
A01185 Summary:

BILL NO: A01185
SAME AS: No Same As
SPONSOR: Cahill
COSPNSR: Lifton, Lupardo
MLTSPNSR:
Amd §1119, Ins L
 
Authorizes continuing care retirement communities to adopt a written cybersecurity policy and requires such policies to be self-certified and approved by the superintendent.

A01185 Actions:

BILL NO: A01185

01/14/2019 referred to insurance
01/08/2020 referred to insurance

A01185 Memo:

NEW YORK STATE ASSEMBLY
MEMORANDUM IN SUPPORT OF LEGISLATION
submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A1185
 
SPONSOR: Cahill

TITLE OF BILL: An act to amend the insurance law, in relation to authorizing continuing care retirement communities to adopt a written cybersecurity policy

PURPOSE: To permit a continuing care retirement community (CCRCs) to attest to the department of financial services (DFS) that the CCRC's cybersecurity policies are consistent with cybersecurity regulations promulgated by the superintendent

SUMMARY OF PROVISIONS:

Section one of the legislation adds a new subsection (d) to Section 1119 of the Insurance Law, to provide that CCRCs may adopt a written cybersecurity policy that is designed to protect the confidentiality of nonpublic information and is in compliance with all applicable cybersecurity and privacy laws and protections governing nursing homes, adult care facilities and assisted living residences. This section would also require CCRCs to self-certify their cybersecurity policies and file such self-certification with DFS. Finally, this section would require the DFS to review the accuracy and reasonableness of the self-certification.

Section two establishes the effective date.

JUSTIFICATION:

DFS adopted final regulations (23 NYCRR Part 500) requiring most banks, insurers and other financial institutions within DFS's regulatory jurisdiction to protect their customer information from cyberattacks. The regulations became effective March 1, 2017 and require all covered entities to annually certify they are complying with the regulations beginning February 15, 2018. DFS just stated in writing in Feb. 2018 that CCRCs are covered by the requirements.

New York's CCRCs are much smaller than most financial institutions and insurers that are subject to these regulations. The average CCRC has a total annual operating budget of approximately $20 million. Unlike banks and most insurers, which transact with thousands of customers, often through e-commerce, CCRCs typically collect funds from only 200-400 prospective and existing residents in the form of deposits, entrance fees and monthly fees. As health care providers, CCRCs are already subject to HIPAA privacy standards and safeguards.

This bill would permit CCRCs to adopt a written cybersecurity policy and to self-certify to the DFS that such policies are in compliance with all applicable cybersecurity and privacy laws and protections, and that such policies are not inconsistent with the cybersecurity regulations adopted by the DFS.

LEGISLATIVE HISTORY: 2017-2018: A.10486 - Passed Assembly

FISCAL IMPLICATIONS: None.

EFFECTIVE DATE: This act shall take effect immediately.

A01185 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                          1185
 
                               2019-2020 Regular Sessions
 
                   IN ASSEMBLY
 
                                    January 14, 2019
                                       ___________
 
        Introduced by M. of A. CAHILL, LIFTON, LUPARDO -- read once and referred
          to the Committee on Insurance
 
        AN ACT to amend the insurance law, in relation to authorizing continuing
          care retirement communities to adopt a written cybersecurity policy
 
          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:
 
     1    Section 1. Section 1119 of the insurance law is amended  by  adding  a
     2  new subsection (d) to read as follows:
     3    (d) Such organization may adopt a written cybersecurity policy that is
     4  designed  to  protect  the  confidentiality,  integrity  and security of
     5  nonpublic information and is in compliance with: (i) the Health Informa-
     6  tion Technology for Economic and Clinical  Health  Act  ("HITECH"),  the
     7  Health  Insurance  Portability  and  Accountability  Act  ("HIPAA"), the
     8  Gramm-Leach-Bliley Act; and (ii) all other applicable cybersecurity  and
     9  privacy  protections  governing nursing homes, adult care facilities and
    10  assisted living residences to the extent the  protections  govern  those
    11  components  of  such organization's operations. The cybersecurity policy
    12  shall be self-certified by such  organization  and  such  self-certified
    13  cybersecurity  policy shall be filed with the superintendent.  The self-
    14  certification  shall  attest  that  the   policy   provides   sufficient
    15  protections of nonpublic information in a manner which is not inconsist-
    16  ent  with  the  goals of the cybersecurity policies adopted by financial
    17  services companies pursuant to regulations  promulgated  by  the  super-
    18  intendent.  Such  self-certification shall be deemed compliant with such
    19  regulations applicable to financial services companies. The  superinten-
    20  dent  shall  review  the accuracy and reasonableness of the attestation.
    21  Unless the superintendent objects to the attestation within  sixty  days
    22  from  the  date  it  is  submitted,  such  attestation  shall  be deemed
    23  approved.
    24    § 2. This act shall take effect immediately.
 
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD05987-01-9