A01157 Summary:
BILL NO | A01157
SAME AS | No Same As
SPONSOR | Santabarbara
COSPNSR | Schiavoni, Reyes, Levenberg, Sayegh, Manktelow, Giglio
MLTSPNSR |

Amd §899-aa, Gen Bus L

Relates to imposing a five-day time limit during which to disclose a breach in the security of a system.
A01157 Actions:
BILL NO | A01157
01/09/2025 | referred to consumer affairs and protection
A01157 Memo:
NEW YORK STATE ASSEMBLY
MEMORANDUM IN SUPPORT OF LEGISLATION
submitted in accordance with Assembly Rule III, Sec 1(f)

BILL NUMBER: A1157

SPONSOR: Santabarbara

TITLE OF BILL: An act to amend the general business law, in relation to disclosure of breaches of the security of the system

PURPOSE OR GENERAL IDEA OF BILL: This bill would require any person or business which conducts business in the State of New York to disclose any breach of a security of a computerized system which compromises private customer information within 5 days of such a breach.

SUMMARY OF SPECIFIC PROVISIONS:

Section 1: Amends Subdivision 2 of section 899-aa of the general business law by requiring disclosure of a computer security system breach within 5 days.

Section 2: Effective date.

JUSTIFICATION: Computer security breaches of national retailers have become common occurrences in recent years and these events jeopardize the privacy of personal information of countless New Yorkers. It is essential that individuals know as soon as possible if their private information has been compromised or there is the threat it has been compromised. If there is a security breach, potentially impacted individuals need to be notified as quickly as possible to make sure their information is safe.

Currently, those conducting business in New York State who own or license computerized systems that store private information are required to disclose a breach or suspected breach without unreasonable delay. This time requirement is too vague and needs to be replaced with specific guidelines for action. This bill would amend the existing language to require that a breach of personal information be disclosed within 5 days.

For consumers whose personal information is compromised in a security breach, awareness of the breach affords them the opportunity to take preemptive action to ensure that they can mitigate the risk of identity theft. While the current law encourages breaches to be disclosed quickly, many factors may compel those responsible for the breached system to delay such a disclosure. This bill will make sure that consumers are provided with the information they deserve when their private information is compromised.

PRIOR LEGISLATIVE HISTORY:
2015-16: A5925 - referred to consumer affairs and protection
2017-18: A180 - referred to consumer affairs and protection
2019-20: A1387 - referred to consumer affairs and protection

FISCAL IMPLICATIONS: None to the state.

EFFECTIVE DATE: This act shall take effect immediately.
A01157 Text:
STATE OF NEW YORK
________________________________________________________________________

1157

2025-2026 Regular Sessions

IN ASSEMBLY

January 9, 2025
___________

Introduced by M. of A. SANTABARBARA -- read once and referred to the Committee on Consumer Affairs and Protection

AN ACT to amend the general business law, in relation to disclosure of breaches of the security of the system

The People of the State of New York, represented in Senate and Assembly, do enact as follows:

 1  Section 1. The opening paragraph of subdivision 2 of section 899-aa of
 2  the general business law, as amended by chapter 647 of the laws of 2024,
 3  is amended to read as follows:
 4  Any person or business which owns or licenses computerized data which
 5  includes private information shall disclose any breach of the security
 6  of the system [following] within five days of the discovery or notifica-
 7  tion of the breach in the security of the system to any resident of New
 8  York state whose private information was, or is reasonably believed to
 9  have been, accessed or acquired by a person without valid authorization.
10  [The disclosure shall be made in the most expedient time possible and
11  without unreasonable delay, provided that such notification shall be
12  made within thirty days after the breach has been discovered, except for
13  the legitimate needs of law enforcement, as provided in subdivision four
14  of this section.]
15  § 2. This act shall take effect immediately.

EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted.
LBD03501-01-5