NY State Senate Bill S7940B

Archive: Last Bill Status Via A10486 - Vetoed by Governor

Introduced
In Committee
On Floor Calendar
- Passed Senate
- Passed Assembly
Delivered to Governor
Vetoed by Governor

Your Voice

Please enter your contact information

First Name *

Last Name *

Email Address *

A valid email address is required.

Home address search or enter your address manually *

Home address is used to determine the senate district in which you reside. Your support or opposition to this bill is then shared immediately with the senator who represents you.

Optional services from the NY State Senate:

Create an account. An account allows you to officially support or oppose key legislation, sign petitions with a single click, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Include a custom message for your Senator? (Optional)

Enter a message to your senator. Many New Yorkers use this to share the reasoning behind their support or opposition to the bill. Others might share a personal anecdote about how the bill would affect them or people they care about.

Leave this field blank

Actions

view actions (15)

	Assembly Actions - Lowercase Senate Actions - UPPERCASE
Dec 07, 2018	tabled vetoed memo.293
Nov 26, 2018	delivered to governor
Jun 18, 2018	returned to assembly passed senate 3rd reading cal.1387 substituted for s7940b
Jun 18, 2018	substituted by a10486b
Jun 14, 2018	amended on third reading 7940b
Jun 04, 2018	advanced to third reading
May 31, 2018	2nd report cal.
May 30, 2018	1st report cal.1387
May 01, 2018	print number 7940a
May 01, 2018	amend and recommit to insurance
Mar 12, 2018	referred to insurance

Votes

Bill Amendments

Original

B (Active)

Original

B (Active)

Co-Sponsors

S7940 - Details

See Assembly Version of this Bill:: A10486
Law Section:: Insurance Law
Laws Affected:: Amd §1119, Ins L
Versions Introduced in Other Legislative Sessions:: 2019-2020: A1185
2021-2022: A749

S7940 - Summary

Authorizes continuing care retirement communities to adopt a written cybersecurity policy and requires such policies to be self-certified and approved by the superintendent.

S7940 - Sponsor Memo

 
BILL NUMBER: S7940

SPONSOR: SEWARD
 
TITLE OF BILL:

An act to amend the insurance law, in relation to clarifying that
continuing care retirement communities are not subject to department of
financial services cybersecurity regulations

 
PURPOSE:

The legislation clarifies existing Insurance Law to specify that
cybersecurity regulations adopted in 2017 by the Department of Financial
Services (DFS) do not apply to Continuing Care Retirement Communities
(CCRCs), which are authorized to operate by the CCRC Council and the
Department of Health (DOH), not by DFS.

 
SUMMARY OF PROVISIONS:

Section one of the legislation adds a new subsection (d) to Section 1119
of the Insurance Law, existing law which specifies that CCRCs operating

under Article 46 of the public health law are not subject to licensure
by DFS and are required to comply with specific rules and regulations of
the Superintendent. Subsection (d) specifically identifies the DFS
cybersecurity regulations as being outside of the requirements on CCRCs.

Section two establishes the effective date. The DFS cybersecurity regu-
lations are already in effect.

 
JUSTIFICATION:

DFS adopted final regulations (23 NYCRR Part 500) requiring most banks,
insurers and other financial institutions within DFS's regulatory juris-
diction to protect their customer information from cyberattacks. The
regulations became effective March 1, 2017, and require all covered
entities to annually certify they are complying with the regulations
beginning Feb. 15, 2018. DFS just stated in writing in Feb. 2018 that
CCRCs are covered by the requirements.

New York's CCRCs are much smaller than most financial institutions and
insurers that are subject to these regulations. The average CCRC has a
total annual operating budget of approximately $20 million. Unlike banks
and most insurers, which transact with thousands of customers, often
through e-commerce, CCRCs typically collect funds from only 200-400
prospective and existing residents in the form of deposits, entrance
fees and monthly fees. As health care providers, CCRCs are already
subject to HIPAA privacy standards and safeguards.

Compliance with these regulations will be very expensive, with one New
York CCRC that has an $11 million total annual operating budget estimat-
ing a $100-125,000 first year cost and $100,000 annual cost.  Among the
initial requirements are retaining a Chief Information Security Officer
and other personnel; implementing a cybersecurity program to include
penetration testing and vulnerability assessments; and implementing
multi-factor authentication. The regulations would pose an undue burden
on CCRCs, and could lead to large increases in resident fees.

 
LEGISLATIVE HISTORY:

New Bill.

 
FISCAL IMPLICATIONS:

None.

 
EFFECTIVE DATE:
This act shall take effect immediately.

S7940 - Bill Text download pdf


                    S T A T E   O F   N E W   Y O R K
________________________________________________________________________

                                  7940

                            I N  S E N A T E

                             March 12, 2018
                               ___________

Introduced  by  Sens.  SEWARD, AKSHAR -- read twice and ordered printed,
  and when printed to be committed to the Committee on Insurance

AN ACT to amend the  insurance  law,  in  relation  to  clarifying  that
  continuing  care  retirement communities are not subject to department
  of financial services cybersecurity regulations

  THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
BLY, DO ENACT AS FOLLOWS:

  Section  1.  Section  1119 of the insurance law is amended by adding a
new subsection (d) to read as follows:
  (D) EXCEPT AS EXPRESSLY REQUIRED  BY  THIS  SECTION,  AN  ORGANIZATION
AUTHORIZED  TO  OPERATE UNDER ARTICLE FORTY-SIX OF THE PUBLIC HEALTH LAW
SHALL NOT BE SUBJECT TO  THE  JURISDICTION  OF  THE  SUPERINTENDENT  AND
REQUIRED  TO  COMPLY WITH RULES AND REGULATIONS OF THE SUPERINTENDENT ON
MATTERS UNRELATED TO THE PROVISIONS OF THIS SECTION, INCLUDING, BUT  NOT
LIMITED  TO,  REGULATIONS  RELATING  TO  CYBERSECURITY  REQUIREMENTS FOR
FINANCIAL SERVICES COMPANIES.
  § 2. This act shall take effect immediately.






 EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                      [ ] is old law to be omitted.
                                                           LBD15067-01-8

Co-Sponsors

S7940A - Details

See Assembly Version of this Bill:: A10486
Law Section:: Insurance Law
Laws Affected:: Amd §1119, Ins L
Versions Introduced in Other Legislative Sessions:: 2019-2020: A1185
2021-2022: A749

S7940A - Summary

Authorizes continuing care retirement communities to adopt a written cybersecurity policy and requires such policies to be self-certified and approved by the superintendent.

S7940A - Sponsor Memo

 
BILL NUMBER: S7940A

SPONSOR: SEWARD
 
TITLE OF BILL:

An act to amend the insurance law, in relation to clarifying that
continuing care retirement communities are not subject to department of
financial services cybersecurity regulations

 
PURPOSE:

The legislation clarifies existing Insurance Law to specify that
cybersecurity regulations adopted in 2017 by the Department of Financial
Services (DFS) do not apply to Continuing Care Retirement Communities
(CCRCs), which are authorized to operate by the CCRC Council and the
Department of Health (DOH), not by DFS.

 
SUMMARY OF PROVISIONS:

Section one of the legislation adds a new subsection (d) to Section 1119
of the Insurance Law, existing law which specifies that CCRCs operating

under Article 46 of the public health law are not subject to licensure
by DFS and are required to comply with specific rules and regulations of
the Superintendent. Subsection (d) specifically identifies the DFS
cybersecurity regulations as being outside of the requirements on CCRCs,
and clarifies that such organizations will instead be subject to the
jurisdiction of the department of health regarding cybersecurity
requirements.

Section two establishes the effective date. The DFS cybersecurity regu-
lations are already in effect.

 
JUSTIFICATION:

DFS adopted final regulations (23 NYCRR Part 500) requiring most banks,
insurers and other financial institutions within DFS's regulatory juris-
diction to protect their customer information from cyberattacks. The
regulations became effective March 1, 2017, and require all covered
entities to annually certify they are complying with the regulations
beginning Feb. 15, 2018. DFS just stated in writing in Feb. 2018 that
CCRCs are covered by the requirements.  New York's CCRCs are much small-
er than most financial institutions and insurers that are subject to
these regulations. The average CCRC has a total annual operating budget
of approximately $20 million. Unlike banks and most insurers, which
transact with thousands of customers, often through e-commerce, CCRCs
typically collect funds from only 200-400 prospective and existing resi-
dents in the form of deposits, entrance fees and monthly fees. As health
care providers, CCRCs are already subject to HIPAA privacy standards and
safeguards.

Compliance with these regulations will be very expensive, with one New
York CCRC that has an $11 million total annual operating budget estimat-
ing a $100-125,000 first year cost and $100,000 annual cost.  Among the
initial requirements are retaining a Chief Information Security Officer
and other personnel; implementing a cybersecurity program to include
penetration testing and vulnerability assessments; and implementing
multi-factor authentication. The regulations would pose an undue burden
on CCRCs, and could lead to large increases in resident fees.

 
LEGISLATIVE HISTORY:

New Bill.

 
FISCAL IMPLICATIONS:

None.

 
EFFECTIVE DATE:
This act shall take effect immediately.

S7940A - Bill Text download pdf


                    S T A T E   O F   N E W   Y O R K
________________________________________________________________________

                                 7940--A

                            I N  S E N A T E

                             March 12, 2018
                               ___________

Introduced  by  Sens.  SEWARD, AKSHAR -- read twice and ordered printed,
  and when printed to be committed to  the  Committee  on  Insurance  --
  committee  discharged,  bill amended, ordered reprinted as amended and
  recommitted to said committee

AN ACT to amend the  insurance  law,  in  relation  to  clarifying  that
  continuing  care  retirement communities are not subject to department
  of financial services cybersecurity regulations

  THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
BLY, DO ENACT AS FOLLOWS:

  Section  1.  Section  1119 of the insurance law is amended by adding a
new subsection (d) to read as follows:
  (D) EXCEPT AS EXPRESSLY REQUIRED  BY  THIS  SECTION,  AN  ORGANIZATION
AUTHORIZED  TO  OPERATE UNDER ARTICLE FORTY-SIX OF THE PUBLIC HEALTH LAW
SHALL NOT BE SUBJECT TO  THE  JURISDICTION  OF  THE  SUPERINTENDENT  AND
REQUIRED  TO  COMPLY WITH RULES AND REGULATIONS OF THE SUPERINTENDENT ON
MATTERS UNRELATED TO THE PROVISIONS OF THIS SECTION, INCLUDING, BUT  NOT
LIMITED  TO,  REGULATIONS  RELATING  TO  CYBERSECURITY  REQUIREMENTS FOR
FINANCIAL SERVICES COMPANIES.    SUCH  ORGANIZATIONS  SHALL  INSTEAD  BE
SUBJECT  TO THE JURISDICTION OF THE DEPARTMENT OF HEALTH ON SUCH MATTERS
UNRELATED TO THE PROVISIONS OF THIS  SECTION,  INCLUDING  ANY  PERTINENT
REGULATIONS OR OVERSIGHT REGARDING CYBERSECURITY REQUIREMENTS.
  § 2. This act shall take effect immediately.





 EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                      [ ] is old law to be omitted.
                                                           LBD15067-02-8

Co-Sponsors

S7940B (ACTIVE) - Details

See Assembly Version of this Bill:: A10486
Law Section:: Insurance Law
Laws Affected:: Amd §1119, Ins L
Versions Introduced in Other Legislative Sessions:: 2019-2020: A1185
2021-2022: A749

S7940B (ACTIVE) - Summary

Authorizes continuing care retirement communities to adopt a written cybersecurity policy and requires such policies to be self-certified and approved by the superintendent.

S7940B (ACTIVE) - Sponsor Memo

 
BILL NUMBER: S7940B

SPONSOR: SEWARD
 
TITLE OF BILL:  An act to amend the insurance law, in relation to
clarifying that continuing care retirement communities are not subject
to department of financial services cybersecurity regulations

 
PURPOSE:

To permit a continuing care retirement community (CCRCs) to attest to
the department of financial services (DFS) that the CCRC's cybersecurity
policies are not inconsistent with cybersecurity regulations promulgated
by the superintendent

 
SUMMARY OF PROVISIONS:

Section one of the legislation adds a new subsection (d) to Section 1119
of the Insurance Law, to provide that CCRCs may adopt a written cyberse-
curity policy that is designed to protect the confidentiality of nonpub-
lic information and is in compliance with all applicable cybersecurity
and privacy laws and protections governing nursing homes, adult care

facilities and assisted living residences. This section would also
require CCRCs to self-certify their cybersecurity policies and file such
self-certification with the DFS. Finally, this section would require the
DFS to review the accuracy and reasonableness of the self-certification.

Section two establishes the effective date.

 
JUSTIFICATION:

DFS adopted final regulations (23 NYCRR Part 500) requiring most banks,
insurers and other financial institutions within DFS's regulatory juris-
diction to protect their customer information from cyberattacks. The
regulations became effective March 1, 2017, and require all covered
entities to annually certify they are complying with the regulations
beginning Feb. 15, 2018. DFS just stated in writing in Feb. 2018 that
CCRCs are covered by the requirements.

New York's CCRCs are much smaller than most financial institutions and
insurers that are subject to these regulations. The average CCRC has a
total annual operating budget of approximately $20 million. Unlike banks
and most insurers, which transact with thousands of customers, often
through e-commerce, CCRCs typically collect funds from only 200-400
prospective and existing residents in the form of deposits, entrance
fees and monthly fees. As health care providers, CCRCs are already
subject to HIPAA privacy standards and safeguards.

This bill would permit CCRCs to adopt a written cybersecurity policy and
to self-certify to the DFS that such policies are in compliance with all
applicable cybersecurity and privacy laws and protections, and that such
policies are not inconsistent with the cybersecurity regulations adopted
by the DFS.

 
LEGISLATIVE HISTORY:

New bill.

 
FISCAL IMPLICATIONS:

None.

 
EFFECTIVE DATE:
This act shall take effect immediately.

S7940B (ACTIVE) - Bill Text download pdf


                    S T A T E   O F   N E W   Y O R K
________________________________________________________________________

                                 7940--B
    Cal. No. 1387

                            I N  S E N A T E

                             March 12, 2018
                               ___________

Introduced  by  Sens.  SEWARD, AKSHAR -- read twice and ordered printed,
  and when printed to be committed to  the  Committee  on  Insurance  --
  committee  discharged,  bill amended, ordered reprinted as amended and
  recommitted to said committee -- reported favorably from said  commit-
  tee,  ordered  to first and second report, ordered to a third reading,
  amended and ordered reprinted, retaining its place  in  the  order  of
  third reading

AN  ACT  to  amend  the  insurance  law,  in relation to clarifying that
  continuing care retirement communities are not subject  to  department
  of financial services cybersecurity regulations

  THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
BLY, DO ENACT AS FOLLOWS:

  Section 1. Section 1119 of the insurance law is amended  by  adding  a
new subsection (d) to read as follows:
  (D) SUCH ORGANIZATION MAY ADOPT A WRITTEN CYBERSECURITY POLICY THAT IS
DESIGNED  TO  PROTECT  THE  CONFIDENTIALITY,  INTEGRITY  AND SECURITY OF
NONPUBLIC INFORMATION AND IS IN COMPLIANCE WITH: (I) THE HEALTH INFORMA-
TION TECHNOLOGY FOR ECONOMIC AND CLINICAL  HEALTH  ACT  ("HITECH"),  THE
HEALTH  INSURANCE  PORTABILITY  AND  ACCOUNTABILITY  ACT  ("HIPAA"), THE
GRAMM-LEACH-BLILEY ACT; AND (II) ALL OTHER APPLICABLE CYBERSECURITY  AND
PRIVACY  PROTECTIONS  GOVERNING NURSING HOMES, ADULT CARE FACILITIES AND
ASSISTED LIVING RESIDENCES TO THE EXTENT THE  PROTECTIONS  GOVERN  THOSE
COMPONENTS  OF  SUCH ORGANIZATION'S OPERATIONS. THE CYBERSECURITY POLICY
SHALL BE SELF-CERTIFIED BY SUCH  ORGANIZATION  AND  SUCH  SELF-CERTIFIED
CYBERSECURITY  POLICY SHALL BE FILED WITH THE SUPERINTENDENT.  THE SELF-
CERTIFICATION  SHALL  ATTEST  THAT  THE   POLICY   PROVIDES   SUFFICIENT
PROTECTIONS OF NONPUBLIC INFORMATION IN A MANNER WHICH IS NOT INCONSIST-
ENT  WITH  THE  GOALS OF THE CYBERSECURITY POLICIES ADOPTED BY FINANCIAL
SERVICES COMPANIES PURSUANT TO REGULATIONS  PROMULGATED  BY  THE  SUPER-
INTENDENT.  SUCH  SELF-CERTIFICATION SHALL BE DEEMED COMPLIANT WITH SUCH
REGULATIONS APPLICABLE TO FINANCIAL SERVICES COMPANIES. THE  SUPERINTEN-
DENT  SHALL  REVIEW  THE ACCURACY AND REASONABLENESS OF THE ATTESTATION.
UNLESS THE SUPERINTENDENT OBJECTS TO THE ATTESTATION WITHIN  SIXTY  DAYS
FROM  THE  DATE  IT  IS  SUBMITTED,  SUCH  ATTESTATION  SHALL  BE DEEMED
APPROVED.

  § 2. This act shall take effect immediately.

 EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                      [ ] is old law to be omitted.
                                                           LBD15067-09-8

Comments

Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.

Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.

The New York State Senate

senate Bill S7940B

Sponsored By

Archive: Last Bill Status Via A10486 - Vetoed by Governor

Your Voice

Actions

Votes

Jun 18, 2018 - floor Vote

Floor Vote: Jun 18, 2018

May 30, 2018 - Insurance committee Vote

Committee Vote: May 30, 2018

Bill Amendments

Co-Sponsors

S7940 - Details

S7940 - Summary

S7940 - Sponsor Memo

S7940 - Bill Text download pdf

Co-Sponsors

S7940A - Details

S7940A - Summary

S7940A - Sponsor Memo

S7940A - Bill Text download pdf

Co-Sponsors

S7940B (ACTIVE) - Details

S7940B (ACTIVE) - Summary

S7940B (ACTIVE) - Sponsor Memo

S7940B (ACTIVE) - Bill Text download pdf

Comments

senate Bill S7940B

Share this bill

Sponsored By

James L. Seward

Archive: Last Bill Status Via A10486 - Vetoed by Governor

Your Voice

Actions

Votes

Jun 18, 2018 - floor Vote

Floor Vote: Jun 18, 2018

May 30, 2018 - Insurance committee Vote

Committee Vote: May 30, 2018

Bill Amendments

Co-Sponsors

Fred Akshar

S7940 - Details

S7940 - Summary

S7940 - Sponsor Memo

S7940 - Bill Text download pdf

Co-Sponsors

Fred Akshar

S7940A - Details

S7940A - Summary

S7940A - Sponsor Memo

S7940A - Bill Text download pdf

Co-Sponsors

Fred Akshar

William J. Larkin, Jr.

S7940B (ACTIVE) - Details

S7940B (ACTIVE) - Summary

S7940B (ACTIVE) - Sponsor Memo

S7940B (ACTIVE) - Bill Text download pdf

Comments