Authorizes continuing care retirement communities to adopt a written cybersecurity policy and requires such policies to be self-certified and approved by the superintendent.
NEW YORK STATE ASSEMBLY MEMORANDUM IN SUPPORT OF LEGISLATION submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A1185
SPONSOR: Cahill
 
TITLE OF BILL:
An act to amend the insurance law, in relation to authorizing continuing
care retirement communities to adopt a written cybersecurity policy
 
PURPOSE:
To permit continuing care retirement communities (CCRCs) to attest to
the department of financial services (DFS) that the CCRC's cybersecurity
policies are consistent with the cybersecurity regulations promulgated by
the superintendent.
 
SUMMARY OF PROVISIONS:
Section one of the legislation adds a new subsection (d) to Section 1119
of the Insurance Law, to provide that CCRCs may adopt a written cybersecurity
policy that is designed to protect the confidentiality, integrity and
security of nonpublic information and is in compliance with all applicable
cybersecurity and privacy laws and protections governing nursing homes,
adult care facilities and assisted living residences. This section would
also require CCRCs to self-certify their cybersecurity policies and file
such self-certification with DFS. Finally, this section would require DFS
to review the accuracy and reasonableness of the self-certification, which
is deemed approved unless the superintendent objects within sixty days.
Section two establishes the effective date.
 
JUSTIFICATION:
DFS adopted final regulations (23 NYCRR Part 500) requiring most banks,
insurers and other financial institutions within DFS's regulatory
jurisdiction to protect their customer information from cyberattacks. The
regulations became effective March 1, 2017 and require all covered entities
to annually certify that they are complying with the regulations, beginning
February 15, 2018. In February 2018, DFS stated in writing that CCRCs are
covered by the requirements.
New York's CCRCs are much smaller than most financial institutions and
insurers that are subject to these regulations. The average CCRC has a
total annual operating budget of approximately $20 million. Unlike banks
and most insurers, which transact with thousands of customers, often
through e-commerce, CCRCs typically collect funds from only 200-400
prospective and existing residents in the form of deposits, entrance
fees and monthly fees. As health care providers, CCRCs are already
subject to HIPAA privacy standards and safeguards.
This bill would permit CCRCs to adopt a written cybersecurity policy and
to self-certify to the DFS that such policies are in compliance with all
applicable cybersecurity and privacy laws and protections, and that such
policies are not inconsistent with the cybersecurity regulations adopted
by the DFS.
 
LEGISLATIVE HISTORY:
2017-2018: A.10486 - Passed Assembly
 
FISCAL IMPLICATIONS:
None.
 
EFFECTIVE DATE:
This act shall take effect immediately.
STATE OF NEW YORK
1185
2019-2020 Regular Sessions
IN ASSEMBLY
January 14, 2019
Introduced by M. of A. CAHILL, LIFTON, LUPARDO -- read once and referred
to the Committee on Insurance
AN ACT to amend the insurance law, in relation to authorizing continuing
care retirement communities to adopt a written cybersecurity policy
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
Section 1. Section 1119 of the insurance law is amended by adding a new subsection (d) to read as follows:
(d) Such organization may adopt a written cybersecurity policy that is designed to protect the confidentiality, integrity and security of nonpublic information and is in compliance with: (i) the Health Information Technology for Economic and Clinical Health Act ("HITECH"), the Health Insurance Portability and Accountability Act ("HIPAA"), the Gramm-Leach-Bliley Act; and (ii) all other applicable cybersecurity and privacy protections governing nursing homes, adult care facilities and assisted living residences to the extent the protections govern those components of such organization's operations. The cybersecurity policy shall be self-certified by such organization and such self-certified cybersecurity policy shall be filed with the superintendent. The self-certification shall attest that the policy provides sufficient protections of nonpublic information in a manner which is not inconsistent with the goals of the cybersecurity policies adopted by financial services companies pursuant to regulations promulgated by the superintendent. Such self-certification shall be deemed compliant with such regulations applicable to financial services companies. The superintendent shall review the accuracy and reasonableness of the attestation. Unless the superintendent objects to the attestation within sixty days from the date it is submitted, such attestation shall be deemed approved.
§ 2. This act shall take effect immediately.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD05987-01-9