NEW YORK STATE ASSEMBLY MEMORANDUM IN SUPPORT OF LEGISLATION submitted in accordance with Assembly Rule III, Sec 1(f)

BILL NUMBER: A6866
SPONSOR: Dinowitz

TITLE OF BILL: An act to amend the general business law and the state technology law, in relation to the data security act

PURPOSE:
New York's data security law is outdated and out of touch. The current legal framework is weak and reactive. The purpose of this bill is to expand protection of consumers' "private information" and to reward businesses that adopt model data security procedures. First, this bill expands protection by broadening the definition of private information. Second, this bill strengthens protection by requiring companies to adopt reasonable data security standards. Finally, this bill rewards businesses that adopt heightened data security standards by creating a series of presumptions and safe harbors.
 
SUMMARY OF PROVISIONS:
Section 1. Provides that the act shall be known and may be cited as the data security act.
Section 2. Amends the definition of "private information" in General Business Law § 899-aa to include biometric information (i.e., data generated by automatic measurements of an individual's physical characteristics, which are used by the owner or licensee to authenticate the individual's identity), online credentials (i.e., a user name or email address in combination with a password or security question and answer that would permit access), and any unsecured protected health information as defined in the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. pts. 160, 162, 164), as amended.
Section 3. Amends § 899-aa(4) of the General Business Law to provide that forensic reports that are produced to local and state law enforcement agencies, for the purposes of investigating and identifying those responsible for a data breach, shall not constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection. This section also states that forensic reports so produced are not subject to New York's Freedom of Information Law. Amends § 899-aa(5) and adds a notice provision that, in the case of a breach of a user name and password, allows for email notice, and in the case of an email account, allows for other electronic notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.
Section 4. Amends the penalties provided for in § 899-aa(6)(a) for "knowingly" or "recklessly" violating General Business Law § 899-aa, by increasing the maximum penalty from $150,000 to one million dollars.
Section 5. Amends the definition of "private information" in New York State Technology Law § 208 to include online credentials (i.e., a user name or email address in combination with a password or security question and answer that would permit access) and any unsecured protected health information as defined in the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. pts. 160, 162, 164), as amended.
Section 6. Adds a new § 899-bb to the General Business Law to:
Part 1 - Reasonable Data Security Requirements. Requires that any person or business that conducts business in the state of New York and owns or licenses private information must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information, including disposal of data.
Part 2 - Rebuttable Presumption. Persons or businesses that conduct business in New York and are certified through independent, third-party audits annually by licensed insurers under this section shall have a rebuttable presumption. This rebuttable presumption states that the business or person maintained reasonable data security safeguards to protect the security, confidentiality and integrity of the private information.
Part 3 - Certification. Authorizes and requires the Department of Financial Services ("DFS") to issue regulations allowing certain independent, third-party, licensed insurers to conduct audits and certify that an entity has met the reasonable safeguard standards under § 899-bb(1)(b)(vii).
Part 4 - Safe Harbor. If a covered person or business complies with NIST (an agency of the United States Department of Commerce) Special Publication 800-53, the covered person or business shall not be liable to the New York Attorney General's office or any affected New York consumer as a result of unauthorized access to private information by a third party. To be eligible for this safe harbor, entities must be annually assessed as compliant with this heightened standard. This assessment must be done by an independent, third-party licensed assessment organization, accredited by FedRAMP and the General Services Administration. Currently, there are 31 accredited third-party assessment organizations, and they are listed online.
Part 5 - Enforcement. Provides that the attorney general may seek an injunction and damages for actual costs or losses incurred by a person as a result of failure to adopt the protections provided in this section, including consequential financial losses, as well as penalties of up to $250 per person, up to $10 million. Evidence of financial loss is not required for the court to impose a penalty under this section. Whenever the court shall determine that a person or business violated this section knowingly or recklessly, the court may impose a civil penalty of up to one thousand dollars per person; provided, however, that the aggregate amount of any civil penalties so imposed shall not exceed the greater of fifty million dollars or three times the aggregate amount of any actual costs and losses as determined by the court. Also provides for a statute of limitations of three years immediately after the date of the act complained of or the date of discovery of such act.
Section 7. Adds a new § 208(9) to the New York State Technology Law that mirrors the new § 899-bb(2) of the General Business Law.
Section 8. The bill has an effective date of January 1, 2016.
 
JUSTIFICATION:
It will take a "cyber-Pearl Harbor" to wake up the nation to the vulnerabilities in its computer systems. When Secretary of Defense Leon E. Panetta uttered the words "cyber-Pearl Harbor," it was not intended to be hyperbolic. Rather, Panetta was describing a collective cyberattack, one that would cause "physical destruction and the loss of life," that "would paralyze and shock the nation, (creating) a new, profound sense of vulnerability." While cyber-attacks to date have not yet resulted in wholesale catastrophe, they are exponentially increasing in breadth and magnitude, threatening the security of businesses and customers alike.
New York's data security law is outdated, toothless and fails to address some of the fundamental issues concerning data security breaches. For example, there is no black-letter law requiring a company to maintain "reasonable data security," except if it collects Social Security Numbers. The law only requires that a company provide notice to consumers and the New York Attorney General's office if there is a breach of "private information," which is generally defined as a name in combination with a Social Security Number, driver's license or an account or credit card number.
This legal framework is weak and reactive. It does not address the current crisis in data security, and has done little to prevent data breaches such as the recent breaches of Home Depot and Target. Moreover, our present law fails to acknowledge a basic fact about data breaches: they can happen to anyone, even those businesses that employ the strictest data security measures available. Those who meet top standards for security should be treated by law enforcement as victims of a crime, not perpetrators.
This bill addresses the deficiencies in our legal framework. Specifically, this bill expands and strengthens protection for sensitive information and rewards those who adopt model data security practices.
 
PRIOR LEGISLATIVE HISTORY:
None
 
EXISTING LAW:
The NYS Information Security Breach and Notification Act (General Business Law § 899-aa) provides that, in the event of unauthorized access to "private information," defined as personal information in combination with a Social Security Number, driver's license or an account or credit card number, the business or state entity must notify affected customers and inform appropriate authorities. Notification must be made "in the most expedient time possible and without reasonable delay but subject and consistent with legitimate needs of law enforcement." Covered state entities are also required to have a notification policy. The New York Attorney General is granted standing to bring an action against businesses that violate the New York Notification Act.
The New York State Social Security Number Protection Law (General Business Law § 399-dd) protects the use and disclosure of Social Security numbers. The law provides that any covered individual or entity that possesses Social Security numbers must adopt reasonable measures to limit access to the Social Security numbers. Any person or employee who has access to Social Security numbers must have a legitimate reason for the access. Moreover, each covered individual or entity must provide safeguards "necessary" or "appropriate" to preclude unauthorized access and to protect the confidentiality of the numbers. (The law does not define specific measures that are deemed "necessary" or "appropriate".) The first violation of the law may result in a civil penalty of no more than $1,000 for a single violation and $100,000 for multiple violations. Any subsequent violation may result in a civil penalty of no more than $5,000 for a single violation and $250,000 for multiple violations. There is no private cause of action under this law, and only the Attorney General can enforce its provisions.
 
FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS:
None
 
EFFECTIVE DATE:
January 1, 2016.
STATE OF NEW YORK
6866
2015-2016 Regular Sessions
IN ASSEMBLY
April 8, 2015
Introduced by M. of A. DINOWITZ -- (at request of the Department of Law) -- read once and referred to the Committee on Consumer Affairs and Protection

AN ACT to amend the general business law and the state technology law, in relation to the data security act

The People of the State of New York, represented in Senate and Assembly, do enact as follows:
Section 1. This act shall be known and may be cited as the "data security act".

§ 2. The opening paragraph and paragraph (b) of subdivision 1 of section 899-aa of the general business law, as added by chapter 442 of the laws of 2005, are amended to read as follows:
As used in this section, and section eight hundred ninety-nine-bb of this article, the following terms shall have the following meanings:
(b) "Private information" shall mean either: (i) personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired:
(1) social security number;
(2) driver's license number or non-driver identification card number; [or]
(3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; or
(4) biometric information, meaning data generated by automatic measurements of an individual's physical characteristics, which are used by the owner or licensee to authenticate the individual's identity;
(ii) a user name or email address in combination with a password or security question and answer that would permit access to an online account; or

EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted.
LBD08145-09-5
(iii) any unsecured protected health information as defined in the health insurance portability and accountability act of 1996 (45 C.F.R. pts. 160, 162, 164), as amended from time to time.
"Private information" does not include publicly available information which is lawfully made available to the general public from federal, state, or local government records.

§ 3. Subdivisions 4 and 5 of section 899-aa of the general business law, as added by chapter 442 of the laws of 2005, are amended to read as follows:
4. (a) The notification required by this section may be delayed if a law enforcement agency determines that such notification impedes a criminal investigation. The notification required by this section shall be made after such law enforcement agency determines that such notification does not compromise such investigation.
(b) The production of forensic reports to local and state law enforcement agencies for the purposes of investigating and identifying those responsible for a breach of the security of the system shall not constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection, and forensic reports so produced shall not be subject to disclosure under article six of the public officers law.
5. The notice required by this section shall be directly provided to the affected persons by one of the following methods:
(a) written notice;
(b) electronic notice, provided that the person to whom notice is required has expressly consented to receiving said notice in electronic form and a log of each such notification is kept by the person or business who notifies affected persons in such form; provided further, however, that in no case shall any person or business require a person to consent to accepting said notice in said form as a condition of establishing any business relationship or engaging in any transaction[.];
(c) telephone notification provided that a log of each such notification is kept by the person or business who notifies affected persons; or
(d) Substitute notice, if a business demonstrates to the state attorney general that the cost of providing notice would exceed two hundred fifty thousand dollars, or that the affected class of subject persons to be notified exceeds five hundred thousand, or such business does not have sufficient contact information. Substitute notice shall consist of all of the following:
(1) e-mail notice when such business has an e-mail address for the subject persons;
(2) conspicuous posting of the notice on such business's web site page, if such business maintains one; and
(3) notification to major statewide media.
(e) In the case of a breach of the security of the system involving a user name, and password or security question and answer which would permit access to an online account, as provided in subparagraph (ii) of paragraph (b) of subdivision one of this section, and no other private information defined in such paragraph (b), the person or business may comply with this section by providing notification in electronic or other form that directs the person whose private information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts
for which the person whose private information has been breached uses the same information.
(f) In the case of a breach of the security of the system involving the login credentials of an email account furnished by the person or business as provided in subparagraph (ii) of paragraph (b) of subdivision one of this section, the person or business shall not comply with this section by providing the security breach notification to that email address, but shall, instead, comply with this section by providing notice by another method described in this subdivision or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an internet protocol address or online location from which the person or business knows the resident customarily accesses the account.

§ 4. Paragraph (a) of subdivision 6 of section 899-aa of the general business law, as amended by chapter 491 of the laws of 2005, is amended to read as follows:
(a) whenever the attorney general shall believe from evidence satisfactory to him or her that there is a violation of this [article] section he or she may bring an action in the name and on behalf of the people of the state of New York, in a court of justice having jurisdiction to issue an injunction, to enjoin and restrain the continuation of such violation. In such action, preliminary relief may be granted under article sixty-three of the civil practice law and rules. In such action the court may award damages for actual costs or losses incurred by a person entitled to notice pursuant to this [article] section, if notification was not provided to such person pursuant to this [article] section, including consequential financial losses. Whenever the court shall determine in such action that a person or business violated this [article] section knowingly or recklessly, the court may impose a civil penalty of the greater of five thousand dollars or up to ten dollars per instance of failed notification, provided that the latter amount shall not exceed one [hundred fifty thousand] million dollars.

§ 5. Paragraph (a) of subdivision 1 of section 208 of the state technology law, as added by chapter 442 of the laws of 2005, is amended to read as follows:
(a) "Private information" shall mean either: (i) personal information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted or encrypted with an encryption key that has also been acquired:
(1) social security number;
(2) driver's license number or non-driver identification card number; or
(3) account number, credit or debit card number, in combination with any required security code, access code, or password which would permit access to an individual's financial account;
(ii) a user name or email address in combination with a password or security question and answer that would permit access to an online account; or
(iii) any unsecured protected health information as defined in the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. pts. 160, 162, 164), as amended from time to time.
"Private information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

§ 6. The general business law is amended by adding a new section 899-bb to read as follows:
§ 899-bb. Data security requirements. 1. Reasonable safeguards. (a) Any person or business that conducts business in New York state, and owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information, including disposal of data.
(b) The following shall be deemed to be in compliance with paragraph (a) of this subdivision:
(i) A person or business that complies with a state or federal law providing greater protection to private information than that provided by this section;
(ii) A person or business that is subject to and complies with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 to 6809);
(iii) A person or business that complies with current International Standards Organization standards for information security;
(iv) A person or business that is subject to and complies with regulations implementing the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. parts 160 and 164) and the Health Information Technology for Economic and Clinical Health Act, as amended from time to time;
(v) A person or business that complies with current National Institute of Standards and Technology standards as referenced in subdivision three of this section; or
(vi) A person or business that implements an information security program that includes the following:
(A) Administrative safeguards such as the following, in which the person or business:
(I) Designates one or more employees to coordinate the security program;
(II) Identifies reasonably foreseeable internal and external risks;
(III) Assesses the sufficiency of safeguards in place to control the identified risks;
(IV) Trains and manages employees in the security program practices and procedures;
(V) Selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract;
(VI) Adjusts the security program in light of business changes or new circumstances; and
(B) Technical safeguards such as the following, in which the person or business:
(I) Assesses risks in network and software design;
(II) Assesses risks in information processing, transmission and storage;
(III) Detects, prevents and responds to attacks or system failures;
(IV) Regularly tests and monitors the effectiveness of key controls, systems and procedures; and
(C) Physical safeguards such as the following, in which the person or business:
(I) Assesses risks of information storage and disposal;
(II) Detects, prevents and responds to intrusions;
(III) Protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
(IV) Disposes of private information after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
2. Rebuttable presumption. A person or business that obtains an independent, third-party audit and certification annually under the data security standard listed in paragraph (b) of subdivision one of this section shall receive a rebuttable presumption that it maintained reasonable safeguards to protect the security, confidentiality and integrity of the private information.
3. Certification authority and regulation. The department of financial services shall promulgate regulations regarding independent, third-party licensed insurers responsible for certifying entities that meet the reasonable data security requirements set forth in subparagraph (vi) of paragraph (b) of subdivision one of this section.
4. Safe harbor. Any person or business that complies with the most up to date version of the National Institute of Standards and Technology Special Publication 800-53 shall be immune from liability in a civil action, including but not limited to an action brought by the attorney general, resulting from unauthorized access to private information by a third-party absent evidence of willful misconduct, bad faith or gross negligence. Compliance must be certified annually by an independent, third-party licensed insurer, authorized by the National Institute of Standards and Technology.
5. Enforcement. (a) Whenever the attorney general shall believe from evidence satisfactory to him or her that there is a violation of this section he or she may bring an action in the name and on behalf of the people of the state of New York, in a court of justice having jurisdiction to issue an injunction, to enjoin and restrain the continuation of such violation. In such action, preliminary relief may be granted under article sixty-three of the civil practice law and rules. In such action, the court may award damages for actual costs or losses incurred by a person as a result of the failure by a person or business to comply with the data security requirements set forth in this section, including consequential financial losses, as well as a civil penalty of up to two hundred fifty dollars, which penalty may be increased by a factor less than or equal to the number of persons whose private information was compromised; provided however, that the aggregate amount of any civil penalties so imposed shall not exceed ten million dollars. Whenever the court shall determine that a person or business violated this section knowingly or recklessly, the court may, in lieu of imposing a civil penalty as set forth above, instead impose a civil penalty of up to one thousand dollars, which penalty may be increased by a factor less than or equal to the number of persons whose private information was compromised; provided however, that the aggregate amount of any civil penalties so imposed shall not exceed the greater of fifty million dollars or three times the aggregate amount of any actual costs and losses as determined by the court. A court may award a civil penalty pursuant to this paragraph without a showing of financial loss.
(b) The remedies provided by this section shall be in addition to any other lawful remedy available.
(c) No action may be brought under the provisions of this section unless such action is commenced within three years immediately after the date of the act or omission complained of or the date of discovery of such act or omission.

§ 7. Section 208 of the state technology law is amended by adding a new subdivision 9 to read as follows:
9. Data security requirements. (a) Any state entity that owns, maintains, or otherwise possesses private information shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information, including disposal of data.
(b) The following shall be deemed to be in compliance with paragraph (a) of this subdivision:
(i) A state entity that complies with a state or federal law providing greater protection to private information than that provided by this section;
(ii) A state entity that is subject to and complies with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 to 6809);
(iii) A state entity that complies with the most current International Standards Organization standards for information security;
(iv) A state entity that is subject to and complies with regulations implementing the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. parts 160 and 164) and the Health Information Technology for Economic and Clinical Health Act, as amended from time to time;
(v) A state entity that complies with current National Institute of Standards and Technology standards; or
(vi) A state entity that implements an information security program that includes the following:
(A) Administrative safeguards such as the following, in which the state entity:
(I) Designates one or more employees to coordinate the security program;
(II) Identifies reasonably foreseeable internal and external risks;
(III) Assesses the sufficiency of safeguards in place to control the identified risks;
(IV) Trains and manages employees in the security program practices and procedures;
(V) Selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
(VI) Adjusts the security program in light of business changes or new circumstances;
(B) Technical safeguards such as the following, in which the state entity:
(I) Assesses risks in network and software design;
(II) Assesses risks in information processing, transmission and storage;
(III) Detects, prevents and responds to attacks or system failures; and
(IV) Regularly tests and monitors the effectiveness of key controls, systems and procedures; and
(C) Physical safeguards such as the following, in which the state entity:
(I) Assesses risks of information storage and disposal;
(II) Detects, prevents and responds to intrusions;
(III) Protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
(IV) Disposes of private information after it is no longer needed for business purposes or as required by local, state or federal law by erasing electronic media so that the information cannot be read or reconstructed.

§ 8. This act shall take effect January 1, 2016.