Relates to requiring a consumer credit reporting agency to offer identity theft prevention and mitigation services in the case of a breach of the security of such agency's system.
NEW YORK STATE ASSEMBLY MEMORANDUM IN SUPPORT OF LEGISLATION submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A2374
SPONSOR: Dinowitz
 
TITLE OF BILL: An act to amend the general business law, in relation
to requiring a consumer credit reporting agency to offer identity theft
prevention and mitigation services in the case of a breach of the
security of such agency's system
 
PURPOSE OR GENERAL IDEA OF BILL:
This bill would provide reasonable consumer protections following a
breach of consumer credit data at a credit reporting agency (CRA), when
such a breach involves social security numbers.
 
SUMMARY OF SPECIFIC PROVISIONS:
Section 1 amends subdivision n of section 380-t of the general business
law by adding a new paragraph 3 that would require that when a credit
reporting agency suffers a breach of information containing consumer
social security numbers, the CRA must provide lifetime identity theft
prevention services, and if applicable, identity theft mitigation
services to affected customers. Additionally, this new paragraph would
prohibit fees relating to the implementation and lifting of security
freezes on consumer credit reports, if those reports were part of a
breach of information containing social security numbers.
Section 2 amends subdivision q of section 380-t of the general business
law by adding new language to the consumer's summary of rights that CRAs
must provide to consumers on credit freezes, informing them that in the
instance of a breach of data involving a social security number, a
consumer has the right to freeze their credit at no cost.
Section 3 sets the effective date.
 
JUSTIFICATION:
In late July 2017, one of the three main CRAs, Equifax Inc., experienced
a major data breach involving personal information that included theft
of social security numbers. At the time it was widely reported to impact
over 140 million accounts, but the full extent of the breach is still
uncertain. CRAs have been the subject of public scrutiny in years past
for their inaccurate files kept on unknowing consumers and the
cumbersome process they subject average people to in order to rectify such
errors. The magnitude of this breach won't be known for years, but the
status quo where consumers must bear the burden to protect their own
identities is unacceptable. To date, Equifax has offered to waive fees
for security freezes for a short time period, and offered 12 months of
identity theft prevention services at no charge. This response is simply
insufficient given that innocent people's information was stolen through
no fault of their own. This legislation aims to establish the minimal
amount of long-term protection consumers could ask for, and even still
it is just that, the bare minimum.
 
PRIOR LEGISLATIVE HISTORY:
2017-18: A.8695A - Passed Assembly / S.6923A - Referred to Consumer
Protection
 
FISCAL IMPLICATIONS TO THE STATE:
None to the state.
 
EFFECTIVE DATE:
This act shall take effect on the sixtieth day after it shall have
become a law and shall apply to any breach of the security of a consumer
credit reporting agency that occurred no more than three years prior to
the effective date of this act.