Senate Bill S2659A

2023-2024 Legislative Session

Relates to notification of a data breach

download bill text pdf

Sponsored By

Current Bill Status - Passed Senate & Assembly


  • Introduced
    • In Committee Assembly
    • In Committee Senate
    • On Floor Calendar Assembly
    • On Floor Calendar Senate
    • Passed Assembly
    • Passed Senate
  • Delivered to Governor
  • Signed By Governor

Do you support this bill?

Please enter your contact information

Home address is used to determine the senate district in which you reside. Your support or opposition to this bill is then shared immediately with the senator who represents you.

Optional services from the NY State Senate:

Create an account. An account allows you to officially support or oppose key legislation, sign petitions with a single click, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Include a custom message for your Senator? (Optional)

Enter a message to your senator. Many New Yorkers use this to share the reasoning behind their support or opposition to the bill. Others might share a personal anecdote about how the bill would affect them or people they care about.
Actions
Votes

Bill Amendments

2023-S2659 - Details

See Assembly Version of this Bill:
A8872
Law Section:
General Business Law
Laws Affected:
Amd §899-aa, Gen Bus L
Versions Introduced in Other Legislative Sessions:
2017-2018: S6880
2019-2020: S2540
2021-2022: S5808

2023-S2659 - Summary

Provides that a business must provide notification of a data breach within 30 days of such breach; includes the department of financial services to the list of entities that must be notified of a data breach that affects any New York resident.

2023-S2659 - Sponsor Memo

2023-S2659 - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                   2659
 
                        2023-2024 Regular Sessions
 
                             I N  S E N A T E
 
                             January 24, 2023
                                ___________
 
 Introduced  by  Sen.  COMRIE -- read twice and ordered printed, and when
   printed to be committed to the Committee on Internet and Technology
 
 AN ACT to amend the general business law, in relation to notification of
   a data breach
 
   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. The opening paragraph of subdivision 2 and subdivision 3 of
 section 899-aa of the general business law, as amended by chapter 117 of
 the laws of 2019, are amended to read as follows:
   Any  person or business which owns or licenses computerized data which
 includes private information shall disclose any breach of  the  security
 of  the  system following discovery or notification of the breach in the
 security of the system to any resident of New York state  whose  private
 information  was,  or  is  reasonably believed to have been, accessed or
 acquired by a person without valid authorization. The  disclosure  shall
 be  made  in  the  most expedient time possible and without unreasonable
 delay, [consistent with] AND SHALL BE MADE WITHIN FIFTEEN DAYS AFTER THE
 BREACH HAS BEEN DISCOVERED, EXCEPT  FOR  the  legitimate  needs  of  law
 enforcement,  as  provided  in subdivision four of this section[, or any
 measures necessary to determine the scope of the breach and restore  the
 integrity of the system].
   3.  Any  person  or  business  which maintains computerized data which
 includes private information which such person or business does not  own
 shall  notify  the owner or licensee of the information of any breach of
 the security of the system immediately AND WITHIN FIFTEEN DAYS following
 discovery, if the private information was, or is reasonably believed  to
 have been, accessed or acquired by a person without valid authorization.
   §  2.  Paragraph (a) of subdivision 8 of section 899-aa of the general
 business law, as amended by chapter 117 of the laws of 2019, is  amended
 to read as follows:

  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD04602-01-3
 S. 2659                             2
              

2023-S2659A - Details

See Assembly Version of this Bill:
A8872
Law Section:
General Business Law
Laws Affected:
Amd §899-aa, Gen Bus L
Versions Introduced in Other Legislative Sessions:
2017-2018: S6880
2019-2020: S2540
2021-2022: S5808

2023-S2659A - Summary

Provides that a business must provide notification of a data breach within 30 days of such breach; includes the department of financial services to the list of entities that must be notified of a data breach that affects any New York resident.

2023-S2659A - Sponsor Memo

2023-S2659A - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                  2659--A
 
                        2023-2024 Regular Sessions
 
                             I N  S E N A T E
 
                             January 24, 2023
                                ___________
 
 Introduced  by  Sen.  COMRIE -- read twice and ordered printed, and when
   printed to be committed to the Committee on Internet and Technology --
   committee discharged, bill amended, ordered reprinted as  amended  and
   recommitted to said committee
 
 AN ACT to amend the general business law, in relation to notification of
   a data breach

   THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. The opening paragraph of subdivision 2 and subdivision 3 of
 section 899-aa of the general business law, as amended by chapter 117 of
 the laws of 2019, are amended to read as follows:
   Any person or business which owns or licenses computerized data  which
 includes  private  information shall disclose any breach of the security
 of the system following discovery or notification of the breach  in  the
 security  of  the system to any resident of New York state whose private
 information was, or is reasonably believed to  have  been,  accessed  or
 acquired  by  a person without valid authorization. The disclosure shall
 be made in the most expedient time  possible  and  without  unreasonable
 delay, [consistent with] AND SHALL BE MADE WITHIN FIFTEEN DAYS AFTER THE
 BREACH  HAS  BEEN  DISCOVERED,  EXCEPT  FOR  the legitimate needs of law
 enforcement, as provided in subdivision four of this  section[,  or  any
 measures  necessary to determine the scope of the breach and restore the
 integrity of the system].
   3. Any person or business  which  maintains  computerized  data  which
 includes  private information which such person or business does not own
 shall notify the owner or licensee of the information of any  breach  of
 the  security  of the system [immediately] WITHIN FIFTEEN DAYS following
 discovery, if the private information was, or is reasonably believed  to
 have been, accessed or acquired by a person without valid authorization.

  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD04602-02-3
 S. 2659--A                          2
 
              

2023-S2659B (ACTIVE) - Details

See Assembly Version of this Bill:
A8872
Law Section:
General Business Law
Laws Affected:
Amd §899-aa, Gen Bus L
Versions Introduced in Other Legislative Sessions:
2017-2018: S6880
2019-2020: S2540
2021-2022: S5808

2023-S2659B (ACTIVE) - Summary

Provides that a business must provide notification of a data breach within 30 days of such breach; includes the department of financial services to the list of entities that must be notified of a data breach that affects any New York resident.

2023-S2659B (ACTIVE) - Sponsor Memo

2023-S2659B (ACTIVE) - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                  2659--B
     Cal. No. 1562
 
                        2023-2024 Regular Sessions
 
                             I N  S E N A T E
 
                             January 24, 2023
                                ___________
 
 Introduced  by  Sen.  COMRIE -- read twice and ordered printed, and when
   printed to be committed to the Committee on Internet and Technology --
   committee discharged, bill amended, ordered reprinted as  amended  and
   recommitted  to  said  committee  --  recommitted  to the Committee on
   Internet and Technology in accordance with Senate Rule 6,  sec.  8  --
   committee discharged and said bill committed to the Committee on Rules
   --  ordered to a third reading, amended and ordered reprinted, retain-
   ing its place in the order of third reading
 
 AN ACT to amend the general business law, in relation to notification of
   a data breach
 
   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. The opening paragraph of subdivision 2 and subdivision 3 of
 section 899-aa of the general business law, as amended by chapter 117 of
 the laws of 2019, are amended to read as follows:
   Any  person or business which owns or licenses computerized data which
 includes private information shall disclose any breach of  the  security
 of  the  system following discovery or notification of the breach in the
 security of the system to any resident of New York state  whose  private
 information  was,  or  is  reasonably believed to have been, accessed or
 acquired by a person without valid authorization. The  disclosure  shall
 be  made  in  the  most expedient time possible and without unreasonable
 delay, [consistent with] PROVIDED THAT SUCH NOTIFICATION SHALL  BE  MADE
 WITHIN  THIRTY DAYS AFTER THE BREACH HAS BEEN DISCOVERED, EXCEPT FOR the
 legitimate needs of law enforcement, as provided in subdivision four  of
 this  section[,  or any measures necessary to determine the scope of the
 breach and restore the integrity of the system].
   3. Any person or business  which  maintains  computerized  data  which
 includes  private information which such person or business does not own
 shall notify the owner or licensee of the information of any  breach  of
 the  security of the system immediately, PROVIDED THAT SUCH NOTIFICATION
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
              

Comments

Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.

Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.

Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.