NY State Senate Bill 2021-S3161

Senate Bill S3161

2021-2022 Legislative Session

Requires certain businesses to offer identity theft prevention and mitigation services in the case of a security breach

download bill text pdf

Archive: Last Bill Status - In Senate Committee Internet And Technology Committee

Introduced
- In Committee Assembly
- In Committee Senate
- On Floor Calendar Assembly
- On Floor Calendar Senate
- Passed Assembly
- Passed Senate
Delivered to Governor
Signed By Governor

Please enter your contact information

First Name

Last Name

Email Address

A valid email address is required.

Home address is used to determine the senate district in which you reside. Your support or opposition to this bill is then shared immediately with the senator who represents you.

Optional services from the NY State Senate:

Create an account. An account allows you to officially support or oppose key legislation, sign petitions with a single click, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Include a custom message for your Senator? (Optional)

Enter a message to your senator. Many New Yorkers use this to share the reasoning behind their support or opposition to the bill. Others might share a personal anecdote about how the bill would affect them or people they care about.

Actions

View Actions

	Assembly Actions - Lowercase Senate Actions - UPPERCASE
Jan 05, 2022	referred to internet and technology
Jan 28, 2021	referred to internet and technology

2021-S3161 (ACTIVE) - Details

See Assembly Version of this Bill:: A3088
Current Committee:: Senate Internet And Technology
Law Section:: General Business Law
Laws Affected:: Amd §899-aa, Gen Bus L
Versions Introduced in Other Legislative Sessions:: 2019-2020: S5721, A7897
2023-2024: S700, A1725

2021-S3161 (ACTIVE) - Summary

Requires certain businesses to offer identity theft prevention and mitigation services in the case of a security breach; exempts businesses under financial hardship.

2021-S3161 (ACTIVE) - Sponsor Memo

                                
 
BILL NUMBER: S3161

SPONSOR: COMRIE
 
TITLE OF BILL:

An act to amend the general business law, in relation to requiring
certain businesses to offer identity theft prevention and mitigation
services in the case of a security breach

 
PURPOSE:

This bill would require any person or business to provide free reason-
able credit report monitoring, identity theft prevention services, and
if applicable, identity theft mitigation services should they suffer a
data breach including a consumer's social security number.

 
SUMMARY OF PROVISIONS:

Section one amends section 899-aa of the general business law by adding
a new subdivision 10 that would require any person or business, other
than a credit reporting agency, to provide free reasonable credit report

monitoring, identity theft prevention services, and if applicable, iden-
tity theft mitigation services should they suffer a data breach includ-
ing a consumer's social security number. These services would be
required to be provided to affected consumers for a minimum of two
years. Additionally such person or business would be required to provide
notice to a consumer whose social security number was disclosed on how
to obtain such services free of charge. This section also provides that
any person or small business may apply to the Department of Financial
Services for a financial hardship waiver if they are able to demonstrate
to the Department that these requirements would impose a financial hard-
ship.

Section two sets the effective date.

 
JUSTIFICATION:

Data and security breaches are an all too common occurrence in the
modern age. Such breaches occur among many large corporations such as
Yahoo, Marriott, EBay, Target and JP Morgan. The theft of personal data,
including Social Security Numbers puts consumers at inordinate risk for
dire financial consequences, such as having their identity stolen and
their credit totally ruined.

This legislation would require any person or business to provide free
reasonable credit report monitoring, identity theft prevention services,
and if applicable, identity theft mitigation services should they suffer
a data breach including a consumer's social security number. These
services would be required to be provided to affected consumers for a
minimum of two years. Additionally such person or business would be
required to provide notice to a consumer whose social security number
was disclosed onò how to obtain such services free of charge. The bill
also provides that any person or small business may apply to the Depart-
ment of Financial Services for a financial hardship waiver if they are
able to demonstrate to the Department that these requirements would
impose a financial hardship.

 
LEGISLATIVE HISTORY:

Passed Senate 2019-20 Session.

 
FISCAL IMPLICATIONS:

None.

 
EFFECTIVE DATE:
This act shall take effect on the 180th day after it shall have become
law. Effective immediately, the addition, amendment and/or repeal of any
rule or regulation necessary for the implementation of this act on its
effective date are authorized to be made and completed on or before such
effective date.

2021-S3161 (ACTIVE) - Bill Text download pdf

                            
 
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                   3161
 
                        2021-2022 Regular Sessions
 
                             I N  S E N A T E
 
                             January 28, 2021
                                ___________
 
 Introduced  by  Sen.  COMRIE -- read twice and ordered printed, and when
   printed to be committed to the Committee on Internet and Technology
 
 AN ACT to amend the general  business  law,  in  relation  to  requiring
   certain  businesses  to offer identity theft prevention and mitigation
   services in the case of a security breach

   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section  1.  Subdivision  10 of section 899-aa of the general business
 law, as renumbered by chapter 117 of the laws of 2019, is renumbered  to
 be subdivision 11 and a new subdivision 10 is added to read as follows:
   10. (A) WHERE A SECURITY BREACH FROM A PERSON OR BUSINESS OTHER THAN A
 CONSUMER  CREDIT REPORTING AGENCY INCLUDES A SOCIAL SECURITY NUMBER, AND
 THAT PERSON OR BUSINESS IS REQUIRED TO PROVIDE NOTICE UNDER  SUBDIVISION
 TWO  OF  THIS SECTION, THAT PERSON OR BUSINESS SHALL OFFER EACH RESIDENT
 OF THIS STATE WHOSE SOCIAL SECURITY NUMBER WAS DISCLOSED IN  THE  BREACH
 OF  SECURITY  OR  IS  REASONABLY  BELIEVED TO HAVE BEEN DISCLOSED IN THE
 BREACH OF SECURITY, REASONABLE CREDIT REPORT MONITORING, IDENTITY  THEFT
 PREVENTION  SERVICES  AND,  IF  APPLICABLE,  IDENTITY  THEFT  MITIGATION
 SERVICES AT NO COST TO SAID RESIDENT FOR A PERIOD OF NOT LESS THAN TWEN-
 TY-FOUR MONTHS. THE DISCLOSURE  REQUIRED  BY  SUBDIVISION  TWO  OF  THIS
 SECTION  SHALL  INCLUDE  INFORMATION  FOR ANY RESIDENT OF NEW YORK STATE
 WHOSE SOCIAL SECURITY NUMBER WAS DISCLOSED AS A RESULT OF A DATA  BREACH
 TO  OBTAIN  FREE,  REASONABLE  CREDIT  REPORT MONITORING, IDENTITY THEFT
 PREVENTION  SERVICES  AND,  IF  APPLICABLE,  IDENTITY  THEFT  MITIGATION
 SERVICES AS DESCRIBED IN THIS SECTION.
   (B)  THE  REQUIREMENT  TO PROVIDE TWENTY-FOUR MONTHS OF IDENTITY THEFT
 MITIGATION SERVICES SHALL NOT APPLY TO ANY INDIVIDUAL  PERSON  OR  SMALL
 BUSINESS  AS  DEFINED  IN SECTION ONE HUNDRED THIRTY-ONE OF THE ECONOMIC
 DEVELOPMENT LAW THAT CAN DEMONSTRATE A FINANCIAL HARDSHIP DIRECTLY OWING
 TO SUCH COMPLIANCE. A REQUEST FOR A FINANCIAL HARDSHIP WAIVER  SHALL  BE
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD05740-01-1

 S. 3161                             2
 
 MADE  TO  THE  COMMISSIONER OF THE DEPARTMENT OF FINANCIAL SERVICES ON A
 FORM PRESCRIBED BY THE DEPARTMENT OF FINANCIAL SERVICES.
   § 2. This act shall take effect on the one hundred eightieth day after
 it shall have become a law.  Effective immediately, the addition, amend-
 ment and/or repeal of any rule or regulation necessary for the implemen-
 tation  of  this act on its effective date are authorized to be made and
 completed on or before such effective date.

Comments

Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.

Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.

Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.