S. 3760 2
(2) driver's license number or non-driver identification card number; or
(3) FINANCIAL account number, credit or debit card number[, in combination with any required security code, access code, or password that would permit access to an individual's financial account;].
"Private information" does not include publicly available information which is lawfully made available to the general public from federal, state, or local government records.
PRIVATE INFORMATION SHALL NOT BE CONSIDERED TO BE ENCRYPTED FOR PURPOSES OF THIS SECTION IF IT IS ACQUIRED IN COMBINATION WITH ANY KEY REQUIRED TO ENABLE DECRYPTION OF THAT PRIVATE INFORMATION.
[(c)] (D) "Breach of the security of the system" shall mean: (1) unauthorized acquisition [or acquisition without valid authorization] of computerized data that compromises the security, confidentiality, or integrity of [personal] PRIVATE information maintained by a business; OR (2) WHEN IT IS REASONABLY BELIEVED THAT SUCH UNAUTHORIZED ACQUISITION HAS OCCURRED. Good faith OR INADVERTENT acquisition of [personal] PRIVATE information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system[, provided that the private information is not used or subject to unauthorized disclosure].
In determining whether PRIVATE information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person [or a person without valid authorization], such business may consider the following factors, among others:
[(1)] (I) indications that the PRIVATE information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing PRIVATE information; or
[(2)] (II) indications that the PRIVATE information has been downloaded or copied; or
[(3)] (III) indications that the PRIVATE information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.
[(d)] (E) "Consumer reporting agency" shall mean any [person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports] CONSUMER REPORTING AGENCY THAT COMPILES AND MAINTAINS FILES ON CONSUMERS ON A NATIONWIDE BASIS, AS DEFINED BY 15 U.S.C. § 1681A(P). A list of consumer reporting agencies shall be compiled by the state attorney general. SUCH LIST SHALL BE UPDATED BY THE ATTORNEY GENERAL ANNUALLY and SHALL BE furnished upon request IN A FORMAT OR FORMATS PRESCRIBED BY THE ATTORNEY GENERAL to any person or business required to make a notification under subdivision two of this section.
2. Any person or business which conducts business in New York state, and which owns or licenses computerized data which includes private information shall: (A) IMPLEMENT AND MAINTAIN REASONABLE SECURITY SAFEGUARDS, APPROPRIATE TO THE NATURE OF THE INFORMATION, TO PREVENT UNAUTHORIZED ACCESS TO OR UNAUTHORIZED DESTRUCTION, USE, MODIFICATION, OR DISCLOSURE OF THE PRIVATE INFORMATION; AND (B) disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was[, or is reasonably believed to have been, acquired by a person without valid authorization] SUBJECT TO THE BREACH OF THE SECURITY OF THE SYSTEM. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision four of this section, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.
3. Any person or business which maintains computerized data which includes private information which such person or business does not own shall: (A) IMPLEMENT AND MAINTAIN REASONABLE SECURITY SAFEGUARDS, APPROPRIATE TO THE NATURE OF THE INFORMATION, TO PREVENT UNAUTHORIZED ACCESS TO OR UNAUTHORIZED DESTRUCTION, USE, MODIFICATION, OR DISCLOSURE OF THE PRIVATE INFORMATION; AND (B) notify the owner or licensee of the information of any breach of the security of the system immediately following discovery[, if the private information was, or is reasonably believed to have been, acquired by a person without valid authorization] OF THE BREACH OF THE SECURITY OF THE SYSTEM AND SHALL COOPERATE WITH THE OWNER OR LICENSEE TO DETERMINE THE SCOPE OF THE BREACH AND RESTORE THE REASONABLE INTEGRITY OF THE SYSTEM. UNLESS THE PERSON OR BUSINESS WHO MAINTAINS COMPUTERIZED DATA WHICH IT DOES NOT OWN AND THE OWNER OR LICENSEE OF THAT DATA HAVE AGREED OTHERWISE IN WRITING, THE PERSON OR BUSINESS WHO MAINTAINS COMPUTERIZED DATA WHICH IT DOES NOT OWN SHALL BE LIABLE FOR THE COSTS ASSOCIATED WITH PROVIDING THE NOTIFICATIONS REQUIRED BY SUBDIVISIONS FIVE AND EIGHT OF THIS SECTION IF THE BREACH WAS CAUSED BY NEGLIGENT OR WILLFUL ACTS OR OMISSIONS OF THE PERSON OR BUSINESS, OR THE NEGLIGENT OR WILLFUL ACTS OR OMISSIONS OF AGENTS, OFFICERS, EMPLOYEES OR SUBCONTRACTORS OF THE PERSON OR BUSINESS.
4. The [notification] NOTIFICATIONS required by SUBDIVISIONS FIVE AND EIGHT OF this section may be delayed if a law enforcement agency determines that such notification impedes a criminal investigation, PROVIDED THAT SUCH DETERMINATION IS MADE IN WRITING OR THE PERSON OR BUSINESS DOCUMENTS THE DETERMINATION CONTEMPORANEOUSLY IN WRITING, INCLUDING THE NAME OF THE LAW ENFORCEMENT OFFICER MAKING THE DETERMINATION AND THE LAW ENFORCEMENT AGENCY ENGAGED IN THE INVESTIGATION. The [notification] NOTIFICATIONS required by SUBDIVISIONS FIVE AND EIGHT OF this section shall be made IN THE MOST EXPEDIENT TIME POSSIBLE AND WITHOUT UNREASONABLE DELAY after such law enforcement agency determines that such notification [does not] WOULD NO LONGER compromise such investigation. WRITTEN DOCUMENTATION OF THE FOREGOING DETERMINATIONS BY A LAW ENFORCEMENT AGENCY SHALL ACCOMPANY THE NOTIFICATION REQUIRED BY SUBDIVISION EIGHT OF THIS SECTION.
5. The notice required by this section shall be directly provided to the affected persons by one of the following methods:
(a) written notice, WHICH SHALL BE IN AT LEAST TWELVE POINT TYPE;
(b) electronic notice, [provided that the] FOR THOSE AFFECTED PERSONS FOR WHOM THE PERSON OR BUSINESS HAS A VALID E-MAIL ADDRESS ONLY IF: (1) THE PERSON OR BUSINESS DOES NOT HAVE THE AFFECTED PERSON'S ADDRESS OR TELEPHONE CONTACT INFORMATION AND THE PERSON'S OR BUSINESS'S PRIMARY METHOD OF COMMUNICATION WITH THE AFFECTED PERSON IS BY ELECTRONIC MEANS; OR (2) THE AFFECTED person [to whom notice is required] has expressly consented to receiving said notice in electronic form [and]. ELECTRONIC NOTICES AUTHORIZED UNDER THIS PARAGRAPH SHALL NOT REQUEST OR CONTAIN A HYPERTEXT LINK TO A REQUEST THAT THE AFFECTED PERSON PROVIDE PRIVATE INFORMATION AND SHALL INCLUDE A CONSPICUOUS WARNING THAT THE AFFECTED PERSON SHOULD NOT PROVIDE PRIVATE INFORMATION IN RESPONSE TO ELECTRONIC COMMUNICATIONS REGARDING SECURITY BREACHES. THE PERSON OR BUSINESS SHALL KEEP a log of each such notification [is kept by the person or business who notifies affected persons in such form; provided further, however, that in]. IN no case shall any person or business require a person to consent to accepting said notice in [said] ELECTRONIC form as a condition of establishing any business relationship or engaging in any transaction[.];
(c) telephone notification provided that a log of each such notification is kept by the person or business who notifies affected persons; or
(d) Substitute notice, if a PERSON OR business demonstrates to the state attorney general that the cost of providing notice would exceed two hundred fifty thousand dollars, or that the affected class of subject persons to be notified exceeds five hundred thousand, or such PERSON OR business does not have sufficient contact information. Substitute notice shall consist of all of the following:
(1) e-mail notice when such PERSON OR business has an e-mail address for the subject persons;
(2) conspicuous posting of the notice on such PERSON'S OR business's web site page, if such PERSON OR business maintains one; and
(3) notification to [major statewide] APPROPRIATE media IN THE AREAS IN WHICH THE PERSON OR BUSINESS REASONABLY DETERMINES THAT THE NEW YORK RESIDENTS TO BE NOTIFIED RESIDE.
6. (a) whenever the attorney general shall believe from evidence satisfactory to him that there is a violation of this article he may bring an action in the name and on behalf of the people of the state of New York, in a court of justice having jurisdiction to issue an injunction, to enjoin and restrain the continuation of such violation. In such action, preliminary relief may be granted under article sixty-three of the civil practice law and rules. In such action the court may award damages for actual costs or losses incurred by a person entitled to notice pursuant to this article, if notification was not provided to such person pursuant to this article, including consequential financial losses. Whenever the court shall determine in such action that a person or business violated this article knowingly or recklessly, the court may impose a civil penalty of the greater of five thousand dollars or up to ten dollars per instance of failed notification, provided that the latter amount shall not exceed one hundred fifty thousand dollars.
(b) the remedies provided by this section shall be in addition to any other lawful remedy available.
(c) no action may be brought under the provisions of this section unless such action is commenced within two years immediately after the date of the act complained of or the date of discovery of such act.
7. Regardless of the method by which notice is provided, such notice shall include, AT A MINIMUM: (A) contact information for the person or business making the notification [and], INCLUDING: (1) A TELEPHONE NUMBER OR A TOLL-FREE TELEPHONE NUMBER, IF ONE IS MAINTAINED BY THE PERSON OR BUSINESS; (2) A MAILING ADDRESS; AND (3) AN E-MAIL ADDRESS, IF ONE IS MAINTAINED BY THE PERSON OR BUSINESS;
(B) a description of the categories of information [that were, or are reasonably believed to have been, acquired by a person without valid authorization], including specification of [which of] the elements of personal information and private information, THAT were[, or are reasonably believed to have been, so acquired] SUBJECT TO THE BREACH OF THE SECURITY OF THE SYSTEM;
(C) A WARNING TO AFFECTED PERSONS NOT TO PROVIDE PRIVATE INFORMATION IN RESPONSE TO ELECTRONIC COMMUNICATIONS REGARDING SECURITY BREACHES;
(D) INFORMATION RELATING TO OBTAINING AND REVIEWING FREE CREDIT REPORTS AND PLACING FREE SECURITY FREEZES AND FRAUD ALERTS ON CREDIT REPORTS, INCLUDING TOLL-FREE TELEPHONE NUMBERS, E-MAIL ADDRESSES, WEBSITE ADDRESSES, AND MAILING ADDRESSES FOR THE CONSUMER REPORTING AGENCIES;
(E) A RECOMMENDATION THAT INCIDENTS OF IDENTITY THEFT BE REPORTED PROMPTLY TO LAW ENFORCEMENT AGENCIES, THE CONSUMER PROTECTION BOARD, THE FEDERAL TRADE COMMISSION, AND THE CONSUMER REPORTING AGENCIES; AND
(F) THE TOLL-FREE TELEPHONE NUMBER, E-MAIL ADDRESS, WEBSITE ADDRESS, AND MAILING ADDRESS OF THE CONSUMER PROTECTION BOARD.
8. (a) In the event that any New York residents are to be notified, the person or business shall notify the state attorney general, the consumer protection board, and the state office of cyber security and critical infrastructure coordination as to the timing, content and distribution of the notices [and], THE approximate number of affected persons, AND THE APPROXIMATE NUMBER OF AFFECTED NEW YORK RESIDENTS. Such notice shall be made without delaying notice to affected New York residents.
(b) In the event that more than [five] ONE thousand New York residents are to be notified at one time, the person or business shall also notify consumer reporting agencies as to the timing, content and distribution of the notices and approximate number of affected persons. Such notice shall be made without delaying notice to affected New York residents.
(C) IN THE EVENT THAT THE AFFECTED CLASS OF SUBJECT PERSONS TO BE NOTIFIED EXCEEDS FIVE HUNDRED THOUSAND, THE PERSON OR BUSINESS SHALL, WITHIN ONE HUNDRED TWENTY DAYS OF THE NOTIFICATION REQUIRED BY SUBDIVISION FIVE OF THIS SECTION, FILE A REPORT WITH THE ATTORNEY GENERAL, THE CONSUMER PROTECTION BOARD, AND THE STATE OFFICE OF CYBER SECURITY AND CRITICAL INFRASTRUCTURE COORDINATION DESCRIBING THE STEPS TAKEN TO MITIGATE THE EFFECTS OF THE BREACH IN THE SECURITY OF THE SYSTEM, INCLUDING, BUT NOT LIMITED TO, IMPLEMENTATION OF PROCEDURES FOR DETECTING, REPORTING, AND RESPONDING TO SUCH BREACHES, PROVIDED, HOWEVER, THAT THE PERSON OR BUSINESS SHALL NOT BE REQUIRED TO INCLUDE INFORMATION IN THE REPORT THAT IS SPECIFICALLY EXEMPTED FROM DISCLOSURE BY STATE OR FEDERAL LAW OR THAT WOULD, IF DISCLOSED, JEOPARDIZE THE PERSON'S OR BUSINESS'S CAPACITY TO GUARANTEE THE SECURITY OF INFORMATION TECHNOLOGY ASSETS, SUCH ASSETS ENCOMPASSING BOTH ELECTRONIC INFORMATION SYSTEMS AND INFRASTRUCTURES.
9. The provisions of this section shall be exclusive and shall preempt any provisions of local law, ordinance or code, and no locality shall impose requirements that are inconsistent with or more restrictive than those set forth in this section.
§ 2. Section 208 of the state technology law, as added by chapter 442 of the laws of 2005, paragraph (b) of subdivision 1 and subdivisions 2, 6 and 7 as amended, paragraph (c) of subdivision 5 as added and paragraph (d) of subdivision 5 as relettered by chapter 491 of the laws of 2005, is amended to read as follows:
§ 208. Notification; [person without valid authorization has acquired] UNAUTHORIZED ACQUISITION OF private information. 1. As used in this section, the following terms shall have the following meanings:
(a) "ENCRYPTED" SHALL MEAN THE PROTECTION OF PRIVATE INFORMATION IN ELECTRONIC FORM IN STORAGE OR IN TRANSIT USING AN ENCRYPTION TECHNOLOGY THAT HAS BEEN ADOPTED BY A STANDARDS SETTING BODY GENERALLY RECOGNIZED IN THE INFORMATION TECHNOLOGY INDUSTRY, INCLUDING, BUT NOT LIMITED TO, THE FEDERAL DEPARTMENT OF COMMERCE'S NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, THE INTERNATIONAL STANDARDS ORGANIZATION, AND THE PAYMENT CARD INDUSTRY SECURITY STANDARDS COUNCIL.
(B) "PERSONAL INFORMATION" SHALL MEAN PERSONAL INFORMATION AS DEFINED BY SUBDIVISION FIVE OF SECTION TWO HUNDRED TWO OF THIS ARTICLE.
(C) "Private information" shall mean personal information in combination with any one or more of the following data elements, when [either] BOTH the personal information [or] AND the data element [is] ARE not encrypted [or encrypted with an encryption key that has also been acquired]:
(1) social security number;
(2) driver's license number or non-driver identification card number; or
(3) FINANCIAL account number, credit or debit card number[, in combination with any required security code, access code, or password which would permit access to an individual's financial account].
"Private information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
PRIVATE INFORMATION SHALL NOT BE CONSIDERED TO BE ENCRYPTED FOR PURPOSES OF THIS SECTION IF IT IS ACQUIRED IN COMBINATION WITH ANY KEY REQUIRED TO ENABLE DECRYPTION OF THAT PRIVATE INFORMATION.
[(b)] (D) "Breach of the security of the system" shall mean: (1) unauthorized acquisition [or acquisition without valid authorization] of computerized data which compromises the security, confidentiality, or integrity of [personal] PRIVATE information maintained by a state entity; OR (2) WHEN IT IS REASONABLY BELIEVED THAT SUCH UNAUTHORIZED ACQUISITION HAS OCCURRED. Good faith OR INADVERTENT acquisition of [personal] PRIVATE information by an employee or agent of a state entity for the purposes of the agency is not a breach of the security of the system[, provided that the private information is not used or subject to unauthorized disclosure].
In determining whether PRIVATE information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person [or a person without valid authorization], such state entity may consider the following factors, among others:
[(1)] (I) indications that the PRIVATE information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing PRIVATE information; or
[(2)] (II) indications that the PRIVATE information has been downloaded or copied; or
[(3)] (III) indications that the PRIVATE information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.
[(c)] (E) "State entity" shall mean any state board, bureau, division, committee, commission, council, department, public authority, public benefit corporation, office or other governmental entity performing a governmental or proprietary function for the state of New York, except:
(1) the judiciary; and
(2) [all cities, counties, municipalities, villages, towns, and other local agencies] COUNTIES, CITIES, TOWNS, VILLAGES, SCHOOL DISTRICTS, BOARDS OF COOPERATIVE EDUCATIONAL SERVICES, LOCAL PUBLIC BENEFIT CORPORATIONS AND OTHER MUNICIPAL CORPORATIONS OR POLITICAL SUBDIVISIONS OF THE STATE.
[(d)] (F) "Consumer reporting agency" shall mean any [person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports] CONSUMER REPORTING AGENCY THAT COMPILES AND MAINTAINS FILES ON CONSUMERS ON A NATIONWIDE BASIS, AS DEFINED BY 15 U.S.C. § 1681A(P). A list of consumer reporting agencies shall be compiled by the state attorney general. SUCH LIST SHALL BE UPDATED BY THE ATTORNEY GENERAL ANNUALLY and SHALL BE furnished upon request IN A FORMAT OR FORMATS PRESCRIBED BY THE ATTORNEY GENERAL to ANY state [entities] ENTITY required to make a notification under subdivision two of this section.
2. Any state entity that owns or licenses computerized data that includes private information shall: (A) CONSISTENT WITH ITS OBLIGATIONS UNDER THE PERSONAL PRIVACY PROTECTION LAW, IMPLEMENT AND MAINTAIN REASONABLE SECURITY SAFEGUARDS, APPROPRIATE TO THE NATURE OF THE INFORMATION, TO PREVENT UNAUTHORIZED ACCESS TO OR UNAUTHORIZED DESTRUCTION, USE, MODIFICATION, OR DISCLOSURE OF THE PRIVATE INFORMATION; AND (B) disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was[, or is reasonably believed to have been, acquired by a person without valid authorization] SUBJECT TO THE BREACH OF THE SECURITY OF THE SYSTEM. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision four of this section, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. The state entity shall consult with the state office of cyber security and critical infrastructure coordination to determine the scope of the breach and restoration measures.
3. Any state entity that maintains computerized data that includes private information which such agency does not own shall: (A) CONSISTENT WITH ITS OBLIGATIONS UNDER THE PERSONAL PRIVACY PROTECTION LAW, IMPLEMENT AND MAINTAIN REASONABLE SECURITY SAFEGUARDS, APPROPRIATE TO THE NATURE OF THE INFORMATION, TO PREVENT UNAUTHORIZED ACCESS TO OR UNAUTHORIZED DESTRUCTION, USE, MODIFICATION, OR DISCLOSURE OF THE PRIVATE INFORMATION; AND (B) notify the owner or licensee of the information of any breach of the security of the system immediately following discovery[, if the private information was, or is reasonably believed to have been, acquired by a person without valid authorization] OF THE BREACH OF THE SECURITY OF THE SYSTEM AND SHALL COOPERATE WITH THE CONSULTATION DESCRIBED IN SUBDIVISION TWO OF THIS SECTION.
4. The [notification] NOTIFICATIONS required by SUBDIVISIONS FIVE AND SEVEN OF this section may be delayed if a law enforcement agency determines that such notification impedes a criminal investigation PROVIDED THAT SUCH DETERMINATION IS MADE IN WRITING OR THE STATE ENTITY DOCUMENTS THE DETERMINATION CONTEMPORANEOUSLY IN WRITING, INCLUDING THE NAME OF THE LAW ENFORCEMENT OFFICER MAKING THE DETERMINATION AND THE LAW ENFORCEMENT AGENCY ENGAGED IN THE INVESTIGATION. The [notification] NOTIFICATIONS required by SUBDIVISIONS FIVE AND SEVEN OF this section shall be made IN THE MOST EXPEDIENT TIME POSSIBLE AND WITHOUT UNREASONABLE DELAY after such law enforcement agency determines that such notification [does not] WOULD NO LONGER compromise such investigation. WRITTEN DOCUMENTATION OF THE FOREGOING DETERMINATIONS BY A LAW ENFORCEMENT AGENCY SHALL ACCOMPANY THE NOTIFICATION REQUIRED BY SUBDIVISION SEVEN OF THIS SECTION.
5. The notice required by this section shall be directly provided to the affected persons by one of the following methods:
(a) written notice, WHICH SHALL BE IN AT LEAST TWELVE POINT TYPE;
(b) electronic notice, [provided that] FOR THOSE AFFECTED PERSONS FOR WHOM THE STATE ENTITY HAS A VALID E-MAIL ADDRESS ONLY IF: (1) THE STATE ENTITY DOES NOT HAVE THE AFFECTED PERSON'S ADDRESS OR TELEPHONE CONTACT INFORMATION AND THE STATE ENTITY'S PRIMARY METHOD OF COMMUNICATION WITH THE AFFECTED PERSON IS BY ELECTRONIC MEANS; OR (2) the AFFECTED person [to whom notice is required] has expressly consented to receiving said notice in electronic form [and]. ELECTRONIC NOTICES AUTHORIZED UNDER THIS PARAGRAPH SHALL NOT REQUEST OR CONTAIN A HYPERTEXT LINK TO A REQUEST THAT THE AFFECTED PERSON PROVIDE PRIVATE INFORMATION AND SHALL INCLUDE A CONSPICUOUS WARNING THAT THE AFFECTED PERSON SHOULD NOT PROVIDE PRIVATE INFORMATION IN RESPONSE TO ELECTRONIC COMMUNICATIONS REGARDING SECURITY BREACHES. THE STATE ENTITY SHALL KEEP a log of each such notification [is kept by the state entity who notifies affected persons in such form; provided further, however, that in]. IN no case shall any [person or business] STATE ENTITY require a person to consent to accepting said notice in [said] ELECTRONIC form as a condition of establishing any business relationship or engaging in any transaction;
(c) telephone notification provided that a log of each such notification is kept by the state entity who notifies affected persons; or
(d) Substitute notice, if a state entity demonstrates to the state attorney general that the cost of providing notice would exceed two hundred fifty thousand dollars, or that the affected class of subject persons to be notified exceeds five hundred thousand, or such agency does not have sufficient contact information. Substitute notice shall consist of all of the following:
(1) e-mail notice when such state entity has an e-mail address for the subject persons;
(2) conspicuous posting of the notice on such state entity's web site page, if such [agency] STATE ENTITY maintains one; and
(3) notification to [major statewide] APPROPRIATE media IN THE AREAS IN WHICH THE STATE ENTITY REASONABLY DETERMINES THAT THE NEW YORK RESIDENTS TO BE NOTIFIED RESIDE.
6. Regardless of the method by which notice is provided, such notice shall include, AT A MINIMUM: (A) contact information for the state entity making the notification, INCLUDING: (1) A TELEPHONE NUMBER OR A TOLL-FREE TELEPHONE NUMBER, IF ONE IS MAINTAINED BY THE STATE ENTITY; (2) A MAILING ADDRESS; AND (3) AN E-MAIL ADDRESS, IF ONE IS MAINTAINED BY THE STATE ENTITY; (B) and a description of the categories of information [that were, or are reasonably believed to have been, acquired by a person without valid authorization], including specification of [which of] the elements of personal information and private information, were[, or are reasonably believed to have been, so acquired] SUBJECT TO THE BREACH OF THE SECURITY OF THE SYSTEM; (C) A WARNING TO AFFECTED PERSONS NOT TO PROVIDE PRIVATE INFORMATION IN RESPONSE TO ELECTRONIC COMMUNICATIONS REGARDING SECURITY BREACHES; (D) INFORMATION RELATING TO OBTAINING AND REVIEWING FREE CREDIT REPORTS AND PLACING FREE SECURITY FREEZES AND FREE FRAUD ALERTS ON CREDIT REPORTS, INCLUDING TOLL-FREE TELEPHONE NUMBERS, E-MAIL ADDRESSES, WEBSITE ADDRESSES, AND MAILING ADDRESSES FOR THE CONSUMER REPORTING AGENCIES; (E) A RECOMMENDATION THAT INCIDENTS OF IDENTITY THEFT BE REPORTED PROMPTLY TO LAW ENFORCEMENT AGENCIES, THE CONSUMER PROTECTION BOARD, THE FEDERAL TRADE COMMISSION, AND THE CONSUMER REPORTING AGENCIES; AND (F) THE TOLL-FREE TELEPHONE NUMBER, E-MAIL ADDRESS, WEBSITE ADDRESS, AND MAILING ADDRESS OF THE CONSUMER PROTECTION BOARD.
7. (a) In the event that any New York residents are to be notified, the state entity shall notify the state attorney general, the consumer protection board, and the state office of cyber security and critical infrastructure coordination as to the timing, content and distribution of the notices [and], THE approximate number of affected persons, AND THE APPROXIMATE NUMBER OF AFFECTED NEW YORK RESIDENTS. Such notice shall be made without delaying notice to affected New York residents.
(b) In the event that more than [five] ONE thousand New York residents are to be notified at one time, the state entity shall also notify consumer reporting agencies as to the timing, content and distribution of the notices and approximate number of affected persons. Such notice shall be made without delaying notice to affected New York residents.
(C) IN THE EVENT THAT THE AFFECTED CLASS OF SUBJECT PERSONS TO BE NOTIFIED EXCEEDS FIVE HUNDRED THOUSAND, THE STATE ENTITY SHALL, WITHIN ONE HUNDRED TWENTY DAYS OF THE NOTICE REQUIRED BY SUBDIVISION FIVE OF THIS SECTION, FILE A REPORT WITH THE STATE ATTORNEY GENERAL, THE CONSUMER PROTECTION BOARD, AND THE STATE OFFICE OF CYBER SECURITY AND CRITICAL INFRASTRUCTURE COORDINATION DESCRIBING THE STEPS TAKEN TO MITIGATE THE EFFECTS OF THE BREACH IN THE SECURITY OF THE SYSTEM, INCLUDING, BUT NOT LIMITED TO, IMPLEMENTATION OF PROCEDURES FOR DETECTING, REPORTING, AND RESPONDING TO SUCH BREACHES, PROVIDED, HOWEVER, THAT THE STATE ENTITY SHALL NOT BE REQUIRED TO INCLUDE INFORMATION IN THE REPORT THAT IS SPECIFICALLY EXEMPTED FROM DISCLOSURE BY STATE OR FEDERAL LAW OR THAT WOULD, IF DISCLOSED, JEOPARDIZE THE STATE ENTITY'S CAPACITY TO GUARANTEE THE SECURITY OF ITS INFORMATION TECHNOLOGY ASSETS, SUCH ASSETS ENCOMPASSING BOTH ELECTRONIC INFORMATION SYSTEMS AND INFRASTRUCTURES.
8. Any entity listed in subparagraph two of paragraph [(c)] (E) of subdivision one of this section shall adopt a notification policy [no more than one hundred twenty days after the effective date of this section. Such entity may develop a notification policy] which is consistent with this section or alternatively shall adopt a local law which is consistent with this section. SUCH ENTITY SHALL FILE A COPY OF ITS POLICY OR LOCAL LAW WITH THE CONSUMER PROTECTION BOARD WITHIN NINETY DAYS OF ITS ADOPTION.
§ 3. This act shall take effect on the one hundred eightieth day after it shall have become a law.