NY State Senate Bill 2017-S6880

Archive: Last Bill Status - In Senate Committee Consumer Protection Committee

Introduced
- In Committee Assembly
- In Committee Senate
- On Floor Calendar Assembly
- On Floor Calendar Senate
- Passed Assembly
- Passed Senate
Delivered to Governor
Signed By Governor

Please enter your contact information

First Name

Last Name

Email Address

A valid email address is required.

Home address is used to determine the senate district in which you reside. Your support or opposition to this bill is then shared immediately with the senator who represents you.

Optional services from the NY State Senate:

Create an account. An account allows you to officially support or oppose key legislation, sign petitions with a single click, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Include a custom message for your Senator? (Optional)

Enter a message to your senator. Many New Yorkers use this to share the reasoning behind their support or opposition to the bill. Others might share a personal anecdote about how the bill would affect them or people they care about.

Actions

View Actions

	Assembly Actions - Lowercase Senate Actions - UPPERCASE
Jan 03, 2018	referred to consumer protection
Sep 20, 2017	referred to rules

co-Sponsors

View additional co-sponsors

2017-S6880 (ACTIVE) - Details

Current Committee:: Senate Consumer Protection
Law Section:: General Business Law
Laws Affected:: Amd §899-aa, Gen Bus L
Versions Introduced in Other Legislative Sessions:: 2019-2020: S2540
2021-2022: S5808
2023-2024: S2659

2017-S6880 (ACTIVE) - Summary

Provides that a business must provide notification of a data breach within 15 days of such breach; includes the department of financial services to the list of entities that must be notified of a data breach that affects any New York resident.

2017-S6880 (ACTIVE) - Sponsor Memo

                                
 
BILL NUMBER: S6880

SPONSOR: COMRIE
 
TITLE OF BILL:

An act to amend the general business law, in relation to notification of
a data breach

 
SUMMARY OF PROVISIONS:

This bill amends existing subdivisions 2 and 3 of section 899-aa of the
general business law to provide that consumer reporting agencies that
experience a data breach must disclose such breach within 15 days.

 
JUSTIFICATION:

On September 7th, 2017, one of three major consumer credit reporting
agencies in the United States-Equifax-reported that hackers gained
access to company data that potentially compromised sensitive informa-
tion for 143 million American consumers - nearly 44% of the U.S. popu-
lation. The breach included: social security numbers, driver's license

numbers, names, addresses and birth dates. Keys that unlock consumers'
medical histories, bank accounts, and employee accounts have also been
compromised. Credit card numbers for 209,000 consumers were stolen, and
documents with personal information used in disputes for 182,000 people
were also stolen.

The attack on Equifax represents one of the largest risks to personally
sensitive information in recent years. This incident is the third major
cybersecurity threat for the agency since 2015. Just last year, identify
thieves successfully hacked critical W-2 tax and salary data from an
Equifax website. Earlier this year, thieves again stole W-2 tax data
from an Equifax subsidiary, TAM which provides online payroll, tax and
human resources services to some of the nation's largest corporations.
According to investigations, criminals gained access to certain files in
the company's system from mid-May to July, 2017 by exploiting a weak
point in website software.

Identity thieves can impersonate people with lenders, creditors, and
service providers who rely on personal identity information. Thieves can
also use stored information from Equifax and use it to open accounts
with creditors that use Experian or TransUnion.  Cybersecurity profes-
sionals criticized Equifax for not improving its security practices
after previous thefts. Critics also argue that Equifax should have
multiple layers of controls. Consumers complained of a 6-week lag
between the discovery of the attack and Equifax's public disclosure.
Equifax discovered the intrusion on July 29th but it first disclosed the
attack publicly on September 7th.

There seems to be a broad sense of uncertainty by experts and lawmakers
as to which federal regulator, if any, is charged with the responsibil-
ity to monitor and do regular supervision on cybersecurity. The Consumer
Financial Protection Bureau has authority to police violations of
consumer protection laws by consumer credit bureaus, but the agency
generally leaves data privacy enforcement to the Federal Trade Commis-
sion. However, the Trade Commission lacks the authority to impose big
fines or authorize fines for first time violations of certain rules.
Neither have commented on applicable law or jurisdiction. Although
federal lawmakers have promised legislation and public hearings, no
clear authority is forthcoming in short order. Thus, it is time for New
York State to lead on this issue, given the fact that millions of our
residents were exposed in this episode.  
TO THIS END, THIS LEGISLATION
PROVIDES A CLEAR CONSUMER PROTECTION MANDATE THAT WILL AGGRESSIVELY
PROTECT CONSUMERS BY MANDATING TIMELY DISCLOSURE OF DATA BEACHES BY
CREDIT REPORTING AGENCIES.

 
LEGISLATIVE HISTORY:

This is a new bill.

 
FISCAL IMPLICATIONS:

None noted for the state; the design of the legislation could signif-
icant save money for consumers.

 
EFFECTIVE DATE:
This act shall take effect immediately.

2017-S6880 (ACTIVE) - Bill Text download pdf

                            
 
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                   6880
 
                        2017-2018 Regular Sessions
 
                             I N  S E N A T E
 
                            September 20, 2017
                                ___________
 
 Introduced  by  Sen.  COMRIE -- read twice and ordered printed, and when
   printed to be committed to the Committee on Rules
 
 AN ACT to amend the general business law, in relation to notification of
   a data breach
 
   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:

   Section 1. Subdivisions 2 and 3 of section 899-aa of the general busi-
 ness  law,  as  added by chapter 442 of the laws of 2005, are amended to
 read as follows:
   2. Any person or business which conducts business in New  York  state,
 and  which  owns  or  licenses  computerized data which includes private
 information shall disclose any breach of  the  security  of  the  system
 following discovery or notification of the breach in the security of the
 system  to any resident of New York state whose private information was,
 or is reasonably believed to have been, acquired  by  a  person  without
 valid  authorization. The disclosure shall be made in the most expedient
 time possible and without  unreasonable  delay,  [consistent  with]  AND
 SHALL  BE MADE WITHIN FIFTEEN DAYS AFTER THE BREACH HAS BEEN DISCOVERED,
 EXCEPT FOR the legitimate needs  of  law  enforcement,  as  provided  in
 subdivision  four  of this section[, or any measures necessary to deter-
 mine the scope of the breach and restore the reasonable integrity of the
 system].
   3. Any person or business  which  maintains  computerized  data  which
 includes  private information which such person or business does not own
 shall notify the owner or licensee of the information of any  breach  of
 the security of the system immediately AND WITHIN FIFTEEN DAYS following
 discovery,  if the private information was, or is reasonably believed to
 have been, acquired by a person without valid authorization.
   § 2. Paragraph (a) of subdivision 8 of section 899-aa of  the  general
 business  law,  as  amended  by section 6 of part N of chapter 55 of the
 laws of 2013, is amended to read as follows:
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.

                                                            LBD13507-01-7

 S. 6880                             2
 
   (a) In the event that any New York residents are to be  notified,  the
 person  or business shall notify the state attorney general, the depart-
 ment of state [and], the division of state police AND THE STATE  DEPART-
 MENT OF FINANCIAL SERVICES as to the timing, content and distribution of
 the  notices  and  approximate  number  of affected persons. Such notice
 shall be made without delaying notice to affected New York residents.
   § 3. This act shall take effect immediately.

Comments

Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.

Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.

Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Senate Bill S6880

Sponsored By

Archive: Last Bill Status - In Senate Committee Consumer Protection Committee

co-Sponsors

2017-S6880 (ACTIVE) - Details

2017-S6880 (ACTIVE) - Summary

2017-S6880 (ACTIVE) - Sponsor Memo

2017-S6880 (ACTIVE) - Bill Text download pdf

Comments

Senate Bill S6880

Share this bill

Sponsored By

Leroy Comrie

Archive: Last Bill Status - In Senate Committee Consumer Protection Committee

co-Sponsors

Joseph P. Addabbo Jr.

Jamaal T. Bailey

John E. Brooks

Simcha Felder

2017-S6880 (ACTIVE) - Details

2017-S6880 (ACTIVE) - Summary

2017-S6880 (ACTIVE) - Sponsor Memo

2017-S6880 (ACTIVE) - Bill Text download pdf

Comments