Provides that a business must provide notification of a data breach within 30 days of such breach; includes the department of financial services to the list of entities that must be notified of a data breach that affects any New York resident.
NEW YORK STATE ASSEMBLY MEMORANDUM IN SUPPORT OF LEGISLATION submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A8872A
SPONSOR: Sayegh
 
TITLE OF BILL:
An act to amend the general business law, in relation to notification of
a data breach
 
SUMMARY OF PROVISIONS:
This bill amends existing subdivisions 2 and 3 of section 899-aa of the general business law to provide that any person or business which owns or licenses computerized data which includes private information and that experiences a harmful data breach must disclose such breach within 30 days.
 
JUSTIFICATION:
On September 7th, 2017, one of the three major consumer credit reporting agencies in the United States, Equifax, reported that hackers gained access to company data that potentially compromised sensitive information for 143 million American consumers, nearly 44% of the U.S. population. The breach included: social security numbers, driver's license numbers, names, addresses and birth dates. Keys that unlock consumers' medical histories, bank accounts, and employee accounts have also been compromised. Credit card numbers for 209,000 consumers were stolen, and documents with personal information used in disputes for 182,000 people were also stolen.

The attack on Equifax represents one of the largest risks to personally sensitive information in recent years. This incident is the third major cybersecurity threat for the agency since 2015. Just last year, identity thieves successfully hacked critical W-2 tax and salary data from an Equifax website. Earlier this year, thieves again stole W-2 tax data from an Equifax subsidiary, TAM, which provides online payroll, tax and human resources services to some of the nation's largest corporations. According to investigations, criminals gained access to certain files in the company's system from mid-May to July, 2017 by exploiting a weak point in website software.

Identity thieves can impersonate people with lenders, creditors, and service providers who rely on personal identity information. Thieves can also take stored information from Equifax and use it to open accounts with creditors that use Experian or TransUnion. Cybersecurity professionals criticized Equifax for not improving its security practices after previous thefts. Critics also argue that Equifax should have multiple layers of controls. Consumers complained of a 6-week lag between the discovery of the attack and Equifax's public disclosure. Equifax discovered the intrusion on July 29th but first disclosed the attack publicly on September 7th.

There seems to be a broad sense of uncertainty among experts and lawmakers as to which federal regulator, if any, is charged with the responsibility to monitor and regularly supervise cybersecurity. The Consumer Financial Protection Bureau has authority to police violations of consumer protection laws by consumer credit bureaus, but the agency generally leaves data privacy enforcement to the Federal Trade Commission. However, the Trade Commission lacks the authority to impose big fines or authorize fines for first-time violations of certain rules. Neither has commented on applicable law or jurisdiction. Although federal lawmakers have promised legislation and public hearings, no clear authority is forthcoming in short order. Thus, it is time for New York State to lead on this issue, given the fact that millions of our residents were exposed in this episode.

TO THIS END, THIS LEGISLATION PROVIDES A CLEAR CONSUMER PROTECTION MANDATE THAT WILL AGGRESSIVELY PROTECT CONSUMERS BY MANDATING TIMELY DISCLOSURE OF DATA BREACHES BY CREDIT REPORTING AGENCIES.
 
LEGISLATIVE HISTORY:
S5808 (2022)
S6880 (COMRIE) -- No same as; on file 01/03/18; General Business Law, in relation to notification of a data breach; 09/20/17 referred to Rules; 01/03/18 referred to Consumer Protection
 
FISCAL IMPLICATIONS:
None noted for the state; the design of the legislation could significantly save money for consumers.
 
EFFECTIVE DATE:
This act shall take effect immediately.
STATE OF NEW YORK
8872--A
IN ASSEMBLY
January 25, 2024
Introduced by M. of A. SAYEGH -- read once and referred to the Committee
on Consumer Affairs and Protection -- reported and referred to the
Committee on Codes -- reported and referred to the Committee on Rules
-- committee discharged, bill amended, ordered reprinted as amended
and recommitted to said committee
AN ACT to amend the general business law, in relation to notification of
a data breach
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
1 Section 1. The opening paragraph of subdivision 2 and subdivision 3 of
2 section 899-aa of the general business law, as amended by chapter 117 of
3 the laws of 2019, are amended to read as follows:
4 Any person or business which owns or licenses computerized data which
5 includes private information shall disclose any breach of the security
6 of the system following discovery or notification of the breach in the
7 security of the system to any resident of New York state whose private
8 information was, or is reasonably believed to have been, accessed or
9 acquired by a person without valid authorization. The disclosure shall
10 be made in the most expedient time possible and without unreasonable
11 delay, [consistent with] provided that such notification shall be made
12 within thirty days after the breach has been discovered, except for the
13 legitimate needs of law enforcement, as provided in subdivision four of
14 this section[, or any measures necessary to determine the scope of the
15 breach and restore the integrity of the system].
16 3. Any person or business which maintains computerized data which
17 includes private information which such person or business does not own
18 shall notify the owner or licensee of the information of any breach of
19 the security of the system immediately, provided that such notification
20 shall be made within thirty days following discovery, if the private
21 information was, or is reasonably believed to have been, accessed or
22 acquired by a person without valid authorization.
23 § 2. Paragraph (a) of subdivision 8 of section 899-aa of the general
24 business law, as amended by chapter 117 of the laws of 2019, is amended
25 to read as follows:
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD04602-04-4
1 (a) In the event that any New York residents are to be notified, the
2 person or business shall notify the state attorney general, the depart-
3 ment of state [and], the division of state police, and the department of
4 financial services as to the timing, content and distribution of the
5 notices and approximate number of affected persons and shall provide a
6 copy of the template of the notice sent to affected persons. Such notice
7 shall be made without delaying notice to affected New York residents.
8 § 3. This act shall take effect immediately.