
A08872 Summary:

Amd §899-aa, Gen Bus L
Provides that a business must provide notification of a data breach within 30 days of such breach; adds the department of financial services to the list of entities that must be notified of a data breach that affects any New York resident.

A08872 Memo:

submitted in accordance with Assembly Rule III, Sec 1(f)
TITLE OF BILL: An act to amend the general business law, in relation to notification of a data breach

SUMMARY OF PROVISIONS: This bill amends existing subdivisions 2 and 3 of section 899-aa of the general business law to provide that any person or business which owns or licenses computerized data which includes private information that experiences a harmful data breach must disclose such breach within 30 days.

JUSTIFICATION: On September 7th, 2017, one of three major consumer credit reporting agencies in the United States, Equifax, reported that hackers gained access to company data that potentially compromised sensitive information for 143 million American consumers, nearly 44% of the U.S. population. The breach included: social security numbers, driver's license numbers, names, addresses and birth dates. Keys that unlock consumers' medical histories, bank accounts, and employee accounts have also been compromised. Credit card numbers for 209,000 consumers were stolen, and documents with personal information used in disputes for 182,000 people were also stolen.

The attack on Equifax represents one of the largest risks to personally sensitive information in recent years. This incident is the third major cybersecurity threat for the agency since 2015. Just last year, identity thieves successfully hacked critical W-2 tax and salary data from an Equifax website. Earlier this year, thieves again stole W-2 tax data from an Equifax subsidiary, TAM, which provides online payroll, tax and human resources services to some of the nation's largest corporations.

According to investigations, criminals gained access to certain files in the company's system from mid-May to July, 2017 by exploiting a weak point in website software. Identity thieves can impersonate people with lenders, creditors, and service providers who rely on personal identity information. Thieves can also use stored information from Equifax to open accounts with creditors that use Experian or TransUnion.

Cybersecurity professionals criticized Equifax for not improving its security practices after previous thefts. Critics also argue that Equifax should have multiple layers of controls. Consumers complained of a 6-week lag between the discovery of the attack and Equifax's public disclosure. Equifax discovered the intrusion on July 29th but it first disclosed the attack publicly on September 7th.

There seems to be a broad sense of uncertainty among experts and lawmakers as to which federal regulator, if any, is charged with the responsibility to monitor and regularly supervise cybersecurity. The Consumer Financial Protection Bureau has authority to police violations of consumer protection laws by consumer credit bureaus, but the agency generally leaves data privacy enforcement to the Federal Commission. However, the Trade Commission lacks the authority to impose big fines or authorize fines for first time violations of certain rules. Neither has commented on applicable law or jurisdiction.

Although federal lawmakers have promised legislation and public hearings, no clear authority is forthcoming in short order. Thus, it is time for New York State to lead on this issue, given the fact that millions of our residents were exposed in this episode. TO THIS END, THIS LEGISLATION PROVIDES A CLEAR CONSUMER PROTECTION MANDATE THAT WILL AGGRESSIVELY PROTECT CONSUMERS BY MANDATING TIMELY DISCLOSURE OF DATA BREACHES BY CREDIT REPORTING AGENCIES.

LEGISLATIVE HISTORY: S5808 2022 S6880 COMRIE No Same as ON FILE: 01/03/18 General Business Law   TITLE: to notification of a data breach 09/20/17 REFERRED TO RULES 01/03/18   REFERRED TO CONSUMER PROTECTION:

FISCAL IMPLICATIONS: None noted for the state; the design of the legislation could significantly save money for consumers.

EFFECTIVE DATE: This act shall take effect immediately.