amended
to require that, when New York residents are to be notified under this
act, businesses also notify to the New York Attorney General, the
Department of State, and the Office of Information Technology Services
with information concerning their notification of New York residents.

Subdivision 9 of Section 899-aa of the General Business law is amended
to require the New York Department of State to receive and respond to
inquiries relating to any breach of information security, work in
cooperation with the New York Attorney General and the Office of
Information Technology Services to develop, update, and make
publically available information and best practices regarding the
response to and prevention of security breaches.



Section Two of this bill amends paragraph (d) of subdivision 1, and
subdivisions 2, 6, 7, and 8 of Section 208 of the State Technology
law.

Subdivision 1 is amended to include biometric information, email
addresses with their corresponding passwords or security questions and
answers, and protected health information as defined under HIPAA as
"private information." Paragraph (d) of subdivision 1 is amended to
require that the New York Attorney General publically post a list of
consumer reporting agencies to its website.

Subdivision 2 of Section 208 of the State Technology law is amended
such that, when a state entity suffers a breach, the Office of
Information Technology Services shall deliver a report on the scope of
the breach and recommendations to restore and improve that state
entity's information security system.

Subdivision 6 of Section 208 of the State Technology law is amended to
require that notice of a breach include contact information for
relevant state and federal agencies that provide information regarding
security breach response and identity theft prevention.

Subdivision 7 of Section 208 of the State Technology law is amended to
require, when New York residents are to be notified of a breach, that
the state entity responsible for the breach notify the New York
Attorney General, the Department of State, and the Office of
Information Technology Services and include a copy of the template of
the notice sent to the affected residents.

Subdivision 8 of Section 208 of the State Technology law is amended to
require the Office of Information Technology Services to develop,
update, and provide training to all state entities regarding best
practices for preventing security breaches.

Section Three of this bill provides that this act will take effect
January 1, 2017.

 JUSTIFICATION :

New York's current data breach notification law needs to be updated to
keep pace with individuals' use and dissemination of private
information. This bill recognizes the breadth of private information,
so it expands the scope of information included under the current law
to include biometric information, email addresses and their
corresponding passwords or security questions and answers, and
protected health information as defined under HIPAA. It also updates
the notification procedures companies and state entities must follow
when there has been a breach of private information.

 PRIOR LEGISLATIVE HISTORY :

New bill.

 EXISTING LAW :

The NYS Information Security Breach and Notification Act (General
Business Law § 899-aa) provides that in the event of unauthorized
access to "private information," defined as personal information in
combination with a Social Security Number, driver's license or an
account or credit card number, the New York Notification Act requires
the business or state entity to notify affected customers and inform
appropriate authorities. Notification must be made "in the most
expedient time possible and without reasonable delay but subject and
consistent with legitimate needs of law enforcement." The New York
Attorney General is authorized to bring an action against businesses
that violate the New York Notification Act.
Covered state entities are also required to have a notification
policy. The NYS Internet Security and Privacy Act (State Technology
Law Article 2) mirrors many of the statutory provisions provided under
the General Business Law § 899-aa above, and imposes the same
notification requirements on State agencies that handle "private
information" under State Technology Law § 208, paragraph 5.

 FISCAL IMPACT :

None.

 EFFECTIVE DATE :
This act shall take effect January 1, 2017.

2015-S6834B (ACTIVE) - Bill Text download pdf

                            
                    S T A T E   O F   N E W   Y O R K
________________________________________________________________________

                                 6834--B

                            I N  S E N A T E

                            February 26, 2016
                               ___________

Introduced  by Sen. VENDITTO -- read twice and ordered printed, and when
  printed to be committed to the Committee  on  Consumer  Protection  --
  committee  discharged,  bill amended, ordered reprinted as amended and
  recommitted to said committee -- committee discharged,  bill  amended,
  ordered reprinted as amended and recommitted to said committee

AN  ACT  to amend the general business law and the state technology law,
  in relation to notification of a security breach

  THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
BLY, DO ENACT AS FOLLOWS:

  Section  1.  Subdivisions  1, 2, 5, 6, 7, 8 and 9 of section 899-aa of
the general business law, as added by chapter 442 of the laws  of  2005,
paragraph  (c)  of  subdivision  1,  paragraph  (a) of subdivision 6 and
subdivision 8 as amended by chapter 491 of the laws of  2005  and  para-
graph  (a) of subdivision 8 as amended by section 6 of part N of chapter
55 of the laws of 2013, are amended and a new subdivision 5-a  is  added
to read as follows:
  1. As used in this section, the following terms shall have the follow-
ing meanings:
  (a)  "Personal  information"  shall  mean any information concerning a
natural person which, because of name, number, personal mark,  or  other
identifier, can be used to identify such natural person;
  (b)  "Private information" shall mean EITHER: (I) personal information
consisting of any information in combination with any one or more of the
following data elements, when either the  personal  information  or  the
data  element is not encrypted, or encrypted with an encryption key that
has also been acquired:
  (1) social security number;
  (2) driver's license number or non-driver identification card  number;
[or]
  (3)  account  number, credit or debit card number, in combination with
any required security code, access code, or password that  would  permit
access to an individual's financial account; OR

 EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                      [ ] is old law to be omitted.
                                                           LBD09470-16-6

S. 6834--B                          2

  (4)  BIOMETRIC  INFORMATION, MEANING DATA GENERATED BY AUTOMATIC MEAS-
UREMENTS OF AN INDIVIDUAL'S PHYSICAL CHARACTERISTICS, WHICH ARE USED  BY
THE OWNER OR LICENSEE TO AUTHENTICATE THE INDIVIDUAL'S IDENTITY;
  (II)  A  USER NAME OR E-MAIL ADDRESS IN COMBINATION WITH A PASSWORD OR
SECURITY QUESTION AND ANSWER THAT  WOULD  PERMIT  ACCESS  TO  AN  ONLINE
ACCOUNT; OR
  (III)  ANY  UNSECURED  PROTECTED HEALTH INFORMATION HELD BY A "COVERED
ENTITY" AS DEFINED IN THE HEALTH INSURANCE PORTABILITY AND  ACCOUNTABIL-
ITY ACT OF 1996 (45 C.F.R.  PTS. 160, 162, 164), AS AMENDED FROM TIME TO
TIME.
  "Private  information" does not include publicly available information
which is lawfully made available to the  general  public  from  federal,
state, or local government records.
  (c)  "Breach  of  the  security of the system" shall mean unauthorized
acquisition or acquisition without valid authorization  of  computerized
data  that  compromises  the  security, confidentiality, or integrity of
[personal] PRIVATE information maintained  by  a  business.  Good  faith
acquisition of [personal] PRIVATE information by an employee or agent of
the  business  for  the  purposes of the business is not a breach of the
security of the system, provided that the  private  information  is  not
used or subject to unauthorized disclosure.
  In determining whether information has been acquired, or is reasonably
believed  to  have  been acquired, by an unauthorized person or a person
without valid authorization, such business may  consider  the  following
factors, among others:
  (1) indications that the information is in the physical possession and
control  of  A  PERSON WITHOUT VALID AUTHORIZATION OR BY an unauthorized
person, such as a lost or stolen computer  or  other  device  containing
information; or
  (2) indications that the information has been downloaded or copied; or
  (3)  indications  that  the  information  was used by A PERSON WITHOUT
VALID AUTHORIZATION  OR  an  unauthorized  person,  such  as  fraudulent
accounts opened or instances of identity theft reported.
  (d) "Consumer reporting agency" shall mean any person which, for mone-
tary  fees, dues, or on a cooperative nonprofit basis, regularly engages
in whole or in part in the practice of assembling or evaluating consumer
credit information or other information on consumers for the purpose  of
furnishing  consumer  reports to third parties, and which uses any means
or facility of interstate commerce  for  the  purpose  of  preparing  or
furnishing consumer reports. A list of consumer reporting agencies shall
be compiled by the state attorney general and [furnished upon request to
any person or business required to make a notification under subdivision
two of this section] PUBLICLY POSTED ON ITS WEBSITE.
  (E) "CREDIT CARD" SHALL MEAN ANY CARD OR OTHER CREDIT DEVICE ISSUED BY
A  FINANCIAL  INSTITUTION  TO  A  CONSUMER  FOR THE PURPOSE OF PROVIDING
MONEY, PROPERTY, LABOR OR SERVICES ON CREDIT.
  (F) "DEBIT CARD" SHALL MEAN ANY CARD  OR  OTHER  DEVICE  ISSUED  BY  A
FINANCIAL  INSTITUTION TO A CONSUMER FOR USE IN INITIATING AN ELECTRONIC
FUND TRANSFER FROM THE ACCOUNT OF THE CONSUMER AT SUCH FINANCIAL  INSTI-
TUTION,  FOR  THE  PURPOSE  OF  TRANSFERRING  MONEY  BETWEEN ACCOUNTS OR
OBTAINING MONEY, PROPERTY, LABOR, OR SERVICES.
  2. Any person or business which conducts business in New  York  state,
and  which  owns  or  licenses  computerized data which includes private
information shall disclose any breach of  the  security  of  the  system
following discovery or notification of the breach in the security of the
system  to any resident of New York state whose private information was,

S. 6834--B                          3

or is reasonably believed to have been, acquired  by  a  person  without
valid  authorization OR BY AN UNAUTHORIZED PERSON.  The disclosure shall
be made in the most expedient time  possible  and  without  unreasonable
delay,  consistent  with  the  legitimate  needs  of law enforcement, as
provided in subdivision four of this section, or any measures  necessary
to determine the scope of the breach and restore the [reasonable] integ-
rity of the system.
  5.  The  notice required by this section shall be directly provided to
the affected persons by one of the following methods:
  (a) written notice;
  (b) electronic notice, provided that the  person  to  whom  notice  is
required  has expressly consented to receiving said notice in electronic
form and a log of each such notification is kept by the person or  busi-
ness  who  notifies  affected  persons  in  such form; provided further,
however, that in no case shall any person or business require  a  person
to  consent  to  accepting  said  notice  in said form as a condition of
establishing any business relationship or engaging in any transaction.
  (c) telephone notification provided that a log of each such  notifica-
tion is kept by the person or business who notifies affected persons; or
  (d)  substitute notice, if a business demonstrates to the state attor-
ney general that the cost of providing notice would exceed  two  hundred
fifty thousand dollars, or that the affected class of subject persons to
be  notified  exceeds  five  hundred thousand, or such business does not
have sufficient contact information. Substitute notice shall consist  of
all of the following:
  (1)  e-mail  notice  when  such business has an e-mail address for the
subject persons, PROVIDED THE BREACHED INFORMATION DOES NOT  INCLUDE  AN
E-MAIL  ADDRESS  IN COMBINATION WITH A PASSWORD OR SECURITY QUESTION AND
ANSWER THAT WOULD PERMIT ACCESS TO THE ONLINE ACCOUNT,  IN  WHICH  CASE,
THE  PERSON  OR BUSINESS SHALL NOT COMPLY WITH THIS SECTION BY PROVIDING
NOTICE TO THAT E-MAIL  ACCOUNT,  BUT  SHALL  INSTEAD  COMPLY  WITH  THIS
SECTION BY CLEAR AND CONSPICUOUS NOTICE DELIVERED TO THE CONSUMER ONLINE
WHEN  THE  CONSUMER  IS CONNECTED TO THE ONLINE ACCOUNT FROM AN INTERNET
PROTOCOL ADDRESS OR FROM AN ONLINE LOCATION WHICH THE PERSON OR BUSINESS
KNOWS THE CONSUMER CUSTOMARILY ACCESSES THE ONLINE ACCOUNT;
  (2) conspicuous posting of the notice  on  such  business's  web  site
page, if such business maintains one; and
  (3) notification to major statewide media.
  5-A. ANY CREDIT OR DEBIT CARD ISSUER THAT ISSUES A NEW CREDIT OR DEBIT
CARD  AS  A RESULT OF A BREACH OF THE SECURITY OF THE SYSTEM PURSUANT TO
PARAGRAPH (C) OF SUBDIVISION ONE OF  THIS  SECTION,  SHALL  PROVIDE  THE
CONSUMER  NOTICE  THAT  THE  ISSUANCE OF THE REPLACEMENT CREDIT OR DEBIT
CARD IS DUE TO A POTENTIAL COMPROMISE  OF  THE  PRIOR  CARD  ABSENT  ANY
EVIDENCE OF ACTUAL OR POTENTIAL UNAUTHORIZED USE OF SUCH CREDIT OR DEBIT
CARD  OR OTHER CIRCUMSTANCES PRECIPITATING THE ISSUANCE OF A REPLACEMENT
CARD.
  6. (a) whenever the  attorney  general  shall  believe  from  evidence
satisfactory  to  him  that  there is a violation of this article he may
bring an action in the name and on behalf of the people of the state  of
New  York, in a court of justice having jurisdiction to issue an injunc-
tion, to enjoin and restrain the continuation of  such  violation.    In
such action, preliminary relief may be granted under article sixty-three
of  the civil practice law and rules. In such action the court may award
damages for actual costs or losses incurred  by  a  person  entitled  to
notice  pursuant  to  this  article, if notification was not provided to
such person pursuant to this article, including consequential  financial

S. 6834--B                          4

losses.  Whenever the court shall determine in such action that a person
or business violated this article knowingly or recklessly, the court may
impose a civil penalty of the greater of five thousand dollars or up  to
[ten]  TWENTY dollars per instance of failed notification, provided that
the latter amount shall not exceed  [one]  TWO  hundred  fifty  thousand
dollars.
  (b)  the remedies provided by this section shall be in addition to any
other lawful remedy available.
  (c) no action may be brought under  the  provisions  of  this  section
unless  such  action  is  commenced within two years [immediately] after
EITHER the date [of the act complained of or the date  of  discovery  of
such  act]  ON WHICH THE ATTORNEY GENERAL BECAME AWARE OF THE VIOLATION,
OR THE DATE OF NOTICE SENT PURSUANT  TO  PARAGRAPH  (A)  OF  SUBDIVISION
EIGHT OF THIS SECTION, WHICHEVER OCCURS FIRST.
  7.  Regardless  of the method by which notice is provided, such notice
shall include contact information for the person or business making  the
notification,  THE  TELEPHONE NUMBERS AND WEBSITES OF THE RELEVANT STATE
AND FEDERAL AGENCIES THAT PROVIDE INFORMATION REGARDING SECURITY  BREACH
RESPONSE AND IDENTITY THEFT PREVENTION AND PROTECTION INFORMATION, and a
description  of  the categories of information that were, or are reason-
ably believed to have been, acquired by a person without valid  authori-
zation OR BY AN UNAUTHORIZED PERSON, including specification of which of
the  elements  of  personal information and private information were, or
are reasonably believed to have been, so acquired.
  8. (a) In the event that any New York residents are  to  be  notified,
the  person  or  business  shall  notify the state attorney general, the
department of state and the [division of state police] OFFICE OF  INFOR-
MATION TECHNOLOGY SERVICES as to the timing, content and distribution of
the  notices [and], approximate number of affected persons AND PROVIDE A
COPY OF THE TEMPLATE OF THE NOTICE  SENT  TO  AFFECTED  PERSONS.    Such
notice  shall be made without delaying notice to affected New York resi-
dents.
  (b) In the event that more than five thousand New York  residents  are
to  be  notified  at  one time, the person or business shall also notify
consumer reporting agencies as to the timing, content  and  distribution
of  the  notices and approximate number of affected persons. Such notice
shall be made without delaying notice to affected New York residents.
  9. THE DEPARTMENT  OF  STATE  SHALL  RECEIVE  COMPLAINTS  PURSUANT  TO
SECTION NINETY-FOUR-A OF THE EXECUTIVE LAW RELATING TO ANY BREACH OF THE
SECURITY OF THE SYSTEM, MAKE REFERRALS AS APPROPRIATE AND IN COOPERATION
WITH THE STATE ATTORNEY GENERAL AND THE OFFICE OF INFORMATION TECHNOLOGY
SERVICES  DEVELOP, REGULARLY UPDATE AND MAKE PUBLICLY AVAILABLE INFORMA-
TION RELATING TO HOW TO RESPOND TO A  BREACH  OF  THE  SECURITY  OF  THE
SYSTEM AND BEST PRACTICES FOR HOW TO PREVENT A BREACH OF THE SECURITY OF
THE SYSTEM.
  10.  The  provisions  of  this  section  shall  be exclusive and shall
preempt any provisions of local law, ordinance or code, and no  locality
shall impose requirements that are inconsistent with or more restrictive
than those set forth in this section.
  S  2. Paragraphs (a) and (d) of subdivision 1 and subdivisions 2, 6, 7
and 8 of section 208 of the state technology law, paragraphs (a) and (d)
of subdivision 1 and subdivision 8 as added by chapter 442 of  the  laws
of  2005, subdivision 2 and paragraph (a) of subdivision 7 as amended by
section 5 of part N of chapter 55 of the laws of 2013 and subdivisions 6
and 7 as amended by chapter 491 of the laws of 2005, are amended to read
as follows:

S. 6834--B                          5

  (a) "Private information" shall  mean:  (I)  personal  information  in
combination  with  any  one or more of the following data elements, when
either the personal information or the data element is not encrypted  or
encrypted with an encryption key that has also been acquired:
  (1) social security number;
  (2)  driver's license number or non-driver identification card number;
[or]
  (3) account number, credit or debit card number, in  combination  with
any  required security code, access code, or password which would permit
access to an individual's financial account; OR
  (4) BIOMETRIC INFORMATION, MEANING DATA GENERATED BY  AUTOMATIC  MEAS-
UREMENTS  OF AN INDIVIDUAL'S PHYSICAL CHARACTERISTICS, WHICH ARE USED BY
THE OWNER OR LICENSEE TO AUTHENTICATE THE INDIVIDUAL'S IDENTITY;
  (II) A USER NAME OR E-MAIL ADDRESS IN COMBINATION WITH A  PASSWORD  OR
SECURITY  QUESTION  AND  ANSWER  THAT  WOULD  PERMIT ACCESS TO AN ONLINE
ACCOUNT; OR
  (III) ANY UNSECURED PROTECTED HEALTH INFORMATION  HELD  BY  A  COVERED
ENTITY AS DEFINED IN THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY
ACT  OF  1996  (45 C.F.R.   PTS. 160, 162, 164), AS AMENDED FROM TIME TO
TIME.
  "Private information" does not include publicly available  information
that  is  lawfully  made  available  to the general public from federal,
state, or local government records.
  (d) "Consumer reporting agency" shall mean any person which, for mone-
tary fees, dues, or on a cooperative nonprofit basis, regularly  engages
in whole or in part in the practice of assembling or evaluating consumer
credit  information or other information on consumers for the purpose of
furnishing consumer reports to third parties, and which uses  any  means
or  facility  of  interstate  commerce  for  the purpose of preparing or
furnishing consumer reports. A list of consumer reporting agencies shall
be compiled by the state attorney general and [furnished upon request to
state entities required to make a notification under subdivision two  of
this section] PUBLICLY POSTED ON ITS WEBSITE.
  2.  Any  state  entity  that  owns  or licenses computerized data that
includes private information shall disclose any breach of  the  security
of  the  system following discovery or notification of the breach in the
security of the system to any resident of New York state  whose  private
information  was,  or is reasonably believed to have been, acquired by a
person without valid authorization  OR  AN  UNAUTHORIZED  PERSON.    The
disclosure shall be made in the most expedient time possible and without
unreasonable delay, consistent with the legitimate needs of law enforce-
ment,  as  provided in subdivision four of this section, or any measures
necessary to determine the scope of the breach and restore the  [reason-
able] integrity of the data system.  The state entity shall consult with
the  state  office  of  information technology services to determine the
scope of the breach and restoration measures. WITHIN NINETY DAYS OF  THE
NOTICE  OF  THE  BREACH,  THE  OFFICE OF INFORMATION TECHNOLOGY SERVICES
SHALL DELIVER A REPORT ON THE SCOPE OF THE BREACH AND RECOMMENDATIONS TO
RESTORE AND IMPROVE THE SECURITY OF THE SYSTEM TO THE STATE ENTITY.
  6. Regardless of the method by which notice is provided,  such  notice
shall  include  contact  information  for  the  state  entity making the
notification, THE TELEPHONE NUMBERS AND THE WEBSITES  FOR  THE  RELEVANT
STATE  AND  FEDERAL AGENCIES THAT PROVIDE INFORMATION REGARDING SECURITY
BREACH RESPONSE AND IDENTITY THEFT PREVENTION AND PROTECTION INFORMATION
and a description of the categories of information  that  were,  or  are
reasonably  believed  to  have  been, acquired by a person without valid

S. 6834--B                          6

authorization OR AN  UNAUTHORIZED  PERSON,  including  specification  of
which  of  the  elements of personal information and private information
were, or are reasonably believed to have been, so acquired.
  7.  (a)  In  the event that any New York residents are to be notified,
the state entity shall notify the state attorney general, the department
of state and the state office of information technology services  as  to
the  timing,  content  and  distribution  of the notices and approximate
number of affected persons AND PROVIDE A COPY OF  THE  TEMPLATE  OF  THE
NOTICE  SENT  TO  AFFECTED  PERSONS.   Such notice shall be made without
delaying notice to affected New York residents.
  (b) In the event that more than five thousand New York  residents  are
to  be notified at one time, the state entity shall also notify consumer
reporting agencies as to the timing, content  and  distribution  of  the
notices and approximate number of affected persons. Such notice shall be
made without delaying notice to affected New York residents.
  8.  THE STATE OFFICE OF INFORMATION TECHNOLOGY SERVICES SHALL DEVELOP,
UPDATE AND PROVIDE REGULAR TRAINING TO ALL STATE  ENTITIES  RELATING  TO
BEST  PRACTICES  FOR  THE  PREVENTION OF A BREACH OF THE SECURITY OF THE
SYSTEM.
   9. Any entity listed in subparagraph two of paragraph (c) of subdivi-
sion one of this section shall adopt a notification policy no more  than
one  hundred  twenty days after the effective date of this section. Such
entity may develop a notification policy which is consistent  with  this
section  or  alternatively  shall  adopt a local law which is consistent
with this section.
  S 3. This act shall take effect January 1, 2017.

Comments

Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.

Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.

Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Senate Bill S6834A

Sponsored By

Archive: Last Bill Status - In Senate Committee Consumer Protection Committee

Bill Amendments

2015-S6834 - Details

2015-S6834 - Summary

2015-S6834 - Sponsor Memo

2015-S6834 - Bill Text download pdf

2015-S6834A - Details

2015-S6834A - Summary

2015-S6834A - Sponsor Memo

2015-S6834A - Bill Text download pdf

2015-S6834B (ACTIVE) - Details

2015-S6834B (ACTIVE) - Summary

2015-S6834B (ACTIVE) - Sponsor Memo

2015-S6834B (ACTIVE) - Bill Text download pdf

Comments

Senate Bill S6834A

Share this bill

Sponsored By

Michael Venditto

Archive: Last Bill Status - In Senate Committee Consumer Protection Committee

Bill Amendments

2015-S6834 - Details

2015-S6834 - Summary

2015-S6834 - Sponsor Memo

2015-S6834 - Bill Text download pdf

2015-S6834A - Details

2015-S6834A - Summary

2015-S6834A - Sponsor Memo

2015-S6834A - Bill Text download pdf

2015-S6834B (ACTIVE) - Details

2015-S6834B (ACTIVE) - Summary

2015-S6834B (ACTIVE) - Sponsor Memo

2015-S6834B (ACTIVE) - Bill Text download pdf

Comments