[ ] is old law to be omitted.
LBD03808-01-9
A. 465 2
WITH CUSTOMARILY ACCEPTED SAFEGUARDS, STANDARDS, PROTOCOLS AND BEST
PRACTICES; PROTECT AGAINST UNAUTHORIZED ACCESS, THREATS OR HAZARDS TO
THE SECURITY OR INTEGRITY OF SUCH INFORMATION AS BEST AS CAN BE ANTIC-
IPATED; AND PROTECT AGAINST UNAUTHORIZED ACCESS TO, OR THE UNAUTHORIZED
USE OF, SUCH INFORMATION THAT MAY RESULT IN SERIOUS, SIGNIFICANT OR
SUBSTANTIAL HARM OR INCONVENIENCE. THE LEGISLATURE ADDITIONALLY FINDS
AND DETERMINES THAT TO PROMOTE IMPROVED PROTECTION OF PERSONAL INFORMA-
TION THE STATE TECHNOLOGY LAW SHOULD BE AMENDED TO ESTABLISH SAFEGUARDS,
STANDARDS, PROTOCOLS AND BEST PRACTICES FOR THE PROTECTION OF PERSONAL
INFORMATION BY PUBLIC AND PRIVATE ENTITIES, AND THIS CHAPTER SHOULD BE
AMENDED TO ESTABLISH A PERSONAL INFORMATION BILL OF RIGHTS, WITH SUCH
BEING PUBLISHED AND POSTED BY THE OFFICE OF GENERAL SERVICES.
§ 46. PERSONAL INFORMATION BILL OF RIGHTS. THE STATE OF NEW YORK
HEREBY ESTABLISHES A PERSONAL INFORMATION BILL OF RIGHTS, TO DECLARE THE
RIGHT OF ALL NEW YORKERS TO HAVE THEIR PERSONAL INFORMATION, SUCH AS,
BUT NOT LIMITED TO, PERSONAL IDENTIFYING INFORMATION, PROTECTED AS
FOLLOWS:
1. THAT ALL PERSONS OR ENTITIES THAT RECEIVE AND MAINTAIN CUSTODY OF
PERSONAL INFORMATION SHALL HAVE A LEGAL DUTY TO PROTECT SUCH INFORMATION
FROM UNAUTHORIZED ACCESS AND/OR UNAUTHORIZED USE.
2. THAT ALL PERSONS OR ENTITIES THAT RECEIVE AND MAINTAIN CUSTODY OF
PERSONAL INFORMATION, IN ORDER TO PROTECT THE PERSONAL INFORMATION OVER
WHICH THEY MAINTAIN CUSTODY, SHALL ESTABLISH A COMPREHENSIVE SECURITY
PROGRAM, WITH SAFEGUARDS, STANDARDS, PROTOCOLS AND BEST PRACTICES.
3. THAT THE OFFICE OF INFORMATION TECHNOLOGY SERVICES, IN ORDER TO
FACILITATE THE ESTABLISHMENT OF QUALITY COMPREHENSIVE SECURITY PROGRAMS,
SHALL DESIGN, PRODUCE AND PUBLISH MODEL COMPREHENSIVE SECURITY PROGRAMS,
WITH SAFEGUARDS, STANDARDS, PROTOCOLS AND BEST PRACTICES, TO PROVIDE FOR
THE PROTECTION OF PERSONAL INFORMATION HELD BY PERSONS AND ENTITIES,
WITH SUCH MODEL PROGRAMS TAILORED TO THE SIZE AND SCOPE OF ALL SUCH
PERSONS OR ENTITIES.
4. THAT THE OFFICE OF INFORMATION TECHNOLOGY SERVICES SHALL FURTHER
APPROVE THE COMPREHENSIVE SECURITY PROGRAM OF ALL AGENCIES OF STATE
GOVERNMENT, AND ALL REGULATORY AGENCIES OF STATE GOVERNMENT SHALL
APPROVE THE COMPREHENSIVE SECURITY PROGRAM OF EACH OF THEIR RESPECTIVE
REGULATED ENTITIES.
5. THAT THE OFFICE OF INFORMATION TECHNOLOGY SERVICES SHALL ADDI-
TIONALLY INCORPORATE COMPUTER SYSTEM SECURITY REQUIREMENTS WITHIN ITS
MODEL COMPREHENSIVE SECURITY PROGRAMS, AND SHALL REQUIRE SUCH SAFE-
GUARDS, STANDARDS, PROTOCOLS AND BEST PRACTICES TO BE INCLUDED WITHIN
ALL APPROVED SECURITY PROGRAMS.
6. THAT ALL PERSONS AND ENTITIES THAT RECEIVE AND MAINTAIN CUSTODY OF
PERSONAL INFORMATION SHALL HAVE A LEGAL DUTY TO NOTIFY THE DIVISION OF
STATE POLICE WITHIN TEN DAYS OF THEIR DISCOVERY OF ANY BREACH OF SECURI-
TY OF THE PERSONAL INFORMATION UNDER THEIR CUSTODY, AND ALL PERSONS AND
ENTITIES THAT ARE REQUIRED TO HAVE THEIR COMPREHENSIVE SECURITY PROGRAM
APPROVED, SHALL HAVE A LEGAL DUTY TO ALSO NOTIFY THE APPROVING ENTITY
WITHIN FIVE DAYS OF THEIR DISCOVERY OF ANY BREACH OF SECURITY OF THE
PERSONAL INFORMATION UNDER THEIR CUSTODY.
7. THAT IN THE EVENT A SECURITY BREACH OF PERSONAL INFORMATION IS
DISCOVERED THAT WILL ADVERSELY IMPACT A PERSONAL INFORMATION SUBJECT,
THE PERSON OR ENTITY THAT MAINTAINED CUSTODY OF SUCH PERSONAL INFORMA-
TION SHALL FURTHER BE REQUIRED TO NOTIFY ALL SUCH PERSONAL INFORMATION
SUBJECTS OF THE FACT THAT THERE HAS BEEN A BREACH OF SECURITY INVOLVING
THEIR PERSONAL INFORMATION.
A. 465 3
8. THAT IN THE EVENT A SECURITY BREACH OF PERSONAL INFORMATION IS
DISCOVERED THAT WILL ADVERSELY IMPACT A PERSONAL INFORMATION SUBJECT,
AND THE PERSON OR ENTITY THAT MAINTAINED CUSTODY OF SUCH PERSONAL INFOR-
MATION DID NOT ESTABLISH OR MAINTAIN A COMPREHENSIVE SECURITY PROGRAM,
OR DID NOT SUBSTANTIALLY FOLLOW THE SAFEGUARDS, STANDARDS, PROTOCOLS
AND/OR BEST PRACTICES CONTAINED WITHIN SUCH PROGRAM, THEN THE PERSONAL
INFORMATION SUBJECT SHALL BE ENTITLED TO BRING AN ACTION AGAINST, AND
MAINTAIN A RECOVERY FROM, THE PERSON OR ENTITY THAT MAINTAINED CUSTODY
OF SUCH PERSONAL INFORMATION, TOGETHER WITH COSTS, DISBURSEMENTS AND
ATTORNEY FEES.
9. THAT IN THE EVENT A SECURITY BREACH OF PERSONAL INFORMATION IS
DISCOVERED THAT WILL ADVERSELY IMPACT A PERSONAL INFORMATION SUBJECT,
AND THE PERSON OR ENTITY THAT MAINTAINED CUSTODY OF SUCH PERSONAL INFOR-
MATION DID ESTABLISH AND SUBSTANTIALLY MAINTAIN A COMPREHENSIVE SECURITY
PROGRAM, AND DID SUBSTANTIALLY FOLLOW THE SAFEGUARDS, STANDARDS, PROTO-
COLS AND BEST PRACTICES CONTAINED WITHIN SUCH PROGRAM, THEN THE PERSON
OR ENTITY THAT MAINTAINED CUSTODY OF SUCH PERSONAL INFORMATION SHALL BE
ENTITLED TO A DEFENSE AGAINST ANY ACTION BROUGHT BY A PERSONAL INFORMA-
TION SUBJECT.
10. THAT TO FURTHER PROTECT THE SECURITY OF PERSONAL INFORMATION, THE
OFFICE OF INFORMATION TECHNOLOGY SERVICES SHALL FURTHER ESTABLISH AND
MAINTAIN AN INFORMATION SHARING AND ANALYSIS PROGRAM, TO INCREASE THE
VOLUME, TIMELINESS, AND QUALITY OF CYBER THREAT INFORMATION SHARED WITH
STATE PUBLIC AND PRIVATE SECTOR ENTITIES SO THAT THESE ENTITIES MAY
BETTER PROTECT AND DEFEND THEMSELVES AGAINST CYBER THREATS AND TO
PROMOTE THE DEVELOPMENT OF EFFECTIVE DEFENSES AND STRATEGIES TO COMBAT,
AND PROTECT AGAINST, CYBER THREATS AND ATTACKS, AND THEREBY BETTER
PROTECT PERSONAL INFORMATION STORED AND/OR MAINTAINED IN ELECTRONIC
FORMAT.
§ 47. PUBLICATION AND POSTING OF THE PERSONAL INFORMATION BILL OF
RIGHTS. THE OFFICE OF GENERAL SERVICES SHALL PUBLISH AND PROMINENTLY
POST IN ALL STATE OFFICES, A COPY OF THE PERSONAL INFORMATION BILL OF
RIGHTS ESTABLISHED IN THIS ARTICLE. IT SHALL FURTHER PRINT AND PRODUCE A
PAMPHLET ON SUCH PERSONAL INFORMATION BILL OF RIGHTS FOR DISTRIBUTION
ACROSS THE STATE. THE OFFICE OF GENERAL SERVICES MAY SELL ADVERTISING TO
BE INCLUDED ON SUCH PAMPHLET TO REDUCE THE COST OF THE PRODUCTION AND
DISTRIBUTION OF THE SAME.
§ 3. The state technology law is amended by adding a new article 4 to
read as follows:
ARTICLE IV
SAFEGUARDS, STANDARDS, PROTOCOLS AND BEST PRACTICES
FOR THE PROTECTION OF PERSONAL INFORMATION
SECTION 401. DEFINITIONS OF TERMS.
402. DUTY TO PROTECT PERSONAL INFORMATION.
403. COMPREHENSIVE SECURITY PROGRAM SAFEGUARDS, STANDARDS,
PROTOCOLS AND BEST PRACTICES.
404. DEVELOPMENT OF SECURITY PROGRAM SAFEGUARDS, STANDARDS,
PROTOCOLS AND BEST PRACTICES.
405. APPROVAL OF COMPREHENSIVE SECURITY PROGRAMS.
406. COMPUTER SYSTEM SECURITY REQUIREMENTS.
407. BREACH OF SECURITY.
408. CAUSES OF ACTION.
409. LIABILITY PROTECTION.
410. INFORMATION SHARING AND ANALYSIS PROGRAM.
A. 465 4
§ 401. DEFINITIONS OF TERMS. THE FOLLOWING DEFINITIONS ARE APPLICABLE
TO THIS ARTICLE, EXCEPT WHERE DIFFERENT MEANINGS ARE EXPRESSLY SPECI-
FIED:
1. "PERSONAL INFORMATION SUBJECT" MEANS ANY NATURAL PERSON WHO HAS HIS
OR HER PERSONAL INFORMATION COLLECTED OR MAINTAINED BY A PERSONAL INFOR-
MATION RECIPIENT.
2. "PERSONAL INFORMATION RECIPIENT" MEANS ANY NATURAL PERSON, CORPO-
RATION, PARTNERSHIP, LIMITED LIABILITY COMPANY, UNINCORPORATED ASSOCI-
ATION, GOVERNMENT, OR OTHER ENTITY, THAT, IN THE COURSE OF THEIR
PERSONAL, BUSINESS, COMMERCIAL, CORPORATE, ASSOCIATION OR GOVERNMENTAL
OPERATIONS, COLLECTS, RECEIVES, STORES, MAINTAINS, PROCESSES, OR OTHER-
WISE HAS ACCESS TO, PERSONAL INFORMATION.
3. "PERSONAL INFORMATION COLLECTOR" MEANS ANY PERSONAL INFORMATION
RECIPIENT, THAT DOES NOT MAINTAIN OR STORE SUCH PERSONAL INFORMATION, OR
MAINTAIN ACCESS TO SUCH PERSONAL INFORMATION, FOR MORE THAN FIVE
MINUTES, AND WAS PROVIDED WITH THE PERSONAL INFORMATION BY THE PERSONAL
INFORMATION SUBJECT.
4. "PERSONAL INFORMATION HOLDER" MEANS ANY PERSONAL INFORMATION RECIP-
IENT, THAT MAINTAINS OR STORES SUCH PERSONAL INFORMATION, OR MAINTAINS
ACCESS TO SUCH PERSONAL INFORMATION, FOR MORE THAN FIVE MINUTES, AND WAS
PROVIDED WITH THE PERSONAL INFORMATION BY THE PERSONAL INFORMATION
SUBJECT.
5. "THIRD PARTY PERSONAL INFORMATION HOLDER" MEANS ANY PERSONAL INFOR-
MATION RECIPIENT, THAT AGREES TO COLLECT, RECEIVE, STORE, MAINTAIN,
PROCESS, OR OTHERWISE HAVE ACCESS TO, PERSONAL INFORMATION, AND WAS
PROVIDED WITH SUCH PERSONAL INFORMATION FROM A PERSONAL INFORMATION
COLLECTOR, A PERSONAL INFORMATION HOLDER, OR ANOTHER THIRD PARTY
PERSONAL INFORMATION HOLDER.
6. "PERSONAL INFORMATION" (A) MEANS ANY INFORMATION, INCLUDING PAPER-
BASED INFORMATION OR ELECTRONIC INFORMATION, THAT CONTAINS A NEW YORK
STATE RESIDENT'S FIRST NAME AND LAST NAME, OR A NEW YORK STATE RESI-
DENT'S FIRST INITIAL AND LAST NAME, IN COMBINATION WITH ANY ONE OR MORE
OF THE FOLLOWING OTHER INFORMATIONAL ELEMENTS THAT RELATE TO SUCH RESI-
DENT:
(1) A GOVERNMENTALLY ISSUED IDENTIFICATION NUMBER, INCLUDING:
(I) SOCIAL SECURITY NUMBER;
(II) DRIVER'S LICENSE NUMBER;
(III) STATE ISSUED IDENTIFICATION CARD NUMBER;
(IV) MILITARY IDENTIFICATION CARD NUMBER;
(V) STUDENT IDENTIFICATION NUMBER; OR
(VI) A UNITED STATES PASSPORT NUMBER;
(2) PERSONAL FINANCIAL INFORMATION, INCLUDING:
(I) FINANCIAL ACCOUNT INFORMATION, INCLUDING:
(A) BANK ACCOUNT INFORMATION;
(B) INVESTMENT ACCOUNT INFORMATION;
(C) RETIREMENT ACCOUNT INFORMATION;
(D) DEFERRED COMPENSATION ACCOUNT INFORMATION;
(E) MORTGAGE ACCOUNT INFORMATION;
(F) CAR LOAN ACCOUNT INFORMATION;
(G) CREDIT LINE ACCOUNT INFORMATION;
(H) PERSONAL LOAN ACCOUNT INFORMATION; OR
(I) ANY OTHER MONETARY FUND OR LOAN ACCOUNT INFORMATION; INCLUDING:
(I) THE NUMBER OF SUCH FINANCIAL ACCOUNT;
(II) ANY RECORD OF SUCH FINANCIAL ACCOUNT;
(III) A TRANSACTION HISTORY OF SUCH ACCOUNT;
(IV) A BALANCE OF SUCH ACCOUNT; AND/OR
A. 465 5
(V) ANY SECURITY CODE, ACCESS CODE, PERSONAL IDENTIFICATION NUMBER OR
PASSWORD, THAT WOULD PERMIT ACCESS TO, OR USE OF, SUCH FINANCIAL
ACCOUNT;
(II) CREDIT OR DEBIT CARD INFORMATION, INCLUDING:
(A) THE NUMBER OF SUCH CREDIT CARD OR DEBIT CARD;
(B) THE EXPIRATION DATE OF SUCH CREDIT OR DEBIT CARD;
(C) THE CARD VERIFICATION VALUE CODE NUMBER OF SUCH CREDIT OR DEBIT
CARD;
(D) ANY RECORD OF SUCH CREDIT OR DEBIT CARD ACCOUNT;
(E) ANY TRANSACTION HISTORY OF SUCH CREDIT OR DEBIT CARD;
(F) ANY BALANCE OF SUCH CREDIT OR DEBIT CARD; AND/OR
(G) ANY REQUIRED SECURITY CODE, ACCESS CODE, PERSONAL IDENTIFICATION
NUMBER OR PASSWORD, THAT WOULD PERMIT ACCESS TO, OR USE OF, SUCH CREDIT
OR DEBIT CARD; OR
(III) CREDIT STATUS INFORMATION, INCLUDING:
(A) CREDIT SCORE;
(B) CREDIT HISTORY; OR
(C) ANY INFORMATION DESCRIBING CREDIT TRANSACTIONS OF THE PERSONAL
INFORMATION SUBJECT;
(3) PHYSICAL CHARACTERISTIC INFORMATION, INCLUDING:
(I) THE HEIGHT OF THE PERSONAL INFORMATION SUBJECT;
(II) THE WEIGHT OF THE PERSONAL INFORMATION SUBJECT;
(III) THE HAIR COLOR OF THE PERSONAL INFORMATION SUBJECT;
(IV) THE EYE COLOR OF THE PERSONAL INFORMATION SUBJECT; AND/OR
(V) ANY OTHER DISTINGUISHING CHARACTERISTICS OF THE PERSONAL INFORMA-
TION SUBJECT;
(4) BIOMETRIC INFORMATION, INCLUDING:
(I) FINGERPRINTS OF THE PERSONAL INFORMATION SUBJECT;
(II) VOICE-PRINTS OF THE PERSONAL INFORMATION SUBJECT;
(III) EYE SCANS OF THE PERSONAL INFORMATION SUBJECT;
(IV) BLOOD SAMPLES OF THE PERSONAL INFORMATION SUBJECT;
(V) DEOXYRIBONUCLEIC ACID (DNA) BASED SAMPLES OF THE PERSONAL INFORMA-
TION SUBJECT;
(VI) SKIN SAMPLES OF THE PERSONAL INFORMATION SUBJECT;
(VII) HAIR SAMPLES OF THE PERSONAL INFORMATION SUBJECT; AND/OR
(VIII) ANY OTHER BIOMETRIC INFORMATION WHICH IS INTENDED OR COLLECTED
FOR THE PURPOSE OF IDENTIFICATION OF THE PERSONAL INFORMATION SUBJECT;
OR
(5) MEDICAL INFORMATION, INCLUDING BUT NOT LIMITED TO, ANY INFORMATION
COLLECTED OR MAINTAINED ABOUT A PERSONAL INFORMATION SUBJECT PURSUANT TO
EXAMINATION, TESTING OR TREATMENT FOR PHYSICAL OR MENTAL ILLNESS OR
WELLNESS, OR ANY OTHER INFORMATION COLLECTED OR MAINTAINED ON A PERSONAL
INFORMATION SUBJECT BY A HEALTH CARE PROVIDER OR HEALTH CARE INSURER;
(B) SHALL NOT INCLUDE:
(1) PERSONAL INFORMATION THAT IS LAWFULLY OBTAINED FROM PUBLICLY
AVAILABLE INFORMATION, OR FROM FEDERAL, STATE OR LOCAL GOVERNMENT
RECORDS LAWFULLY MADE AVAILABLE TO THE GENERAL PUBLIC; OR
(2) PAPER-BASED INFORMATION THAT HAS BEEN INTENTIONALLY DISCARDED OR
ABANDONED BY THE PERSONAL INFORMATION SUBJECT.
7. "BREACH OF SECURITY" MEANS THE UNAUTHORIZED ACCESS, VIEWING, ACQUI-
SITION, COPYING, DUPLICATION, REMOVAL OR ANY OTHER USE OF PERSONAL
INFORMATION, EITHER IN UNENCRYPTED FORM OR IN ENCRYPTED FORM TOGETHER
WITH THE CONFIDENTIAL PROCESS OR KEY THAT IS CAPABLE OF COMPROMISING THE
SECURITY, CONFIDENTIALITY, OR INTEGRITY OF PERSONAL INFORMATION. A GOOD
FAITH UNAUTHORIZED ACCESS, VIEWING OR ACQUISITION OF PERSONAL INFORMA-
TION, FOR THE LAWFUL PURPOSES OF A PERSONAL INFORMATION COLLECTOR, SHALL
A. 465 6
NOT BE DEEMED TO BE A BREACH OF SECURITY UNLESS THE PERSONAL INFORMATION
IS THEREAFTER USED IN AN UNAUTHORIZED MANNER OR IS SUBJECT TO FURTHER
UNAUTHORIZED DISCLOSURE, AS A RESULT OF SUCH GOOD FAITH UNAUTHORIZED
ACCESS OR ACQUISITION.
8. "RECORD" MEANS ANY INFORMATION UPON WHICH WRITTEN, DRAWN, SPOKEN,
VISUAL, OR ELECTROMAGNETIC DATA OR IMAGES ARE RECORDED OR PRESERVED,
EITHER AS PAPER-BASED INFORMATION OR ELECTRONIC INFORMATION.
9. "PAPER-BASED INFORMATION" MEANS PERSONAL INFORMATION COLLECTED OR
MAINTAINED VIA PAPER, WRITING OR OTHER DRAWING MEDIUM, OR ANY OTHER
PHYSICAL BASED, TANGIBLE, RECORDING MEDIUM.
10. "ELECTRONIC INFORMATION" MEANS PERSONAL INFORMATION COLLECTED OR
MAINTAINED VIA COMPUTER, TELEPHONE, INTERNET, COMPUTER NETWORK OR OTHER
ELECTRICAL, DIGITAL, MAGNETIC, WIRELESS, OPTICAL, ELECTROMAGNETIC OR
SIMILAR DEVICE.
11. "ENCRYPTION" MEANS THE TRANSFORMATION OF DATA INTO A FORM IN WHICH
THE MEANING OF SUCH DATA CANNOT BE ACCESSED WITHOUT THE USE OF A CONFI-
DENTIAL PROCESS OR KEY.
12. "OFFICE" MEANS THE OFFICE OF INFORMATION TECHNOLOGY SERVICES.
§ 402. DUTY TO PROTECT PERSONAL INFORMATION. EVERY PERSONAL INFORMA-
TION RECIPIENT SHALL HAVE A LEGAL DUTY TO PROTECT THE SECURITY AND
INTEGRITY OF ALL PERSONAL INFORMATION IN THEIR CUSTODY FROM UNAUTHORIZED
ACCESS OR UNAUTHORIZED USE.
§ 403. COMPREHENSIVE SECURITY PROGRAM SAFEGUARDS, STANDARDS, PROTOCOLS
AND BEST PRACTICES. 1. COMPREHENSIVE SECURITY PROGRAMS FOR PERSONAL
INFORMATION RECIPIENTS. EVERY PERSONAL INFORMATION RECIPIENT SHALL
DEVELOP, IMPLEMENT, AND MAINTAIN A COMPREHENSIVE PERSONAL INFORMATION
SECURITY PROGRAM THAT IS WRITTEN IN ONE OR MORE READILY ACCESSIBLE
PARTS, AND CONTAINS ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS,
STANDARDS, PROTOCOLS AND BEST PRACTICES DETAILING THE MEANS, METHODS AND
PRACTICES TO BE USED REGARDING THE PERSONAL INFORMATION RECIPIENT'S
OBLIGATIONS TO SAFEGUARD, PROTECT AND SECURE THE PERSONAL INFORMATION
UNDER SUCH COMPREHENSIVE INFORMATION SECURITY PROGRAM, APPROPRIATE TO:
(A) THE SIZE, SCOPE AND TYPE OF THE PERSONAL, BUSINESS, COMMERCIAL,
CORPORATE, ASSOCIATION OR GOVERNMENTAL OPERATION OF THE PERSONAL INFOR-
MATION RECIPIENT;
(B) THE AMOUNT OF VOLUNTEERS, EMPLOYEES AND/OR FINANCIAL RESOURCES
AVAILABLE TO SUCH PERSONAL INFORMATION RECIPIENT;
(C) THE AMOUNT OF PERSONAL INFORMATION IN THE CUSTODY OF THE PERSONAL
INFORMATION RECIPIENT; AND
(D) THE NEED FOR SECURITY AND CONFIDENTIALITY OF THE PERSONAL INFORMA-
TION.
2. SAFEGUARDS, STANDARDS, PROTOCOLS AND BEST PRACTICES FOR PROTECTION
OF PERSONAL INFORMATION. THE SAFEGUARDS, STANDARDS, PROTOCOLS AND BEST
PRACTICES CONTAINED IN THE COMPREHENSIVE PERSONAL INFORMATION SECURITY
PROGRAM REQUIRED BY THIS SECTION SHALL BE CONSISTENT WITH THE SAFE-
GUARDS, STANDARDS, PROTOCOLS AND BEST PRACTICES FOR PROTECTION OF
PERSONAL INFORMATION, CONTAINED WITHIN THE MODEL COMPREHENSIVE SECURITY
PROGRAMS PUBLISHED BY THE OFFICE IN ACCORDANCE WITH SECTION FOUR HUNDRED
FOUR OF THIS ARTICLE, OR AS SET FORTH IN ANY STATE OR FEDERAL REGU-
LATIONS PRODUCED BY AN EXECUTIVE AGENCY UNDER WHICH THE HOLDER OF
PERSONAL INFORMATION MAY BE REGULATED.
3. COMPREHENSIVE PERSONAL INFORMATION SECURITY PROGRAMS MAY BE INDI-
VIDUALLY TAILORED. THE REQUIREMENT SET FORTH IN SUBDIVISION TWO OF THIS
SECTION, THAT THE SAFEGUARDS, STANDARDS, PROTOCOLS AND BEST PRACTICES
CONTAINED IN THE COMPREHENSIVE PERSONAL INFORMATION SECURITY PROGRAM
SHALL BE CONSISTENT WITH THE SAFEGUARDS, STANDARDS, PROTOCOLS AND BEST
A. 465 7
PRACTICES FOR PROTECTION OF PERSONAL INFORMATION CONTAINED WITHIN THE
MODEL COMPREHENSIVE SECURITY PROGRAMS PUBLISHED BY THE OFFICE IN ACCORD-
ANCE WITH SECTION FOUR HUNDRED FOUR OF THIS ARTICLE, SHALL NOT REQUIRE
THAT THE PERSONAL INFORMATION RECIPIENT MUST ADOPT A MODEL COMPREHENSIVE
PERSONAL INFORMATION SECURITY PROGRAM PUBLISHED BY THE OFFICE IN ORDER
TO DEVELOP, IMPLEMENT AND MAINTAIN A COMPREHENSIVE PERSONAL INFORMATION
SECURITY PROGRAM THAT IS IN COMPLIANCE WITH THIS ARTICLE. ANY INDIVID-
UALLY TAILORED COMPREHENSIVE PERSONAL INFORMATION SECURITY PROGRAM THAT
PROVIDES BETTER OR EQUAL SAFEGUARDS, STANDARDS, PROTOCOLS AND BEST PRAC-
TICES FOR PROTECTION OF PERSONAL INFORMATION THAN A MODEL COMPREHENSIVE
PERSONAL INFORMATION SECURITY PROGRAM PUBLISHED BY THE OFFICE IN ACCORD-
ANCE WITH SECTION FOUR HUNDRED FOUR OF THIS ARTICLE, FOR A PERSON OR
ENTITY OF EQUIVALENT SIZE AND SCOPE AS THE PERSON OR ENTITY SEEKING TO
DEVELOP, IMPLEMENT OR MAINTAIN AN INDIVIDUALLY TAILORED COMPREHENSIVE
PERSONAL INFORMATION SECURITY PROGRAM, SHALL BE DEEMED IN COMPLIANCE
WITH THIS ARTICLE.
4. INDIVIDUALLY TAILORED COMPREHENSIVE PERSONAL INFORMATION SECURITY
PROGRAMS. ANY PERSONAL INFORMATION RECIPIENT THAT WISHES TO DEVELOP,
IMPLEMENT AND MAINTAIN AN INDIVIDUALLY TAILORED COMPREHENSIVE PERSONAL
INFORMATION SECURITY PROGRAM THAT IS NOT A MODEL COMPREHENSIVE PERSONAL
INFORMATION SECURITY PROGRAM PUBLISHED BY THE OFFICE, MAY SUBMIT THEIR
INDIVIDUALLY TAILORED PROGRAM TO THE OFFICE FOR A SECURITY REVIEW TO
DETERMINE, AND OBTAIN APPROVAL FROM THE OFFICE, THAT SUCH INDIVIDUALLY
TAILORED PROGRAM PROVIDES BETTER OR EQUAL SAFEGUARDS, STANDARDS, PROTO-
COLS AND BEST PRACTICES FOR PROTECTION OF PERSONAL INFORMATION, THAN A
MODEL COMPREHENSIVE PERSONAL INFORMATION SECURITY PROGRAM PUBLISHED BY
THE OFFICE FOR A PERSON OR ENTITY OF EQUIVALENT SIZE AND SCOPE OF THE
PERSON OR ENTITY SEEKING TO DEVELOP, IMPLEMENT OR MAINTAIN THE INDIVID-
UALLY TAILORED COMPREHENSIVE PERSONAL INFORMATION SECURITY PROGRAM. IF
THE OFFICE DETERMINES THAT SUCH INDIVIDUALLY TAILORED PROGRAM SUBMITTED
FOR SECURITY REVIEW AND APPROVAL DOES NOT PROVIDE SUCH BETTER OR EQUAL
SAFEGUARDS, STANDARDS, PROTOCOLS AND BEST PRACTICES FOR PROTECTION OF
PERSONAL INFORMATION, THE OFFICE SHALL SPECIFY, WITH DETAIL, THEIR
REASONS FOR DENIAL OF APPROVAL OF SUCH PLAN, TOGETHER WITH RECOMMENDA-
TIONS ON HOW SUCH PLAN CAN BE AMENDED TO BE IN COMPLIANCE WITH THIS
ARTICLE AND PROVIDE SUCH BETTER OR EQUAL SAFEGUARDS, STANDARDS, PROTO-
COLS AND BEST PRACTICES FOR PROTECTION OF PERSONAL INFORMATION. IF THE
OFFICE DOES NOT PROVIDE THE PERSON OR ENTITY THAT HAS SUBMITTED THEIR
INDIVIDUALLY TAILORED PLAN FOR REVIEW AND APPROVAL, WITH AN APPROVAL OR
SUCH DETAILED DENIAL OF APPROVAL OF THE INDIVIDUALLY TAILORED PLAN,
WITHIN NINETY DAYS OF THE SUBMISSION, THEN SUCH INDIVIDUALLY TAILORED
PLAN SHALL BE DEEMED APPROVED.
5. FAILURE TO SUBMIT AN INDIVIDUALLY TAILORED PROGRAM FOR APPROVAL.
THE FAILURE OF A PERSON OR ENTITY TO SUBMIT AN INDIVIDUALLY TAILORED
COMPREHENSIVE PERSONAL INFORMATION SECURITY PROGRAM TO THE OFFICE FOR A
SECURITY REVIEW AND APPROVAL, AS PROVIDED BY SUBDIVISION FOUR OF THIS
SECTION, SHALL NOT REQUIRE A COURT IN ACCORDANCE WITH SECTION FOUR
HUNDRED EIGHT OR FOUR HUNDRED NINE OF THIS ARTICLE, TO DEEM SUCH INDI-
VIDUALLY TAILORED PLAN AS NOT IN COMPLIANCE WITH THIS ARTICLE. SUCH
FAILURE, SHALL HOWEVER, REQUIRE THE COURT TO DETERMINE WHETHER SUCH
INDIVIDUALLY TAILORED PLAN IN QUESTION WAS ACTUALLY DESIGNED TO PROVIDE
BETTER OR EQUAL SAFEGUARDS, STANDARDS, PROTOCOLS AND BEST PRACTICES FOR
PROTECTION OF PERSONAL INFORMATION THAN A MODEL COMPREHENSIVE PERSONAL
INFORMATION SECURITY PROGRAM PUBLISHED BY THE OFFICE FOR A PERSON OR
ENTITY OF EQUIVALENT SIZE AND SCOPE AS THE DEFENDANT, BEFORE SUCH COURT
A. 465 8
WILL GRANT SUCH DEFENDANT THE LIABILITY PROTECTIONS CONTAINED WITHIN
SECTION FOUR HUNDRED NINE OF THIS ARTICLE.
§ 404. DEVELOPMENT OF SECURITY PROGRAM SAFEGUARDS, STANDARDS, PROTO-
COLS AND BEST PRACTICES. 1. THE OFFICE SHALL PUBLISH MODEL COMPREHEN-
SIVE SECURITY PROGRAMS CONTAINING RECOMMENDED STANDARDS, SAFEGUARDS,
PROTOCOLS AND BEST PRACTICES FOR PERSONAL INFORMATION RECIPIENTS. SUCH
MODEL PLANS SHALL BE TAILORED IN CONSIDERATION OF THE FOLLOWING FACTORS
OF THE PERSONAL INFORMATION RECIPIENT:
(A) THE SIZE, SCOPE AND TYPE OF THE PERSONAL, BUSINESS, COMMERCIAL,
CORPORATE, ASSOCIATION OR GOVERNMENTAL OPERATION OF THE PERSONAL INFOR-
MATION RECIPIENT;
(B) THE AMOUNT OF VOLUNTEERS, EMPLOYEES AND/OR FINANCIAL RESOURCES
AVAILABLE TO SUCH PERSONAL INFORMATION RECIPIENT;
(C) THE AMOUNT OF PERSONAL INFORMATION IN THE CUSTODY OF THE PERSONAL
INFORMATION RECIPIENT; AND
(D) THE NEED FOR SECURITY AND CONFIDENTIALITY OF THE PERSONAL INFORMA-
TION.
2. REQUIREMENTS FOR MODEL COMPREHENSIVE SECURITY PROGRAMS. EVERY MODEL
COMPREHENSIVE INFORMATION SECURITY PROGRAM SHALL INCLUDE, BUT SHALL NOT
BE LIMITED TO:
(A) DESIGNATING ONE OR MORE PERSONS, OR IN THE CASE OF A BUSINESS WITH
ONE OR MORE EMPLOYEES, TO MAINTAIN THE COMPREHENSIVE INFORMATION SECURI-
TY PROGRAM;
(B) CLEARLY IDENTIFYING AND ASSESSING REASONABLY FORESEEABLE INTERNAL
AND EXTERNAL RISKS TO THE SECURITY, CONFIDENTIALITY, AND/OR INTEGRITY OF
ANY ELECTRONIC INFORMATION, PAPER-BASED INFORMATION OR OTHER RECORDS
CONTAINING PERSONAL INFORMATION, IN THE CUSTODY OF THE PERSONAL INFORMA-
TION RECIPIENT, AND EVALUATING AND IMPROVING, WHERE NECESSARY, THE
EFFECTIVENESS OF THE CURRENT SAFEGUARDS, STANDARDS, PROTOCOLS AND BEST
PRACTICES CONTAINED WITHIN THE COMPREHENSIVE PERSONAL INFORMATION SECU-
RITY PROGRAM FOR LIMITING SUCH RISKS, INCLUDING BUT NOT LIMITED TO:
(1) ONGOING PERSONAL, VOLUNTEER, AND/OR EMPLOYEE TRAINING;
(2) PERSONAL, VOLUNTEER, AND/OR EMPLOYEE COMPLIANCE WITH POLICIES AND
PROCEDURES;
(3) THE MEANS FOR DETECTING AND PREVENTING SECURITY SYSTEM RISKS;
AND/OR
(4) THE MEANS FOR DETECTING AND PREVENTING SECURITY SYSTEM FAILURES;
(C) DEVELOPING SAFEGUARDS, STANDARDS, PROTOCOLS, BEST PRACTICES AND
SECURITY POLICIES FOR PERSONS, VOLUNTEERS AND/OR EMPLOYEES RELATING TO
THE STORAGE, ACCESS AND TRANSPORTATION OF RECORDS CONTAINING PERSONAL
INFORMATION ON THE PREMISES AND IN THE SYSTEMS AND RECORD STORAGE OF THE
PERSONAL INFORMATION RECIPIENT;
(D) DEVELOPING SAFEGUARDS, STANDARDS, PROTOCOLS, BEST PRACTICES AND
SECURITY POLICIES FOR PERSONS, VOLUNTEERS AND/OR EMPLOYEES RELATING TO
THE STORAGE, ACCESS AND TRANSPORTATION OF RECORDS CONTAINING PERSONAL
INFORMATION OUTSIDE THE PREMISES, SYSTEMS OR RECORD STORAGE OF THE
PERSONAL INFORMATION RECIPIENT;
(E) IMPOSING DISCIPLINARY MEASURES FOR VIOLATIONS OF THE COMPREHENSIVE
INFORMATION SECURITY PROGRAM RULES;
(F) PREVENTING DISASSOCIATED PERSONS OR VOLUNTEERS, AND/OR FORMER OR
TERMINATED EMPLOYEES FROM ACCESSING RECORDS CONTAINING PERSONAL INFORMA-
TION;
(G) OVERSIGHT OF THIRD PARTY PERSONAL INFORMATION RECIPIENTS, BY:
(1) TAKING REASONABLE STEPS TO SELECT AND RETAIN THIRD PARTY PERSONAL
INFORMATION RECIPIENTS THAT ARE CAPABLE OF MAINTAINING APPROPRIATE SECU-
RITY MEASURES, SAFEGUARDS, STANDARDS, PROTOCOLS AND BEST PRACTICES TO
A. 465 9
PROTECT SUCH PERSONAL INFORMATION, CONSISTENT WITH THIS ARTICLE AND ANY
OTHER APPLICABLE FEDERAL OR STATE STATUTES OR REGULATIONS; AND
(2) REQUIRING SUCH THIRD PARTY INFORMATION RECIPIENTS BY CONTRACT TO
IMPLEMENT AND MAINTAIN SUCH APPROPRIATE SECURITY MEASURES FOR PERSONAL
INFORMATION;
(H) REASONABLE RESTRICTIONS UPON PHYSICAL ACCESS TO ANY ELECTRONIC
INFORMATION, PAPER-BASED INFORMATION OR OTHER RECORDS CONTAINING
PERSONAL INFORMATION, AND STORAGE OF SUCH INFORMATION AND/OR RECORDS AND
DATA IN LOCKED, SECURE, AND/OR PROTECTED FACILITIES, STORAGE AREAS OR
CONTAINERS;
(I) REGULAR MONITORING TO ENSURE THAT THE COMPREHENSIVE INFORMATION
SECURITY PROGRAM IS OPERATING IN A MANNER REASONABLY CALCULATED TO
PREVENT UNAUTHORIZED ACCESS TO, OR UNAUTHORIZED USE OF, PERSONAL INFOR-
MATION; AND UPGRADING INFORMATION SAFEGUARDS, STANDARDS, PROTOCOLS AND
BEST PRACTICES AS NECESSARY TO LIMIT AND MINIMIZE SUCH RISKS;
(J) REVIEWING THE SCOPE OF THE SAFEGUARDS, STANDARDS, PROTOCOLS, BEST
PRACTICES AND SECURITY MEASURES, NOT LESS THAN QUARTERLY, OR WHENEVER
THERE IS A MATERIAL CHANGE IN THE PERSONAL, BUSINESS, COMMERCIAL, CORPO-
RATE, ASSOCIATION OR GOVERNMENTAL OPERATION PRACTICES OF THE PERSONAL
INFORMATION RECIPIENT THAT MAY REASONABLY EFFECT THE SECURITY OR INTEG-
RITY OF RECORDS CONTAINING PERSONAL INFORMATION;
(K) DOCUMENTING RESPONSIVE ACTIONS TO BE TAKEN IN CONNECTION WITH ANY
INCIDENT INVOLVING A BREACH OF SECURITY, AND MANDATORY POST-INCIDENT
REVIEW OF EVENTS AND ACTIONS TAKEN, IF ANY, TO MAKE CHANGES IN THE
PERSONAL, BUSINESS, COMMERCIAL, CORPORATE, ASSOCIATION OR GOVERNMENTAL
OPERATION PRACTICES OF THE PERSONAL INFORMATION RECIPIENT, RELATING TO
PROTECTION OF PERSONAL INFORMATION; AND
(L) DETAILING ALL PHYSICAL SECURITY, SAFEGUARDS, STANDARDS, PROTOCOLS,
AND BEST PRACTICES, AS WELL AS ALL ENCRYPTION METHODS THAT WILL BE USED
BY THE PERSONAL INFORMATION RECIPIENT TO SAFEGUARD THE PERSONAL INFORMA-
TION.
§ 405. APPROVAL OF COMPREHENSIVE SECURITY PROGRAMS. ON OR BEFORE THE
FIRST DAY OF APRIL, EVERY PERSONAL INFORMATION HOLDER AND EVERY THIRD
PARTY PERSONAL INFORMATION HOLDER, THAT IS A STATE GOVERNMENT AGENCY, OR
A CONTRACTOR PAID BY STATE GOVERNMENT, SHALL ANNUALLY SUBMIT ITS COMPRE-
HENSIVE PERSONAL INFORMATION SECURITY PROGRAM, FOR APPROVAL TO THE
OFFICE.
§ 406. COMPUTER SYSTEM SECURITY REQUIREMENTS. 1. COMPUTER SYSTEM
SECURITY PROGRAM. EVERY PERSONAL INFORMATION HOLDER OR THIRD PARTY
PERSONAL INFORMATION HOLDER WHO ELECTRONICALLY STORES OR TRANSMITS
PERSONAL INFORMATION SHALL INCLUDE IN ITS WRITTEN, COMPREHENSIVE INFOR-
MATION SECURITY PROGRAM THE ESTABLISHMENT AND MAINTENANCE OF A COMPUTER
SECURITY SYSTEM PROGRAM COVERING ALL OF ITS COMPUTERS, ELECTRONIC
SYSTEMS AND/OR NETWORKS, INCLUDING ANY WIRELESS SYSTEM.
2. MINIMUM STANDARDS FOR COMPUTER SYSTEM SECURITY PROGRAM. EVERY
PERSONAL INFORMATION HOLDER WITH MORE THAN FIFTY EMPLOYEES, OR WITH MORE
THAN ONE HUNDRED VOLUNTEERS, AND/OR WITH MORE THAN ONE MILLION DOLLARS
IN ANNUAL REVENUE, SHALL ADDITIONALLY, ESTABLISH A COMPUTER SYSTEM SECU-
RITY PROGRAM, THAT, AT A MINIMUM, AND TO THE EXTENT TECHNICALLY FEASI-
BLE, HAS THE FOLLOWING ELEMENTS:
(A) SECURE USER AUTHENTICATION PROTOCOLS INCLUDING:
(1) CONTROL OF USER IDS, USER NAMES, PASSWORDS AND OTHER UNIQUE IDEN-
TIFIERS;
(2) A REASONABLY SECURE METHOD OF ASSIGNING AND SELECTING PASSWORDS,
OR USE OF UNIQUE IDENTIFIER TECHNOLOGIES, SUCH AS BIOMETRICS OR TOKEN
DEVICES;
A. 465 10
(3) CONTROL OF DATA SECURITY PASSWORDS TO ENSURE THAT SUCH PASSWORDS
ARE KEPT IN A LOCATION AND/OR FORMAT THAT DOES NOT COMPROMISE THE SECU-
RITY OF THE DATA THEY PROTECT;
(4) A PROGRAM OF RESTRICTING ACCESS TO ACTIVE USERS AND ACTIVE USER
ACCOUNTS ONLY; AND
(5) A REQUIREMENT TO BLOCK ACCESS TO USER IDENTIFICATION AFTER MULTI-
PLE UNSUCCESSFUL ATTEMPTS TO GAIN ACCESS OR THE LIMITATION PLACED ON
ACCESS FOR THE PARTICULAR SYSTEM;
(B) SECURE ACCESS CONTROL MEASURES THAT:
(1) RESTRICT ACCESS TO RECORDS AND FILES CONTAINING PERSONAL INFORMA-
TION TO THOSE WHO NEED SUCH INFORMATION TO PERFORM THEIR JOB DUTIES; AND
(2) ASSIGN UNIQUE IDENTIFICATIONS PLUS PASSWORDS, WHICH ARE NOT VENDOR
SUPPLIED DEFAULT PASSWORDS, TO EACH PERSON WITH COMPUTER ACCESS, THAT
ARE REASONABLY DESIGNED TO MAINTAIN THE INTEGRITY OF THE SECURITY OF THE
ACCESS CONTROLS;
(C) ENCRYPTION OF ALL TRANSMITTED RECORDS AND FILES CONTAINING
PERSONAL INFORMATION THAT WILL TRAVEL ACROSS PUBLIC NETWORKS, OR AN
ALTERNATIVE SYSTEM OF DATA PROTECTION AND SECURITY THAT HAS BEEN
ACCEPTED BY COMPUTER INDUSTRY STANDARDS AS EQUIVALENT OR SUPERIOR;
(D) ENCRYPTION OF ALL DATA CONTAINING PERSONAL INFORMATION TO BE TRAN-
SMITTED WIRELESSLY, OR AN ALTERNATIVE SYSTEM OF DATA PROTECTION AND
SECURITY THAT HAS BEEN ACCEPTED BY COMPUTER INDUSTRY STANDARDS AS EQUIV-
ALENT OR SUPERIOR;
(E) REASONABLE MONITORING OF SYSTEMS, FOR UNAUTHORIZED USE OF OR
ACCESS TO PERSONAL INFORMATION;
(F) ENCRYPTION OF ALL PERSONAL INFORMATION STORED ON LAPTOPS OR OTHER
PORTABLE DEVICES, OR AN ALTERNATIVE SYSTEM OF DATA PROTECTION AND SECU-
RITY THAT HAS BEEN ACCEPTED BY COMPUTER INDUSTRY STANDARDS AS EQUIVALENT
OR SUPERIOR;
(G) PROTOCOLS FOR ESTABLISHING STATE OF THE ART, AIR-GAPPED SYSTEMS
FOR THE STORAGE AND MAINTENANCE OF PERSONAL INFORMATION, OR AN ALTERNA-
TIVE SYSTEM OF DATA PROTECTION AND SECURITY THAT HAS BEEN ACCEPTED BY
COMPUTER INDUSTRY STANDARDS AS EQUIVALENT OR SUPERIOR;
(H) FOR FILES CONTAINING PERSONAL INFORMATION ON A SYSTEM THAT IS
CONNECTED TO THE INTERNET, REASONABLY UP-TO-DATE FIREWALL PROTECTION AND
OPERATING SYSTEM SECURITY PATCHES, REASONABLY DESIGNED TO MAINTAIN THE
INTEGRITY OF THE PERSONAL INFORMATION, OR AN ALTERNATIVE SYSTEM OF DATA
PROTECTION AND SECURITY THAT HAS BEEN ACCEPTED BY COMPUTER INDUSTRY
STANDARDS AS EQUIVALENT OR SUPERIOR;
(I) REASONABLY UP-TO-DATE VERSIONS OF SYSTEM SECURITY AGENT SOFTWARE
WHICH INCLUDE MALWARE PROTECTION AND REASONABLY UP-TO-DATE PATCHES AND
VIRUS DEFINITIONS, OR A VERSION OF SUCH SOFTWARE THAT CAN STILL BE
SUPPORTED WITH UP-TO-DATE PATCHES AND VIRUS DEFINITIONS, SET TO RECEIVE
THE MOST CURRENT SECURITY UPDATES ON A REGULAR BASIS, OR AN ALTERNATIVE
SYSTEM OF DATA PROTECTION AND SECURITY THAT HAS BEEN ACCEPTED BY COMPUT-
ER INDUSTRY STANDARDS AS EQUIVALENT OR SUPERIOR; AND
(J) EDUCATION AND TRAINING OF PERSONS, VOLUNTEERS AND/OR EMPLOYEES ON
THE PROPER USE OF THE COMPUTER SECURITY SYSTEM AND THE IMPORTANCE OF
PERSONAL INFORMATION SECURITY.
3. REVIEW OF COMPUTER SYSTEM SECURITY PROGRAMS. EVERY PERSONAL INFOR-
MATION HOLDER OR THIRD PARTY PERSONAL INFORMATION HOLDER WHO ELECTRON-
ICALLY STORES OR TRANSMITS PERSONAL INFORMATION SHALL FURTHER REVIEW AND
UPDATE ITS WRITTEN, APPROVED, COMPREHENSIVE PERSONAL INFORMATION SECURI-
TY PROGRAM NOT LESS THAN ANNUALLY, TO INCLUDE ALL FEASIBLE RECENTLY
DEVELOPED TECHNOLOGICAL SAFEGUARDS, STANDARDS, PROTOCOLS AND BEST PRAC-
A. 465 11
TICES THAT COULD ENHANCE THE PROTECTION OF THE COLLECTION, STORAGE AND
MAINTENANCE OF SUCH PERSONAL INFORMATION.
§ 407. BREACH OF SECURITY. 1. NOTIFICATION TO THE DIVISION OF STATE
POLICE. IN ADDITION TO ANY OTHER REQUIREMENTS CONTAINED WITHIN ANY OTHER
PROVISION OF LAW, NOT LATER THAN TEN DAYS AFTER DISCOVERING A SECURITY
BREACH INVOLVING PERSONAL INFORMATION, ANY PERSONAL INFORMATION RECIPI-
ENT THAT HAS EXPERIENCED A BREACH OF SECURITY INVOLVING PERSONAL INFOR-
MATION, SHALL MAKE A COMPREHENSIVE REPORT TO THE DIVISION OF STATE
POLICE, IN THE FORM AND MANNER REQUIRED BY SUCH DIVISION, NOTIFYING THE
DIVISION OF STATE POLICE OF SUCH SECURITY BREACH.
2. NOTIFICATION OF COMPREHENSIVE PERSONAL INFORMATION SECURITY PROGRAM
APPROVAL ENTITY. IF SUCH PERSONAL INFORMATION RECIPIENT OR THIRD PARTY
PERSONAL INFORMATION RECIPIENT IS REQUIRED IN ACCORDANCE WITH SECTION
FOUR HUNDRED FIVE OF THIS ARTICLE TO OBTAIN APPROVAL OF ITS COMPREHEN-
SIVE PERSONAL INFORMATION SECURITY PROGRAM, THEN SUCH PERSONAL INFORMA-
TION RECIPIENT OR THIRD PARTY PERSONAL INFORMATION RECIPIENT SHALL ALSO
MAKE A COMPREHENSIVE REPORT TO THE ENTITY FROM WHICH THE PERSONAL INFOR-
MATION RECIPIENT OR THIRD PARTY INFORMATION RECIPIENT IS REQUIRED TO
OBTAIN APPROVAL FOR ITS COMPREHENSIVE PERSONAL INFORMATION SECURITY
PROGRAM, IN THE FORM AND MANNER REQUIRED BY SUCH APPROVAL ENTITY, NOTI-
FYING SUCH APPROVAL ENTITY OF THE SECURITY BREACH.
3. NOTIFICATION OF THE CHIEF INFORMATION OFFICER. NOT MORE THAN FIVE
DAYS AFTER RECEIVING THE NOTIFICATION REQUIRED PURSUANT TO SUBDIVISION
ONE OR TWO OF THIS SECTION, THE DIVISION OF STATE POLICE, AND/OR THE
ENTITY REQUIRED TO APPROVE THE COMPREHENSIVE PERSONAL INFORMATION SECU-
RITY PROGRAM PURSUANT TO SECTION FOUR HUNDRED FIVE OF THIS ARTICLE,
SHALL PROVIDE THE COMPREHENSIVE REPORT PROVIDED TO SUCH DIVISION AND/OR
APPROVAL ENTITY TO THE CHIEF INFORMATION OFFICER OF THE OFFICE. UPON
SUCH NOTIFICATION, THE CHIEF INFORMATION OFFICER SHALL ADD THE PERTINENT
INFORMATION CONCERNING SUCH BREACH TO THE INFORMATION SHARING AND ANALY-
SIS PROGRAM ESTABLISHED IN ACCORDANCE WITH SECTION FOUR HUNDRED TEN OF
THIS ARTICLE.
4. NOTIFICATION OF PERSONAL INFORMATION SUBJECTS. IN ADDITION TO ANY
OTHER REQUIREMENTS PURSUANT TO ANY OTHER PROVISION OF LAW, UPON THE
RECEIPT OF THE COMPREHENSIVE REPORT REQUIRED BY SUBDIVISION THREE OF
THIS SECTION, THE CHIEF INFORMATION OFFICER OF THE OFFICE MAY REQUIRE,
IN A SPECIFIED TIMEFRAME, AND IN A SPECIFIED FORM AND MANNER, THAT THE
PERSONAL INFORMATION RECIPIENT, OR THIRD PARTY PERSONAL INFORMATION
RECIPIENT, WHICH SUSTAINED THE BREACH OF SECURITY OF THE PERSONAL INFOR-
MATION, NOTIFY ALL PERSONAL INFORMATION SUBJECTS IMPACTED BY THE SECURI-
TY BREACH, OF THE FACT THAT THERE HAS BEEN A BREACH OF SECURITY INVOLV-
ING THEIR PERSONAL INFORMATION. IF THE CHIEF INFORMATION OFFICER
REASONABLY BELIEVES THAT THE PERSONAL INFORMATION SUBJECT WILL BE
ADVERSELY IMPACTED IN ANY MANNER BY THE DISCOVERED BREACH OF SECURITY,
THEN THE CHIEF INFORMATION OFFICER SHALL REQUIRE THAT THE PERSONAL
INFORMATION RECIPIENT, OR THIRD PARTY PERSONAL INFORMATION RECIPIENT,
NOTIFY ALL SUCH PERSONAL INFORMATION SUBJECTS, OF THE FACT THAT THERE
HAS BEEN A BREACH OF SECURITY INVOLVING THEIR PERSONAL INFORMATION.
§ 408. CAUSES OF ACTION. 1. LIMITATION ON CIVIL ACTIONS. ANY PERSONAL
INFORMATION SUBJECT MAY BRING A CIVIL ACTION, AGAINST A PERSONAL INFOR-
MATION HOLDER IN THE SUPREME COURT OF ANY COUNTY IN WHICH THE PERSONAL
INFORMATION RECIPIENT RESIDES OR CONDUCTS BUSINESS OPERATIONS, FOR
DAMAGES OR EQUITABLE RELIEF, ARISING FROM A BREACH OF SECURITY, AND IN
ACCORDANCE WITH THE PROVISIONS OF THIS SECTION. A CIVIL ACTION FOR
DAMAGES OR EQUITABLE RELIEF, SHALL NOT, HOWEVER, BE BROUGHT BY A
PERSONAL INFORMATION SUBJECT, IN ANY OTHER STATE COURT OF COMPETENT
A. 465 12
JURISDICTION, OTHER THAN IN ACCORDANCE WITH THE PROVISIONS OF THIS
SECTION, IF SUCH CIVIL ACTION ARISES OUT OF A BREACH OF SECURITY BY A
PERSONAL INFORMATION HOLDER. NO ACTION SHALL BE BROUGHT UNDER THIS
SECTION AGAINST A PERSONAL INFORMATION COLLECTOR OR A THIRD PARTY
PERSONAL INFORMATION COLLECTOR UNLESS BROUGHT IN ACCORDANCE WITH THE
PROVISIONS OF SUBPARAGRAPH FOUR OF PARAGRAPH (C) OF SUBDIVISION TWO OF
THIS SECTION.
2. CIVIL ACTIONS THAT MAY BE BROUGHT BY A PERSONAL INFORMATION SUBJECT
AGAINST A PERSONAL INFORMATION RECIPIENT.
(A) TIMELINESS OF ACTIONS. A CIVIL ACTION MAY BE BROUGHT IN ACCORDANCE
WITH THIS SECTION IF SUCH CIVIL ACTION IS BROUGHT WITHIN SIX YEARS OF
THE DATE OF THE REPORTING OF THE BREACH OF SECURITY AS REQUIRED BY
SECTION FOUR HUNDRED SEVEN OF THIS ARTICLE, OR IN THE EVENT NO SUCH
REPORT WAS EVER MADE, WITHIN ANY TIME AFTER THE DATE OF THE DISCOVERY OF
THE BREACH OF SECURITY BY THE PERSONAL INFORMATION SUBJECT.
(B) EQUITABLE ACTION. ANY ACTION BROUGHT IN ACCORDANCE WITH THIS
SECTION, MAY SEEK EITHER DAMAGES OR EQUITABLE RELIEF. IF A PERSONAL
INFORMATION SUBJECT SEEKS EQUITABLE RELIEF FOR A BREACH OF SECURITY
INVOLVING A SECURITY BREACH OF PERSONAL INFORMATION FROM A PERSONAL
INFORMATION RECIPIENT, AND THE COURT DETERMINES THAT SUCH EQUITABLE
RELIEF IS JUST AND PROPER AND SHOULD BE AWARDED, THEN IN ADDITION TO
SUCH EQUITABLE RELIEF, THE COURT MAY ALSO AWARD THE PERSONAL INFORMATION
SUBJECT COSTS, DISBURSEMENTS AND ATTORNEYS FEES OF THE ACTION. NO ACTION
BROUGHT UNDER THIS SECTION FOR EQUITABLE RELIEF SHALL PROHIBIT A
PERSONAL INFORMATION SUBJECT FROM ALSO BRINGING ANY ADDITIONAL CAUSE OF
ACTION FOR DAMAGES, WHEN SUCH ADDITIONAL CAUSE OF ACTION IS ALLOWED
UNDER THIS ARTICLE.
(C) ACTIONS INVOLVING DAMAGES. ANY ACTION BROUGHT IN ACCORDANCE WITH
THIS SECTION, SEEKING DAMAGES FOR A BREACH OF SECURITY INVOLVING A SECU-
RITY BREACH OF PERSONAL INFORMATION FROM A PERSONAL INFORMATION RECIPI-
ENT, SHALL BE BROUGHT AS FOLLOWS:
(1) PERSONAL INFORMATION HOLDERS OR THIRD PARTY PERSONAL INFORMATION
HOLDERS WITH ANNUAL REVENUES OF TEN MILLION DOLLARS OR MORE. ANY
PERSONAL INFORMATION HOLDER, OR THIRD PARTY PERSONAL INFORMATION HOLDER,
THAT HAS ANNUAL REVENUES OF TEN MILLION DOLLARS OR MORE, THAT FAILS TO
MAINTAIN THE SAFEGUARDS, STANDARDS, PROTOCOLS OR BEST PRACTICES FOR THE
PROTECTION OF PERSONAL INFORMATION AS ESTABLISHED IN ITS COMPREHENSIVE
INFORMATION SECURITY PROGRAM, OR THAT FAILS TO ESTABLISH A COMPREHENSIVE
PERSONAL INFORMATION SECURITY PROGRAM AS REQUIRED BY THIS ARTICLE, AND
THAT EXPERIENCES A BREACH OF SECURITY INVOLVING SUCH PERSONAL INFORMA-
TION, SHALL BE LIABLE IN A CIVIL ACTION BROUGHT IN ACCORDANCE WITH THIS
SECTION, FOR DAMAGES, IF THE PERSONAL INFORMATION SUBJECT INVOLVED IN
THE BREACH OF SECURITY SUSTAINS ANY DAMAGES AS A RESULT OF SUCH BREACH.
SUCH LIABILITY SHALL EXTEND TO DAMAGES IN THE AMOUNT OF THREE TIMES THE
AMOUNT OF SUCH DAMAGES SUSTAINED BY THE PERSONAL INFORMATION SUBJECT, OR
AN AMOUNT OF UP TO TEN THOUSAND DOLLARS, WHICHEVER IS LESS, TOGETHER
WITH COSTS, DISBURSEMENTS AND ATTORNEYS FEES OF THE ACTION. WHERE THE
COURT FINDS THAT THE PERSONAL INFORMATION HOLDER OR A THIRD PARTY
PERSONAL INFORMATION HOLDER, INTENTIONALLY FAILED TO ESTABLISH A COMPRE-
HENSIVE PERSONAL INFORMATION SECURITY PROGRAM, OR INTENTIONALLY FAILED
TO SEEK AND OBTAIN APPROVAL FOR A COMPREHENSIVE PERSONAL INFORMATION
SECURITY PROGRAM, WHERE REQUIRED, OR INTENTIONALLY FAILED TO MAINTAIN
THE SAFEGUARDS, STANDARDS, PROTOCOLS OR BEST PRACTICES FOR THE
PROTECTION OF PERSONAL INFORMATION AS ESTABLISHED IN ITS COMPREHENSIVE
PERSONAL INFORMATION SECURITY PROGRAM, THEN THE COURT MAY ALSO AWARD
A. 465 13
PUNITIVE DAMAGES TO THE PLAINTIFF OF AN ACTION BROUGHT UNDER THIS SUBDI-
VISION.
(2) PERSONAL INFORMATION HOLDERS OR THIRD PARTY PERSONAL INFORMATION
HOLDERS WITH ANNUAL REVENUES OF BETWEEN ONE MILLION DOLLARS AND TEN
MILLION DOLLARS. ANY PERSONAL INFORMATION HOLDER, OR THIRD PARTY
PERSONAL INFORMATION HOLDER, THAT HAS ANNUAL REVENUES OF BETWEEN ONE
MILLION DOLLARS AND TEN MILLION DOLLARS, AND THAT FAILS TO MAINTAIN THE
SAFEGUARDS, STANDARDS, PROTOCOLS OR BEST PRACTICES FOR THE PROTECTION OF
PERSONAL INFORMATION AS ESTABLISHED IN ITS COMPREHENSIVE PERSONAL INFOR-
MATION SECURITY PROGRAM, OR THAT FAILS TO ESTABLISH A COMPREHENSIVE
PERSONAL INFORMATION SECURITY PROGRAM AS REQUIRED BY THIS ARTICLE, AND
THAT EXPERIENCES A BREACH OF SECURITY INVOLVING SUCH PERSONAL INFORMA-
TION, SHALL BE LIABLE IN A CIVIL ACTION BROUGHT IN ACCORDANCE WITH THIS
SECTION, FOR DAMAGES, IF THE PERSONAL INFORMATION SUBJECT INVOLVED IN
THE BREACH OF SECURITY SUSTAINS ANY DAMAGES AS A RESULT OF SUCH BREACH.
SUCH LIABILITY SHALL EXTEND TO DAMAGES IN THE AMOUNT OF THREE TIMES THE
AMOUNT OF SUCH DAMAGES SUSTAINED BY THE PERSONAL INFORMATION SUBJECT, OR
AN AMOUNT OF UP TO FIVE THOUSAND DOLLARS, WHICHEVER IS LESS, TOGETHER
WITH COSTS, DISBURSEMENTS AND ATTORNEYS FEES OF THE ACTION. WHERE THE
COURT FINDS THAT THE PERSONAL INFORMATION HOLDER OR A THIRD PARTY
PERSONAL INFORMATION HOLDER, INTENTIONALLY FAILED TO ESTABLISH A COMPRE-
HENSIVE PERSONAL INFORMATION SECURITY PROGRAM, OR INTENTIONALLY FAILED
TO SEEK AND OBTAIN APPROVAL FOR A COMPREHENSIVE PERSONAL INFORMATION
SECURITY PROGRAM, WHERE REQUIRED, OR INTENTIONALLY FAILED TO MAINTAIN
THE SAFEGUARDS, STANDARDS, PROTOCOLS OR BEST PRACTICES FOR THE
PROTECTION OF PERSONAL INFORMATION AS ESTABLISHED IN ITS COMPREHENSIVE
PERSONAL INFORMATION SECURITY PROGRAM, THEN THE COURT MAY ALSO AWARD
PUNITIVE DAMAGES TO THE PLAINTIFF OF AN ACTION BROUGHT UNDER THIS SUBDI-
VISION.
(3) PERSONAL INFORMATION HOLDERS OR THIRD PARTY PERSONAL INFORMATION
HOLDERS WITH ANNUAL REVENUES OF LESS THAN ONE MILLION DOLLARS. ANY
PERSONAL INFORMATION HOLDER, OR THIRD PARTY PERSONAL INFORMATION HOLDER,
THAT HAS ANNUAL REVENUES OF LESS THAN ONE MILLION DOLLARS, AND THAT
FAILS TO MAINTAIN THE SAFEGUARDS, STANDARDS, PROTOCOLS OR BEST PRACTICES
FOR THE PROTECTION OF PERSONAL INFORMATION AS ESTABLISHED IN ITS COMPRE-
HENSIVE PERSONAL INFORMATION SECURITY PROGRAM, OR THAT FAILS TO ESTAB-
LISH A COMPREHENSIVE PERSONAL INFORMATION SECURITY PROGRAM AS REQUIRED
BY THIS ARTICLE, AND THAT EXPERIENCES A BREACH OF SECURITY INVOLVING
SUCH PERSONAL INFORMATION, SHALL BE LIABLE IN A CIVIL ACTION BROUGHT IN
ACCORDANCE WITH THIS SECTION, FOR DAMAGES, IF THE PERSONAL INFORMATION
SUBJECT INVOLVED IN THE BREACH OF SECURITY SUSTAINS ANY DAMAGES AS A
RESULT OF SUCH BREACH. SUCH LIABILITY SHALL EXTEND TO DAMAGES IN THE
AMOUNT OF THREE TIMES THE AMOUNT OF SUCH DAMAGES SUSTAINED BY THE
PERSONAL INFORMATION SUBJECT, OR AN AMOUNT OF UP TO ONE THOUSAND
DOLLARS, WHICHEVER IS LESS, TOGETHER WITH COSTS, DISBURSEMENTS AND
ATTORNEYS FEES OF THE ACTION. WHERE THE COURT FINDS THAT THE PERSONAL
INFORMATION HOLDER OR A THIRD PARTY PERSONAL INFORMATION HOLDER, INTEN-
TIONALLY FAILED TO ESTABLISH A COMPREHENSIVE PERSONAL INFORMATION SECU-
RITY PROGRAM, OR INTENTIONALLY FAILED TO SEEK AND OBTAIN APPROVAL FOR A
COMPREHENSIVE PERSONAL INFORMATION SECURITY PROGRAM, WHERE REQUIRED, OR
INTENTIONALLY FAILED TO MAINTAIN THE SAFEGUARDS, STANDARDS, PROTOCOLS OR
BEST PRACTICES FOR THE PROTECTION OF PERSONAL INFORMATION AS ESTABLISHED
IN ITS COMPREHENSIVE PERSONAL INFORMATION SECURITY PROGRAM, THEN THE
COURT MAY ALSO AWARD PUNITIVE DAMAGES TO THE PLAINTIFF OF AN ACTION
BROUGHT UNDER THIS SUBDIVISION.
A. 465 14
(4) PERSONAL INFORMATION COLLECTORS. ANY PERSONAL INFORMATION COLLEC-
TOR THAT FAILS TO MAINTAIN THE SAFEGUARDS, STANDARDS, PROTOCOLS OR BEST
PRACTICES FOR THE PROTECTION OF PERSONAL INFORMATION AS ESTABLISHED IN
ITS COMPREHENSIVE PERSONAL INFORMATION SECURITY PROGRAM, OR THAT FAILS
TO ESTABLISH A COMPREHENSIVE PERSONAL INFORMATION SECURITY PROGRAM AS
REQUIRED BY THIS ARTICLE, AND THAT EXPERIENCES A BREACH OF SECURITY
INVOLVING SUCH PERSONAL INFORMATION, SHALL BE LIABLE IN A CIVIL ACTION
FOR DAMAGES BROUGHT IN ACCORDANCE WITH THIS SECTION, IN THE AMOUNT OF
SUCH DAMAGES SO SUSTAINED. WHERE THE COURT FINDS THAT THE PERSONAL
INFORMATION COLLECTOR INTENTIONALLY FAILED TO ESTABLISH A COMPREHENSIVE
PERSONAL INFORMATION SECURITY PROGRAM, OR INTENTIONALLY FAILED TO SEEK
AND OBTAIN APPROVAL FOR A COMPREHENSIVE PERSONAL INFORMATION SECURITY
PROGRAM, WHERE REQUIRED, OR INTENTIONALLY FAILED TO MAINTAIN THE SAFE-
GUARDS, STANDARDS, PROTOCOLS OR BEST PRACTICES FOR THE PROTECTION OF
PERSONAL INFORMATION AS ESTABLISHED IN ITS COMPREHENSIVE PERSONAL INFOR-
MATION SECURITY PROGRAM, THEN THE COURT MAY ALSO AWARD PUNITIVE DAMAGES
TO THE PLAINTIFF OF AN ACTION BROUGHT UNDER THIS SUBDIVISION.
(5) NO ACTION BROUGHT UNDER THIS SECTION FOR DAMAGES SHALL PROHIBIT A
PERSONAL INFORMATION SUBJECT FROM ALSO BRINGING ANY ADDITIONAL CAUSE OF
ACTION FOR EQUITABLE RELIEF, WHEN SUCH ADDITIONAL CAUSE OF ACTION IS
ALSO ALLOWED UNDER THIS ARTICLE.
§ 409. LIABILITY PROTECTION. 1. IT SHALL BE A COMPLETE DEFENSE TO ANY
CIVIL ACTION BROUGHT IN ACCORDANCE WITH SECTION FOUR HUNDRED EIGHT OF
THIS ARTICLE, FOR THE PERSONAL INFORMATION RECIPIENT THAT IS THE DEFEND-
ANT IN SUCH ACTION, THAT SUCH PERSONAL INFORMATION RECIPIENT ESTABLISHED
AND MAINTAINED A COMPREHENSIVE PERSONAL INFORMATION SECURITY PROGRAM, AS
REQUIRED BY THIS ARTICLE, AND SUBSTANTIALLY FOLLOWED AND COMPLIED WITH
ALL PROVISIONS OF SUCH COMPREHENSIVE PERSONAL INFORMATION SECURITY
PROGRAM, AND SUBSTANTIALLY MAINTAINED, IF REQUIRED, ALL COMPUTER SYSTEM
SECURITY REQUIREMENTS, IN ACCORDANCE WITH SECTION FOUR HUNDRED SIX OF
THIS ARTICLE, AND SUBSTANTIALLY MAINTAINED, IF REQUIRED, THE PROPER
APPROVAL FOR SUCH COMPREHENSIVE PERSONAL INFORMATION SECURITY PROGRAM,
IN ACCORDANCE WITH SECTION FOUR HUNDRED FIVE OF THIS ARTICLE, AT THE
TIME OF THE BREACH OF SUCH SECURITY.
2. ANY CIVIL ACTION BROUGHT BY A PERSONAL INFORMATION SUBJECT, IN ANY
COURT OF COMPETENT JURISDICTION, INVOLVING DAMAGES ARISING FROM A BREACH
OF SECURITY THAT IS NOT BROUGHT IN ACCORDANCE WITH THE PROVISIONS OF
SECTION FOUR HUNDRED EIGHT OF THIS ARTICLE, SHALL BE DISMISSED WITHOUT
PREJUDICE, AGAINST SUCH PERSONAL INFORMATION RECIPIENT OR THIRD PARTY
PERSONAL INFORMATION RECIPIENT, BUT THAT SUCH PERSONAL INFORMATION
SUBJECT MAY BRING A NEW, SUBSEQUENT ACTION, IF TIMELY, IN ACCORDANCE
WITH THE PROVISIONS OF SECTION FOUR HUNDRED EIGHT OF THIS ARTICLE.
§ 410. INFORMATION SHARING AND ANALYSIS PROGRAM. 1. THE OFFICE SHALL
ESTABLISH AND MAINTAIN A VOLUNTARY NEW YORK STATE CYBER SECURITY INFOR-
MATION SHARING AND ANALYSIS PROGRAM.
2. IT SHALL BE THE PURPOSE OF THE NEW YORK STATE CYBER SECURITY INFOR-
MATION SHARING AND ANALYSIS PROGRAM TO INCREASE THE VOLUME, TIMELINESS,
AND QUALITY OF CYBER THREAT INFORMATION SHARED WITH STATE PUBLIC AND
PRIVATE SECTOR ENTITIES SO THAT THESE ENTITIES MAY BETTER PROTECT AND
DEFEND THEMSELVES AGAINST CYBER THREATS AND TO PROMOTE THE DEVELOPMENT
OF EFFECTIVE DEFENSES AND STRATEGIES TO COMBAT, AND PROTECT AGAINST,
CYBER THREATS AND ATTACKS.
3. TO FACILITATE THE PURPOSES OF THE NEW YORK STATE CYBER SECURITY
INFORMATION SHARING AND ANALYSIS PROGRAM, THE OFFICE SHALL PROMULGATE
REGULATIONS, IN ACCORDANCE WITH THE PROVISIONS OF THIS SECTION.
A. 465 15
4. THE REGULATIONS PROMULGATED PURSUANT TO SUBDIVISION THREE OF THIS
SECTION SHALL:
(A) PROVIDE FOR THE TIMELY PRODUCTION OF UNCLASSIFIED REPORTS OF CYBER
THREATS TO THE STATE AND ITS PUBLIC AND PRIVATE SECTOR ENTITIES, INCLUD-
ING, BUT NOT LIMITED TO, ALL PARTICIPANTS IN THE INFORMATION SHARING AND
ANALYSIS PROGRAM, WITH EXPRESS DETAILS ON THREATS THAT IDENTIFY A
SPECIFIC TARGETED ENTITY OR SPECIFIC THREAT TYPE OR ACTIVITY;
(B) ADDRESS THE NEED TO PROTECT INTELLIGENCE AND LAW ENFORCEMENT
SOURCES, METHODS, OPERATIONS, AND INVESTIGATIONS;
(C) ESTABLISH A PROCESS THAT RAPIDLY DISSEMINATES THE REPORTS PRODUCED
PURSUANT TO PARAGRAPH (A) OF THIS SUBDIVISION, TO ANY TARGETED ENTITY,
ANY PROGRAM PARTICIPANT, AND SUCH OTHER AND FURTHER PUBLIC AND PRIVATE
ENTITIES AS THE OFFICE SHALL DEEM NECESSARY TO ADVANCE THE PURPOSES OF
THIS SUBDIVISION;
(D) PROVIDE FOR PROTECTIONS FROM LIABILITY FOR ENTITIES SHARING AND
RECEIVING INFORMATION WITH THE NEW YORK STATE CYBER SECURITY INFORMATION
AND ANALYSIS PROGRAM, SO LONG AS THE ENTITY ACTED IN GOOD FAITH;
(E) ESTABLISH A SYSTEM FOR TRACKING THE PRODUCTION, DISSEMINATION, AND
DISPOSITION OF THE REPORTS PRODUCED IN ACCORDANCE WITH THE PROVISIONS OF
THIS SUBDIVISION;
(F) ESTABLISH AN ENHANCED CYBER SECURITY SERVICES PROGRAM, WITHIN THE
STATE, TO PROVIDE FOR PROCEDURES, METHODS AND DIRECTIVES, FOR A VOLUN-
TARY INFORMATION SHARING PROGRAM, THAT WILL PROVIDE CYBER THREAT AND
TECHNICAL INFORMATION COLLECTED FROM BOTH PUBLIC AND PRIVATE SECTOR
ENTITIES, TO ALL PARTICIPANTS IN THE INFORMATION SHARING AND ANALYSIS
PROGRAM AND ALL SUCH PRIVATE AND PUBLIC SECTOR ENTITIES AS THE OFFICE
DEEMS PRUDENT, AND TO ALSO ADVISE ALL CRITICAL INFRASTRUCTURE COMPANIES
OR COMMERCIAL SERVICE PROVIDERS THAT OFFER SECURITY SERVICES TO CRITICAL
INFRASTRUCTURE ON CYBER SECURITY THREATS AND DEFENSE MEASURES;
(G) SEEK TO DEVELOP STRATEGIES TO MAXIMIZE THE UTILITY OF CYBER THREAT
INFORMATION SHARING BETWEEN AND ACROSS THE PRIVATE AND PUBLIC SECTORS;
(H) PROMOTE THE USE OF PRIVATE AND PUBLIC SECTOR SUBJECT MATTER
EXPERTS TO ADDRESS CYBER SECURITY NEEDS IN THE STATE, WITH THESE SUBJECT
MATTER EXPERTS PROVIDING ADVICE REGARDING THE CONTENT, STRUCTURE, AND
TYPES OF INFORMATION MOST USEFUL TO CRITICAL INFRASTRUCTURE OWNERS AND
OPERATORS IN REDUCING AND MITIGATING CYBER RISKS;
(I) ESTABLISH A CONSULTATIVE PROCESS TO COORDINATE IMPROVEMENTS TO THE
CYBER SECURITY OF CRITICAL INFRASTRUCTURE, WHERE AS PART OF THE CONSUL-
TATIVE PROCESS, THE PUBLIC AND PRIVATE ENTITIES OF THE STATE SHALL
ENGAGE;
(J) PROVIDE THAT THE OFFICE SHALL SEEK AND CONSIDER THE ADVICE OF THE
DIVISION OF HOMELAND SECURITY AND EMERGENCY SERVICES, THE DIVISION OF
STATE POLICE, THE CENTER FOR INTERNET SECURITY, AND SUCH OTHER AND
FURTHER PRIVATE AND PUBLIC SECTOR ENTITIES, UNIVERSITIES, AND CYBER
SECURITY EXPERTS AS THE OFFICE MAY DEEM PRUDENT; AND
(K) ESTABLISH A BASELINE FRAMEWORK TO REDUCE CYBER RISK TO CRITICAL
INFRASTRUCTURE AND PUBLIC AND PRIVATE COMPUTER SYSTEMS, NETWORKS AND
OPERATIONS.
5. THE OFFICE SHALL USE THE INFORMATION SHARING AND ANALYSIS PROGRAM
DEVELOPED UNDER THIS SECTION TO LEAD IN THE DEVELOPMENT OF A VOLUNTARY
FRAMEWORK TO REDUCE CYBER RISKS TO CRITICAL INFRASTRUCTURE AND PUBLIC
AND PRIVATE COMPUTER SYSTEMS, NETWORKS AND OPERATIONS, TO BE KNOWN AS
THE CYBER SECURITY FRAMEWORK.
6. THE DEVELOPMENT OF THE CYBER SECURITY FRAMEWORK SHALL:
A. 465 16
(A) INCLUDE A SET OF STANDARDS, METHODOLOGIES, PROCEDURES, AND PROC-
ESSES THAT ALIGN POLICY, BUSINESS, AND TECHNOLOGICAL APPROACHES TO
ADDRESS CYBER RISKS;
(B) INCORPORATE VOLUNTARY CONSENSUS STANDARDS, SAFEGUARDS, PROTOCOLS
AND BEST PRACTICES TO THE FULLEST EXTENT POSSIBLE;
(C) PROVIDE A PRIORITIZED, FLEXIBLE, REPEATABLE, PERFORMANCE-BASED,
AND COST-EFFECTIVE APPROACH, INCLUDING INFORMATION SECURITY MEASURES AND
CONTROLS, TO HELP OWNERS AND OPERATORS OF CRITICAL INFRASTRUCTURE AND
PUBLIC AND PRIVATE COMPUTER SYSTEMS, NETWORKS AND OPERATIONS, TO IDENTI-
FY, ASSESS, AND MANAGE CYBER RISK;
(D) FOCUS ON IDENTIFYING CROSS-SECTOR SECURITY STANDARDS AND GUIDE-
LINES APPLICABLE TO CRITICAL INFRASTRUCTURE AND PUBLIC AND PRIVATE
COMPUTER SYSTEMS, NETWORKS AND OPERATIONS;
(E) IDENTIFY AREAS FOR IMPROVEMENT THAT SHOULD BE ADDRESSED THROUGH
FUTURE COLLABORATION WITH PARTICULAR SECTORS AND STANDARDS-DEVELOPING
ORGANIZATIONS;
(F) ENABLE TECHNICAL INNOVATION AND ACCOUNT FOR ORGANIZATIONAL DIFFER-
ENCES, TO PROVIDE GUIDANCE THAT IS TECHNOLOGY NEUTRAL AND THAT ENABLES
CRITICAL INFRASTRUCTURE SECTORS AND PUBLIC AND PRIVATE COMPUTER SYSTEMS,
NETWORKS AND OPERATIONS, TO BENEFIT FROM A COMPETITIVE MARKET FOR
PRODUCTS AND SERVICES THAT MEET THE STANDARDS, METHODOLOGIES, PROCE-
DURES, PROCESSES, SAFEGUARDS, PROTOCOLS AND BEST PRACTICES TO BE DEVEL-
OPED TO ADDRESS CYBER RISKS;
(G) INCLUDE GUIDANCE FOR MEASURING THE PERFORMANCE OF AN ENTITY IN
IMPLEMENTING THE CYBER SECURITY FRAMEWORK;
(H) INCLUDE METHODOLOGIES TO IDENTIFY AND MITIGATE IMPACTS OF THE
CYBER SECURITY FRAMEWORK AND ASSOCIATED INFORMATION SECURITY MEASURES OR
CONTROLS ON BUSINESS CONFIDENTIALITY, AND TO PROTECT INDIVIDUAL PRIVACY
AND CIVIL LIBERTIES; AND
(I) ENGAGE IN THE REVIEW OF THREAT AND VULNERABILITY INFORMATION AND
TECHNICAL EXPERTISE.
7. THE REGULATIONS PROMULGATED PURSUANT TO SUBDIVISION THREE OF THIS
SECTION SHALL ADDITIONALLY ESTABLISH A VOLUNTARY CRITICAL INFRASTRUCTURE
CYBER SECURITY PROGRAM TO SUPPORT THE ADOPTION OF THE CYBER SECURITY
FRAMEWORK BY OWNERS AND OPERATORS OF CRITICAL INFRASTRUCTURE AND ANY
OTHER INTERESTED ENTITIES, WHERE UNDER THIS PROGRAM IMPLEMENTATION GUID-
ANCE OR SUPPLEMENTAL MATERIALS WOULD BE DEVELOPED TO ADDRESS SECTOR-SPE-
CIFIC RISKS AND OPERATING ENVIRONMENTS.
8. IN DEVELOPING THE NEW YORK STATE CYBER SECURITY INFORMATION SHARING
AND ANALYSIS PROGRAM IN ACCORDANCE WITH THE PROVISIONS OF THIS SECTION,
THE OFFICE, IN CONSULTATION WITH THE DIVISION OF HOMELAND SECURITY AND
EMERGENCY SERVICES AND THE DIVISION OF STATE POLICE, SHALL PRODUCE AND
SUBMIT A REPORT, TO THE GOVERNOR, THE TEMPORARY PRESIDENT OF THE SENATE,
AND THE SPEAKER OF THE ASSEMBLY, MAKING RECOMMENDATIONS ON THE FEASIBIL-
ITY, SECURITY BENEFITS, AND RELATIVE MERITS OF INCORPORATING SECURITY
SAFEGUARDS, STANDARDS, PROTOCOLS AND BEST PRACTICES INTO ACQUISITION
PLANNING AND CONTRACT ADMINISTRATION. SUCH REPORT SHALL FURTHER ADDRESS
WHAT STEPS CAN BE TAKEN TO HARMONIZE AND MAKE CONSISTENT EXISTING
PROCUREMENT REQUIREMENTS RELATED TO CYBER SECURITY AND THE FEASIBILITY
OF INCLUDING RISK-BASED SECURITY STANDARDS INTO PROCUREMENT AND CONTRACT
ADMINISTRATION.
§ 4. This act shall take effect on the one hundred eightieth day after
it shall have become a law; provided, however, that the office of infor-
mation technology services is authorized and directed to (i) publish its
model comprehensive security programs containing recommended standards,
safeguards, protocols and best practices for holders of personal infor-
A. 465 17
mation in accordance with section 404 of the state technology law, as
added by section three of this act, and (ii) establish the information
sharing and analysis program and promulgate regulations regarding the
same, in accordance with section 410 of the state technology law, as
added by section three of this act, on or before the one hundred fifti-
eth day after this act shall have become a law.