NY State Senate Bill 2017-S7940B

Senate Bill S7940B

Vetoed By Governor

2017-2018 Legislative Session

Relates to clarifying that continuing care retirement communities are not subject to certain cybersecurity regulations

download bill text pdf

Archive: Last Bill Status Via A10486 - Vetoed by Governor

Introduced
- In Committee Assembly
- In Committee Senate
- On Floor Calendar Assembly
- On Floor Calendar Senate
- Passed Assembly
- Passed Senate
Vetoed By Governor
Signed By Governor

Please enter your contact information

First Name

Last Name

Email Address

A valid email address is required.

Home address is used to determine the senate district in which you reside. Your support or opposition to this bill is then shared immediately with the senator who represents you.

Optional services from the NY State Senate:

Create an account. An account allows you to officially support or oppose key legislation, sign petitions with a single click, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Include a custom message for your Senator? (Optional)

Enter a message to your senator. Many New Yorkers use this to share the reasoning behind their support or opposition to the bill. Others might share a personal anecdote about how the bill would affect them or people they care about.

Actions

View Actions

	Assembly Actions - Lowercase Senate Actions - UPPERCASE
Dec 07, 2018	tabled vetoed memo.293
Nov 26, 2018	delivered to governor
Jun 18, 2018	returned to assembly passed senate 3rd reading cal.1387 substituted for s7940b
Jun 18, 2018	substituted by a10486b
Jun 14, 2018	amended on third reading 7940b
Jun 04, 2018	advanced to third reading
May 31, 2018	2nd report cal.
May 30, 2018	1st report cal.1387
May 01, 2018	print number 7940a
May 01, 2018	amend and recommit to insurance
Mar 12, 2018	referred to insurance

Votes

- Jun 18, 2018 - Floor Vote
  A10486
  
  62
  
  Aye
  
  0
  
  Nay
  
  0
  
  Absent
  
  1
  
  Excused
  
  0
  
  Abstained
  - - Floor Vote: Jun 18, 2018
      
      aye (62)
      
      Addabbo Jr.
      
      Akshar
      
      Alcantara
      
      Amedore
      
      Avella
      
      Bailey
      
      Benjamin
      
      Bonacic
      
      Boyle
      
      Breslin
      
      Brooks
      
      Carlucci
      
      Comrie
      
      DeFrancisco
      
      Dilan
      
      Felder
      
      Flanagan
      
      Funke
      
      Gallivan
      
      Gianaris
      
      Golden
      
      Griffo
      
      Hamilton
      
      Hannon
      
      Helming
      
      Hoylman-Sigal
      
      Jacobs
      
      Kaminsky
      
      Kavanagh
      
      Kennedy
      
      Klein
      
      Krueger
      
      LaValle
      
      Lanza
      
      Larkin
      
      Little
      
      Marcellino
      
      Marchione
      
      Mayer
      
      Montgomery
      
      Murphy
      
      O'Mara
      
      Ortt
      
      Parker
      
      Peralta
      
      Persaud
      
      Phillips
      
      Ranzenhofer
      
      Ritchie
      
      Rivera
      
      Robach
      
      Sanders Jr.
      
      Savino
      
      Sepúlveda
      
      Serino
      
      Serrano
      
      Seward
      
      Stavisky
      
      Stewart-Cousins
      
      Tedisco
      
      Valesky
      
      Young
      
      excused (1)
      
      Croci
  May 30, 2018 - Insurance Committee Vote
  S7940B
  
  18
  
  Aye
  
  0
  
  Nay
  
  1
  
  Aye with Reservations
  
  0
  
  Absent
  
  0
  
  Excused
  
  0
  
  Abstained
  - - Insurance Committee Vote: May 30, 2018
      
      aye (18)
      
      Akshar
      
      Benjamin
      
      Breslin
      
      Brooks
      
      Hamilton
      
      Jacobs
      
      Kennedy
      
      LaValle
      
      Lanza
      
      Larkin
      
      Mayer
      
      Murphy
      
      O'Mara
      
      Parker
      
      Rivera
      
      Savino
      
      Serino
      
      Seward
      
      aye wr (1)
      
      Golden

Bill Amendments

Original

B (Active)

co-Sponsors

2017-S7940 - Details

See Assembly Version of this Bill:: A10486
Law Section:: Insurance Law
Laws Affected:: Amd §1119, Ins L
Versions Introduced in 2017-2018 Legislative Session:: S7940, A10486

2017-S7940 - Summary

Authorizes continuing care retirement communities to adopt a written cybersecurity policy and requires such policies to be self-certified and approved by the superintendent.

2017-S7940 - Sponsor Memo

                                
 
BILL NUMBER: S7940

SPONSOR: SEWARD
 
TITLE OF BILL:

An act to amend the insurance law, in relation to clarifying that
continuing care retirement communities are not subject to department of
financial services cybersecurity regulations

 
PURPOSE:

The legislation clarifies existing Insurance Law to specify that
cybersecurity regulations adopted in 2017 by the Department of Financial
Services (DFS) do not apply to Continuing Care Retirement Communities
(CCRCs), which are authorized to operate by the CCRC Council and the
Department of Health (DOH), not by DFS.

 
SUMMARY OF PROVISIONS:

Section one of the legislation adds a new subsection (d) to Section 1119
of the Insurance Law, existing law which specifies that CCRCs operating

under Article 46 of the public health law are not subject to licensure
by DFS and are required to comply with specific rules and regulations of
the Superintendent. Subsection (d) specifically identifies the DFS
cybersecurity regulations as being outside of the requirements on CCRCs.

Section two establishes the effective date. The DFS cybersecurity regu-
lations are already in effect.

 
JUSTIFICATION:

DFS adopted final regulations (23 NYCRR Part 500) requiring most banks,
insurers and other financial institutions within DFS's regulatory juris-
diction to protect their customer information from cyberattacks. The
regulations became effective March 1, 2017, and require all covered
entities to annually certify they are complying with the regulations
beginning Feb. 15, 2018. DFS just stated in writing in Feb. 2018 that
CCRCs are covered by the requirements.

New York's CCRCs are much smaller than most financial institutions and
insurers that are subject to these regulations. The average CCRC has a
total annual operating budget of approximately $20 million. Unlike banks
and most insurers, which transact with thousands of customers, often
through e-commerce, CCRCs typically collect funds from only 200-400
prospective and existing residents in the form of deposits, entrance
fees and monthly fees. As health care providers, CCRCs are already
subject to HIPAA privacy standards and safeguards.

Compliance with these regulations will be very expensive, with one New
York CCRC that has an $11 million total annual operating budget estimat-
ing a $100-125,000 first year cost and $100,000 annual cost.  Among the
initial requirements are retaining a Chief Information Security Officer
and other personnel; implementing a cybersecurity program to include
penetration testing and vulnerability assessments; and implementing
multi-factor authentication. The regulations would pose an undue burden
on CCRCs, and could lead to large increases in resident fees.

 
LEGISLATIVE HISTORY:

New Bill.

 
FISCAL IMPLICATIONS:

None.

 
EFFECTIVE DATE:
This act shall take effect immediately.

2017-S7940 - Bill Text download pdf

                            
 
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                   7940
 
                             I N  S E N A T E
 
                              March 12, 2018
                                ___________
 
 Introduced  by  Sens.  SEWARD, AKSHAR -- read twice and ordered printed,
   and when printed to be committed to the Committee on Insurance
 
 AN ACT to amend the  insurance  law,  in  relation  to  clarifying  that
   continuing  care  retirement communities are not subject to department
   of financial services cybersecurity regulations
 
   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section  1.  Section  1119 of the insurance law is amended by adding a
 new subsection (d) to read as follows:
   (D) EXCEPT AS EXPRESSLY REQUIRED  BY  THIS  SECTION,  AN  ORGANIZATION
 AUTHORIZED  TO  OPERATE UNDER ARTICLE FORTY-SIX OF THE PUBLIC HEALTH LAW
 SHALL NOT BE SUBJECT TO  THE  JURISDICTION  OF  THE  SUPERINTENDENT  AND
 REQUIRED  TO  COMPLY WITH RULES AND REGULATIONS OF THE SUPERINTENDENT ON
 MATTERS UNRELATED TO THE PROVISIONS OF THIS SECTION, INCLUDING, BUT  NOT
 LIMITED  TO,  REGULATIONS  RELATING  TO  CYBERSECURITY  REQUIREMENTS FOR
 FINANCIAL SERVICES COMPANIES.
   § 2. This act shall take effect immediately.
 
 
 
 
 
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD15067-01-8

co-Sponsors

2017-S7940A - Details

See Assembly Version of this Bill:: A10486
Law Section:: Insurance Law
Laws Affected:: Amd §1119, Ins L
Versions Introduced in 2017-2018 Legislative Session:: S7940, A10486

2017-S7940A - Summary

Authorizes continuing care retirement communities to adopt a written cybersecurity policy and requires such policies to be self-certified and approved by the superintendent.

2017-S7940A - Sponsor Memo

                                
 
BILL NUMBER: S7940A

SPONSOR: SEWARD
 
TITLE OF BILL:

An act to amend the insurance law, in relation to clarifying that
continuing care retirement communities are not subject to department of
financial services cybersecurity regulations

 
PURPOSE:

The legislation clarifies existing Insurance Law to specify that
cybersecurity regulations adopted in 2017 by the Department of Financial
Services (DFS) do not apply to Continuing Care Retirement Communities
(CCRCs), which are authorized to operate by the CCRC Council and the
Department of Health (DOH), not by DFS.

 
SUMMARY OF PROVISIONS:

Section one of the legislation adds a new subsection (d) to Section 1119
of the Insurance Law, existing law which specifies that CCRCs operating

under Article 46 of the public health law are not subject to licensure
by DFS and are required to comply with specific rules and regulations of
the Superintendent. Subsection (d) specifically identifies the DFS
cybersecurity regulations as being outside of the requirements on CCRCs,
and clarifies that such organizations will instead be subject to the
jurisdiction of the department of health regarding cybersecurity
requirements.

Section two establishes the effective date. The DFS cybersecurity regu-
lations are already in effect.

 
JUSTIFICATION:

DFS adopted final regulations (23 NYCRR Part 500) requiring most banks,
insurers and other financial institutions within DFS's regulatory juris-
diction to protect their customer information from cyberattacks. The
regulations became effective March 1, 2017, and require all covered
entities to annually certify they are complying with the regulations
beginning Feb. 15, 2018. DFS just stated in writing in Feb. 2018 that
CCRCs are covered by the requirements.  New York's CCRCs are much small-
er than most financial institutions and insurers that are subject to
these regulations. The average CCRC has a total annual operating budget
of approximately $20 million. Unlike banks and most insurers, which
transact with thousands of customers, often through e-commerce, CCRCs
typically collect funds from only 200-400 prospective and existing resi-
dents in the form of deposits, entrance fees and monthly fees. As health
care providers, CCRCs are already subject to HIPAA privacy standards and
safeguards.

Compliance with these regulations will be very expensive, with one New
York CCRC that has an $11 million total annual operating budget estimat-
ing a $100-125,000 first year cost and $100,000 annual cost.  Among the
initial requirements are retaining a Chief Information Security Officer
and other personnel; implementing a cybersecurity program to include
penetration testing and vulnerability assessments; and implementing
multi-factor authentication. The regulations would pose an undue burden
on CCRCs, and could lead to large increases in resident fees.

 
LEGISLATIVE HISTORY:

New Bill.

 
FISCAL IMPLICATIONS:

None.

 
EFFECTIVE DATE:
This act shall take effect immediately.

2017-S7940A - Bill Text download pdf

                            
 
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                  7940--A
 
                             I N  S E N A T E
 
                              March 12, 2018
                                ___________
 
 Introduced  by  Sens.  SEWARD, AKSHAR -- read twice and ordered printed,
   and when printed to be committed to  the  Committee  on  Insurance  --
   committee  discharged,  bill amended, ordered reprinted as amended and
   recommitted to said committee
 
 AN ACT to amend the  insurance  law,  in  relation  to  clarifying  that
   continuing  care  retirement communities are not subject to department
   of financial services cybersecurity regulations
 
   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section  1.  Section  1119 of the insurance law is amended by adding a
 new subsection (d) to read as follows:
   (D) EXCEPT AS EXPRESSLY REQUIRED  BY  THIS  SECTION,  AN  ORGANIZATION
 AUTHORIZED  TO  OPERATE UNDER ARTICLE FORTY-SIX OF THE PUBLIC HEALTH LAW
 SHALL NOT BE SUBJECT TO  THE  JURISDICTION  OF  THE  SUPERINTENDENT  AND
 REQUIRED  TO  COMPLY WITH RULES AND REGULATIONS OF THE SUPERINTENDENT ON
 MATTERS UNRELATED TO THE PROVISIONS OF THIS SECTION, INCLUDING, BUT  NOT
 LIMITED  TO,  REGULATIONS  RELATING  TO  CYBERSECURITY  REQUIREMENTS FOR
 FINANCIAL SERVICES COMPANIES.    SUCH  ORGANIZATIONS  SHALL  INSTEAD  BE
 SUBJECT  TO THE JURISDICTION OF THE DEPARTMENT OF HEALTH ON SUCH MATTERS
 UNRELATED TO THE PROVISIONS OF THIS  SECTION,  INCLUDING  ANY  PERTINENT
 REGULATIONS OR OVERSIGHT REGARDING CYBERSECURITY REQUIREMENTS.
   § 2. This act shall take effect immediately.
 
 
 
 
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD15067-02-8

co-Sponsors

2017-S7940B (ACTIVE) - Details

See Assembly Version of this Bill:: A10486
Law Section:: Insurance Law
Laws Affected:: Amd §1119, Ins L
Versions Introduced in 2017-2018 Legislative Session:: S7940, A10486

2017-S7940B (ACTIVE) - Summary

Authorizes continuing care retirement communities to adopt a written cybersecurity policy and requires such policies to be self-certified and approved by the superintendent.

2017-S7940B (ACTIVE) - Sponsor Memo

                                
 
BILL NUMBER: S7940B

SPONSOR: SEWARD
 
TITLE OF BILL:  An act to amend the insurance law, in relation to
clarifying that continuing care retirement communities are not subject
to department of financial services cybersecurity regulations

 
PURPOSE:

To permit a continuing care retirement community (CCRCs) to attest to
the department of financial services (DFS) that the CCRC's cybersecurity
policies are not inconsistent with cybersecurity regulations promulgated
by the superintendent

 
SUMMARY OF PROVISIONS:

Section one of the legislation adds a new subsection (d) to Section 1119
of the Insurance Law, to provide that CCRCs may adopt a written cyberse-
curity policy that is designed to protect the confidentiality of nonpub-
lic information and is in compliance with all applicable cybersecurity
and privacy laws and protections governing nursing homes, adult care

facilities and assisted living residences. This section would also
require CCRCs to self-certify their cybersecurity policies and file such
self-certification with the DFS. Finally, this section would require the
DFS to review the accuracy and reasonableness of the self-certification.

Section two establishes the effective date.

 
JUSTIFICATION:

DFS adopted final regulations (23 NYCRR Part 500) requiring most banks,
insurers and other financial institutions within DFS's regulatory juris-
diction to protect their customer information from cyberattacks. The
regulations became effective March 1, 2017, and require all covered
entities to annually certify they are complying with the regulations
beginning Feb. 15, 2018. DFS just stated in writing in Feb. 2018 that
CCRCs are covered by the requirements.

New York's CCRCs are much smaller than most financial institutions and
insurers that are subject to these regulations. The average CCRC has a
total annual operating budget of approximately $20 million. Unlike banks
and most insurers, which transact with thousands of customers, often
through e-commerce, CCRCs typically collect funds from only 200-400
prospective and existing residents in the form of deposits, entrance
fees and monthly fees. As health care providers, CCRCs are already
subject to HIPAA privacy standards and safeguards.

This bill would permit CCRCs to adopt a written cybersecurity policy and
to self-certify to the DFS that such policies are in compliance with all
applicable cybersecurity and privacy laws and protections, and that such
policies are not inconsistent with the cybersecurity regulations adopted
by the DFS.

 
LEGISLATIVE HISTORY:

New bill.

 
FISCAL IMPLICATIONS:

None.

 
EFFECTIVE DATE:
This act shall take effect immediately.

2017-S7940B (ACTIVE) - Bill Text download pdf

                            
 
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                  7940--B
     Cal. No. 1387
 
                             I N  S E N A T E
 
                              March 12, 2018
                                ___________
 
 Introduced  by  Sens.  SEWARD, AKSHAR -- read twice and ordered printed,
   and when printed to be committed to  the  Committee  on  Insurance  --
   committee  discharged,  bill amended, ordered reprinted as amended and
   recommitted to said committee -- reported favorably from said  commit-
   tee,  ordered  to first and second report, ordered to a third reading,
   amended and ordered reprinted, retaining its place  in  the  order  of
   third reading
 
 AN  ACT  to  amend  the  insurance  law,  in relation to clarifying that
   continuing care retirement communities are not subject  to  department
   of financial services cybersecurity regulations
 
   THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. Section 1119 of the insurance law is amended  by  adding  a
 new subsection (d) to read as follows:
   (D) SUCH ORGANIZATION MAY ADOPT A WRITTEN CYBERSECURITY POLICY THAT IS
 DESIGNED  TO  PROTECT  THE  CONFIDENTIALITY,  INTEGRITY  AND SECURITY OF
 NONPUBLIC INFORMATION AND IS IN COMPLIANCE WITH: (I) THE HEALTH INFORMA-
 TION TECHNOLOGY FOR ECONOMIC AND CLINICAL  HEALTH  ACT  ("HITECH"),  THE
 HEALTH  INSURANCE  PORTABILITY  AND  ACCOUNTABILITY  ACT  ("HIPAA"), THE
 GRAMM-LEACH-BLILEY ACT; AND (II) ALL OTHER APPLICABLE CYBERSECURITY  AND
 PRIVACY  PROTECTIONS  GOVERNING NURSING HOMES, ADULT CARE FACILITIES AND
 ASSISTED LIVING RESIDENCES TO THE EXTENT THE  PROTECTIONS  GOVERN  THOSE
 COMPONENTS  OF  SUCH ORGANIZATION'S OPERATIONS. THE CYBERSECURITY POLICY
 SHALL BE SELF-CERTIFIED BY SUCH  ORGANIZATION  AND  SUCH  SELF-CERTIFIED
 CYBERSECURITY  POLICY SHALL BE FILED WITH THE SUPERINTENDENT.  THE SELF-
 CERTIFICATION  SHALL  ATTEST  THAT  THE   POLICY   PROVIDES   SUFFICIENT
 PROTECTIONS OF NONPUBLIC INFORMATION IN A MANNER WHICH IS NOT INCONSIST-
 ENT  WITH  THE  GOALS OF THE CYBERSECURITY POLICIES ADOPTED BY FINANCIAL
 SERVICES COMPANIES PURSUANT TO REGULATIONS  PROMULGATED  BY  THE  SUPER-
 INTENDENT.  SUCH  SELF-CERTIFICATION SHALL BE DEEMED COMPLIANT WITH SUCH
 REGULATIONS APPLICABLE TO FINANCIAL SERVICES COMPANIES. THE  SUPERINTEN-
 DENT  SHALL  REVIEW  THE ACCURACY AND REASONABLENESS OF THE ATTESTATION.
 UNLESS THE SUPERINTENDENT OBJECTS TO THE ATTESTATION WITHIN  SIXTY  DAYS
 FROM  THE  DATE  IT  IS  SUBMITTED,  SUCH  ATTESTATION  SHALL  BE DEEMED
 APPROVED.

   § 2. This act shall take effect immediately.
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD15067-09-8

Comments

Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.

Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.

Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Senate Bill S7940B

Share this bill

Sponsored By

James L. Seward

Archive: Last Bill Status Via A10486 - Vetoed by Governor

Bill Amendments

co-Sponsors

Fred Akshar

2017-S7940 - Details

2017-S7940 - Summary

2017-S7940 - Sponsor Memo

2017-S7940 - Bill Text download pdf

co-Sponsors

Fred Akshar

2017-S7940A - Details

2017-S7940A - Summary

2017-S7940A - Sponsor Memo

2017-S7940A - Bill Text download pdf

co-Sponsors

Fred Akshar

William Larkin

2017-S7940B (ACTIVE) - Details

2017-S7940B (ACTIVE) - Summary

2017-S7940B (ACTIVE) - Sponsor Memo

2017-S7940B (ACTIVE) - Bill Text download pdf

Comments