STATE OF NEW YORK
10190
IN ASSEMBLY
September 24, 2014
Introduced by COMMITTEE ON RULES -- (at request of M. of A. Dinowitz, Gottfried, Galef, Titone, Cook, Abinanti, Englebright, Otis, Fahy, Colton) -- read once and referred to the Committee on Consumer Affairs and Protection
AN ACT to amend the general business law, in relation to the protection of personal information by businesses
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEMBLY, DO ENACT AS FOLLOWS:
Section 1. Section 899-aa of the general business law, as added by chapter 442 of the laws of 2005, paragraph (c) of subdivision 1, paragraph (a) of subdivision 6 and subdivision 8 as amended by chapter 491 of the laws of 2005 and paragraph (a) of subdivision 8 as amended by section 6 of part N of chapter 55 of the laws of 2013, is amended to read as follows:
§ 899-aa. SAFEGUARDING PERSONAL INFORMATION; [Notification;] NOTIFICATION, person without valid authorization has acquired private information. 1. As used in this section, the following terms shall have the following meanings:
(a) "Personal information" shall mean any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person;
(b) "Private information" shall mean personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired:
(1) social security number;
(2) driver's license number or non-driver identification card number; or
(3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets [ ] is old law to be omitted.
LBD15710-01-4
A. 10190 2
"Private information" does not include publicly available information which is lawfully made available to the general public from federal, state, or local government records.
(c) "Breach of the security of the system" shall mean unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business. Good faith acquisition of personal information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure.
In determining whether information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person or a person without valid authorization, such business may consider the following factors, among others:
(1) indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing information; or
(2) indications that the information has been downloaded or copied; or
(3) indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.
(d) "Consumer reporting agency" shall mean any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports. A list of consumer reporting agencies shall be compiled by the state attorney general and furnished upon request to any person or business required to make a notification under subdivision two of this section.
2. Any person or business which conducts business in New York state, and which owns or licenses computerized data which includes private information shall:
(A) DEVELOP, IMPLEMENT, AND MAINTAIN A COMPREHENSIVE INFORMATION SECURITY PROGRAM WHICH MUST BE CONSISTENT WITH THE SAFEGUARDS FOR PROTECTION OF PERSONAL INFORMATION AND INFORMATION OF A SIMILAR CHARACTER SET FORTH IN ANY STATE OR FEDERAL LAWS OR REGULATIONS BY WHICH THE PERSON WHO OWNS OR LICENSES SUCH INFORMATION MAY BE REGULATED, AND THAT IS WRITTEN IN ONE OR MORE READILY ACCESSIBLE PARTS AND CONTAINS ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS THAT ARE APPROPRIATE TO:
(I) THE SIZE, SCOPE, AND TYPE OF BUSINESS OF THE PERSON OBLIGATED TO SAFEGUARD THE PERSONAL INFORMATION UNDER SUCH COMPREHENSIVE INFORMATION SECURITY PROGRAM;
(II) THE AMOUNT OF RESOURCES AVAILABLE TO SUCH PERSON OR BUSINESS;
(III) THE AMOUNT OF STORED DATA; AND
(IV) THE NEED FOR SECURITY AND CONFIDENTIALITY OF INFORMATION OF CUSTOMERS AND EMPLOYEES OF THE BUSINESS.
(B) disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision four of this section, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.
3. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, EVERY COMPREHENSIVE INFORMATION SECURITY PROGRAM PURSUANT TO PARAGRAPH (A) OF SUBDIVISION TWO SHALL INCLUDE, BUT NOT BE LIMITED TO:
(A) DESIGNATING ONE OR MORE EMPLOYEES TO MAINTAIN THE COMPREHENSIVE INFORMATION SECURITY PROGRAM;
(B) IDENTIFYING AND ASSESSING REASONABLY FORESEEABLE INTERNAL AND EXTERNAL RISKS TO THE SECURITY, CONFIDENTIALITY, AND/OR INTEGRITY OF ANY ELECTRONIC, PAPER, OR OTHER RECORDS CONTAINING PERSONAL INFORMATION, AND EVALUATING AND IMPROVING, WHERE NECESSARY, THE CURRENT SAFEGUARDS FOR LIMITING SUCH RISKS, INCLUDING, BUT NOT LIMITED TO:
(I) PROVIDING ONGOING EMPLOYEE TRAINING;
(II) MONITORING EMPLOYEE COMPLIANCE WITH POLICIES AND PROCEDURES; AND
(III) IDENTIFYING MEANS FOR DETECTING AND PREVENTING SECURITY SYSTEM FAILURES.
(C) DEVELOPING SECURITY POLICIES FOR EMPLOYEES RELATING TO THE STORAGE, ACCESS, AND TRANSPORTATION OF RECORDS CONTAINING PERSONAL INFORMATION OUTSIDE OF BUSINESS PREMISES;
(D) IMPOSING DISCIPLINARY MEASURES FOR VIOLATIONS OF THE COMPREHENSIVE INFORMATION SECURITY PROGRAM RULES;
(E) PREVENTING TERMINATED OR FORMER EMPLOYEES FROM ACCESSING RECORDS CONTAINING PERSONAL INFORMATION;
(F) OVERSEEING THIRD-PARTY SERVICE PROVIDERS BY:
(I) TAKING REASONABLE STEPS TO SELECT AND RETAIN THIRD-PARTY SERVICE PROVIDERS THAT ARE CAPABLE OF MAINTAINING APPROPRIATE SECURITY MEASURES TO PROTECT SUCH PERSONAL INFORMATION CONSISTENT WITH THESE PROVISIONS AND ANY APPLICABLE FEDERAL LAWS OR REGULATIONS; AND
(II) REQUIRING SUCH THIRD-PARTY SERVICE PROVIDERS BY CONTRACT TO IMPLEMENT AND MAINTAIN SUCH APPROPRIATE SECURITY MEASURES FOR PERSONAL INFORMATION; PROVIDED, HOWEVER, THAT UNTIL OCTOBER FIRST, TWO THOUSAND SEVENTEEN, A CONTRACT A PERSON OR BUSINESS HAS ENTERED INTO WITH A THIRD-PARTY SERVICE PROVIDER TO PERFORM SERVICES FOR OR FUNCTIONS ON BEHALF OF SUCH PERSON OR BUSINESS SATISFIES THE PROVISIONS OF THIS SUBPARAGRAPH EVEN IF THE CONTRACT A PERSON OR BUSINESS HAS ENTERED INTO WITH A THIRD-PARTY SERVICE PROVIDER DOES NOT INCLUDE A REQUIREMENT THAT THE THIRD-PARTY SERVICE PROVIDER MAINTAINS SUCH APPROPRIATE SAFEGUARDS, AS LONG AS SAID PERSON OR BUSINESS ENTERED INTO THE CONTRACT NO LATER THAN OCTOBER FIRST, TWO THOUSAND FIFTEEN.
(G) PLACING REASONABLE RESTRICTIONS UPON PHYSICAL ACCESS TO RECORDS CONTAINING PERSONAL INFORMATION, AND STORAGE OF SUCH RECORDS AND DATA IN LOCKED FACILITIES, STORAGE AREAS, OR CONTAINERS;
(H) ENSURING THAT THE COMPREHENSIVE INFORMATION SECURITY PROGRAM IS OPERATING IN A MANNER REASONABLY CALCULATED TO PREVENT UNAUTHORIZED ACCESS TO OR UNAUTHORIZED USE OF PERSONAL INFORMATION, AND UPGRADING INFORMATION SAFEGUARDS AS NECESSARY TO LIMIT RISKS;
(I) REVIEWING THE SCOPE OF THE SECURITY MEASURES AT LEAST ANNUALLY OR WHENEVER THERE IS A MATERIAL CHANGE IN BUSINESS PRACTICES THAT MAY REASONABLY JEOPARDIZE THE SECURITY OR INTEGRITY OF RECORDS CONTAINING PERSONAL INFORMATION; AND
(J) DOCUMENTING RESPONSIVE ACTIONS TAKEN IN CONNECTION WITH ANY INCIDENT INVOLVING A BREACH OF SECURITY, AND MANDATORY POST-INCIDENT REVIEW OF EVENTS AND ACTIONS TAKEN, IF ANY, TO MAKE CHANGES IN BUSINESS PRACTICES RELATING TO PROTECTION OF PERSONAL INFORMATION.
[3.] 4. Any person or business which maintains computerized data which includes private information which such person or business does not own shall:
(A) INCLUDE IN ITS WRITTEN, COMPREHENSIVE INFORMATION SECURITY PROGRAM THE ESTABLISHMENT AND MAINTENANCE OF A SECURITY SYSTEM COVERING ITS COMPUTERS, INCLUDING ANY WIRELESS SYSTEM, THAT, AT A MINIMUM, AND TO THE EXTENT TECHNICALLY FEASIBLE, INCLUDES THE FOLLOWING ELEMENTS:
(I) SECURE USER AUTHENTICATION PROTOCOLS INCLUDING:
(1) CONTROL OF USER IDENTIFICATIONS AND OTHER IDENTIFIERS;
(2) A REASONABLY SECURE METHOD OF ASSIGNING AND SELECTING PASSWORDS, OR USE OF UNIQUE IDENTIFIER TECHNOLOGIES, SUCH AS BIOMETRICS OR TOKEN DEVICES;
(3) CONTROL OF DATA SECURITY PASSWORDS TO ENSURE THAT SUCH PASSWORDS ARE KEPT IN A LOCATION AND/OR FORMAT THAT DOES NOT COMPROMISE THE SECURITY OF THE DATA THEY PROTECT;
(4) RESTRICTING ACCESS TO ACTIVE USERS AND ACTIVE USER ACCOUNTS ONLY; AND
(5) BLOCKING ACCESS TO USER IDENTIFICATION AFTER MULTIPLE UNSUCCESSFUL ATTEMPTS TO GAIN ACCESS OR THE LIMITATION PLACED ON ACCESS FOR THE PARTICULAR SYSTEM;
(II) SECURE ACCESS CONTROL MEASURES THAT:
(1) RESTRICT ACCESS TO RECORDS AND FILES CONTAINING PERSONAL INFORMATION TO THOSE WHO NEED SUCH INFORMATION TO PERFORM THEIR JOB DUTIES; AND
(2) ASSIGN UNIQUE IDENTIFICATIONS PLUS PASSWORDS, WHICH ARE NOT VENDOR-SUPPLIED DEFAULT PASSWORDS, TO EACH PERSON WITH COMPUTER ACCESS THAT ARE REASONABLY DESIGNED TO MAINTAIN THE INTEGRITY OF THE SECURITY OF THE ACCESS CONTROLS;
(III) ENCRYPTION OF ALL TRANSMITTED RECORDS AND FILES CONTAINING PERSONAL INFORMATION THAT WILL TRAVEL ACROSS PUBLIC NETWORKS, AND ENCRYPTION OF ALL DATA CONTAINING PERSONAL INFORMATION TO BE TRANSMITTED WIRELESSLY;
(IV) REASONABLE MONITORING OF SYSTEMS FOR UNAUTHORIZED USE OF OR ACCESS TO PERSONAL INFORMATION;
(V) ENCRYPTION OF ALL PERSONAL INFORMATION STORED ON LAPTOPS OR OTHER PORTABLE DEVICES;
(VI) FOR FILES CONTAINING PERSONAL INFORMATION ON A SYSTEM THAT IS CONNECTED TO THE INTERNET, FIREWALL PROTECTION AND OPERATING SYSTEM SECURITY PATCHES REASONABLY DESIGNED TO MAINTAIN THE INTEGRITY OF THE PERSONAL INFORMATION;
(VII) SYSTEM SECURITY AGENT SOFTWARE WHICH MUST INCLUDE MALWARE PROTECTION AND VIRUS DEFINITIONS, OR A VERSION OF SUCH SOFTWARE THAT CAN STILL BE SUPPORTED WITH UP-TO-DATE PATCHES AND VIRUS DEFINITIONS, AND IS SET TO RECEIVE THE MOST CURRENT SECURITY UPDATES ON A REGULAR BASIS; AND
(VIII) EDUCATION AND TRAINING OF EMPLOYEES ON THE PROPER USE OF THE COMPUTER SECURITY SYSTEM AND THE IMPORTANCE OF PERSONAL INFORMATION SECURITY.
(B) notify the owner or licensee of the information of any breach of the security of the system immediately following discovery, if the private information was, or is reasonably believed to have been, acquired by a person without valid authorization.
[4.] 5. The notification required by this section may be delayed if a law enforcement agency determines that such notification impedes a criminal investigation. The notification required by this section shall be made after such law enforcement agency determines that such notification does not compromise such investigation.
[5.] 6. The notice required by this section shall be directly provided to the affected persons by one of the following methods:
(a) written notice;
(b) electronic notice, provided that the person to whom notice is required has expressly consented to receiving said notice in electronic form and a log of each such notification is kept by the person or business who notifies affected persons in such form; provided further, however, that in no case shall any person or business require a person to consent to accepting said notice in said form as a condition of establishing any business relationship or engaging in any transaction.
(c) telephone notification provided that a log of each such notification is kept by the person or business who notifies affected persons; or
(d) Substitute notice, if a business demonstrates to the state attorney general that the cost of providing notice would exceed two hundred fifty thousand dollars, or that the affected class of subject persons to be notified exceeds five hundred thousand, or such business does not have sufficient contact information. Substitute notice shall consist of all of the following:
(1) e-mail notice when such business has an e-mail address for the subject persons;
(2) conspicuous posting of the notice on such business's web site page, if such business maintains one; and
(3) notification to major statewide media.
[6.] 7. (a) whenever the attorney general shall believe from evidence satisfactory to him that there is a violation of this article he may bring an action in the name and on behalf of the people of the state of New York, in a court of justice having jurisdiction to issue an injunction, to enjoin and restrain the continuation of such violation. In such action, preliminary relief may be granted under article sixty-three of the civil practice law and rules. In such action the court may award damages for actual costs or losses incurred by a person entitled to notice pursuant to this article, if notification was not provided to such person pursuant to this article, including consequential financial losses. Whenever the court shall determine in such action that a person or business violated this article knowingly or recklessly, the court may impose a civil penalty of the greater of five thousand dollars or up to ten dollars per instance of failed notification, provided that the latter amount shall not exceed one hundred fifty thousand dollars.
(b) the remedies provided by this section shall be in addition to any other lawful remedy available.
(c) no action may be brought under the provisions of this section unless such action is commenced within two years immediately after the date of the act complained of or the date of discovery of such act.
[7.] 8. Regardless of the method by which notice is provided, such notice shall include contact information for the person or business making the notification and a description of the categories of information that were, or are reasonably believed to have been, acquired by a person without valid authorization, including specification of which of the elements of personal information and private information were, or are reasonably believed to have been, so acquired.
[8.] 9. (a) In the event that any New York residents are to be notified, the person or business shall notify the state attorney general, the department of state and the division of state police as to the timing, content and distribution of the notices and approximate number of affected persons. Such notice shall be made without delaying notice to affected New York residents.
(b) In the event that more than five thousand New York residents are to be notified at one time, the person or business shall also notify consumer reporting agencies as to the timing, content and distribution of the notices and approximate number of affected persons. Such notice shall be made without delaying notice to affected New York residents.
[9.] 10. The provisions of this section shall be exclusive and shall preempt any provisions of local law, ordinance or code, and no locality shall impose requirements that are inconsistent with or more restrictive than those set forth in this section.
§ 2. This act shall take effect immediately; provided, however, that the provisions of this act shall apply to any person or business who owns or licenses personal information about a resident of New York within eighteen months after such effective date, provided, further, that any person or business may come into compliance before such effective date.