•  Summary 
  •  
  •  Actions 
  •  
  •  Committee Votes 
  •  
  •  Floor Votes 
  •  
  •  Memo 
  •  
  •  Text 
  •  
  •  LFIN 
  •  
  •  Chamber Video/Transcript 

A01157 Summary:

BILL NOA01157
 
SAME ASNo Same As
 
SPONSORSantabarbara
 
COSPNSRSchiavoni, Reyes, Levenberg, Sayegh, Manktelow, Giglio
 
MLTSPNSR
 
Amd §899-aa, Gen Bus L
 
Relates to imposing a five-day time limit during which to disclose a breach in the security of a system.
Go to top    

A01157 Actions:

BILL NOA01157
 
01/09/2025referred to consumer affairs and protection
Go to top

A01157 Memo:

NEW YORK STATE ASSEMBLY
MEMORANDUM IN SUPPORT OF LEGISLATION
submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A1157
 
SPONSOR: Santabarbara
  TITLE OF BILL: An act to amend the general business law, in relation to disclosure of breaches of the security of the system   PURPOSE OR GENERAL IDEA OF BILL: This bill would require any person or business which conducts business in the State of New York to disclose any breach of a security of a computerized system which compromises private customer information with- in 5 days of such a breach.   SUMMARY OF SPECIFIC PROVISIONS: Sections 1: Amends Subdivision 2 of section 899-aa of the general busi- ness law by requiring disclosure of a computer security system breach within 5 days. Section 2: Effective date.   JUSTIFICATION: Computer security breaches of national retailers have become common occurrences in recent years and these events jeopardize the privacy of personal information of countless New Yorkers. It is essential that individuals know as soon as possible if their private information has been compromised or there is the threat it has been compromised. If there is a security breach, potentially impacted individuals need to be notified as quickly as possible to make sure their information is safe. Currently, those conducting business in New York State who own or license computerized systems that store private information are required to disclose a breach or suspected breach without unreasonable delay. This time requirement is too vague and needs to be replaced with specif- ic guidelines for action. This bill would amend the existing language to require that a breach of personal information be disclosed within 5 days For consumers whose personal information is compromised in a security breach, awareness of the breach affords them the opportunity to take Preemptive action to ensure that they can mitigate the risk of identity theft. While the current law encourages breaches to be disclosed quick- ly, many factors may compel those responsible for the breached system to delay such a disclosure. This bill will make sure that consumers are provided with the information they deserve when their private informa- tion is compromised.   PRIOR LEGISLATIVE HISTORY: 2015-16: A5925 - referred to consumer affairs and protection 2017-18: A180 - referred to consumer affairs and protection 2019-20: A1387- referred to consumer affairs and protection   FISCAL IMPLICATIONS: None to the state.   EFFECTIVE DATE: This act shall take effect immediately.
Go to top

A01157 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                          1157
 
                               2025-2026 Regular Sessions
 
                   IN ASSEMBLY
 
                                     January 9, 2025
                                       ___________
 
        Introduced  by  M.  of  A. SANTABARBARA -- read once and referred to the
          Committee on Consumer Affairs and Protection
 
        AN ACT to amend the general business law, in relation to  disclosure  of
          breaches of the security of the system
 
          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:
 
     1    Section 1. The opening paragraph of subdivision 2 of section 899-aa of
     2  the general business law, as amended by chapter 647 of the laws of 2024,
     3  is amended to read as follows:
     4    Any person or business which owns or licenses computerized data  which
     5  includes  private  information shall disclose any breach of the security
     6  of the system [following] within five days of the discovery or notifica-
     7  tion of the breach in the security of the system to any resident of  New
     8  York  state  whose private information was, or is reasonably believed to
     9  have been, accessed or acquired by a person without valid authorization.
    10  [The disclosure shall be made in the most expedient  time  possible  and
    11  without  unreasonable  delay,  provided  that such notification shall be
    12  made within thirty days after the breach has been discovered, except for
    13  the legitimate needs of law enforcement, as provided in subdivision four
    14  of this section.]
    15    § 2. This act shall take effect immediately.
 
 
 
 
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD03501-01-5
Go to top