STATE OF NEW YORK
________________________________________________________________________
9797
IN ASSEMBLY
February 13, 2020
___________
Introduced by M. of A. HYNDMAN -- read once and referred to the Committee
on Consumer Affairs and Protection
AN ACT to amend the general business law, in relation to notification of
a data breach
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEMBLY,
DO ENACT AS FOLLOWS:
Section 1. Subdivisions 2 and 3 of section 899-aa of the general business
law, as amended by chapter 117 of the laws of 2019, are amended to
read as follows:
2. Any person or business which owns or licenses computerized data
which includes private information shall disclose any breach of the
security of the system following discovery or notification of the breach
in the security of the system to any resident of New York state whose
private information was, or is reasonably believed to have been,
accessed or acquired by a person without valid authorization. The
disclosure shall be made in the most expedient time possible and without
unreasonable delay, [consistent with] AND SHALL BE MADE WITHIN FIFTEEN
DAYS AFTER THE BREACH HAS BEEN DISCOVERED, EXCEPT FOR the legitimate
needs of law enforcement, as provided in subdivision four of this
section[, or any measures necessary to determine the scope of the breach
and restore the integrity of the system].
(a) Notice to affected persons under this section is not required if
the exposure of private information was an inadvertent disclosure by
persons authorized to access private information, and the person or
business reasonably determines such exposure will not likely result in
misuse of such information, or financial harm to the affected persons or
emotional harm in the case of unknown disclosure of online credentials
as found in subparagraph (ii) of paragraph (b) of subdivision one of
this section. Such a determination must be documented in writing and
maintained for at least five years. If the incident affects over five
hundred residents of New York, the person or business shall provide the
written determination to the state attorney general within ten days
after the determination.
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD08659-04-0
(b) If notice of the breach of the security of the system is made to
affected persons pursuant to the breach notification requirements under
any of the following laws, nothing in this section shall require any
additional notice to those affected persons, but notice still shall be
provided to the state attorney general, the department of state [and],
the division of state police AND THE DEPARTMENT OF FINANCIAL SERVICES
pursuant to paragraph (a) of subdivision eight of this section and to
consumer reporting agencies pursuant to paragraph (b) of subdivision
eight of this section:
(i) regulations promulgated pursuant to Title V of the federal
Gramm-Leach-Bliley Act (15 U.S.C. 6801 to 6809), as amended from time to time;
(ii) regulations implementing the Health Insurance Portability and
Accountability Act of 1996 (45 C.F.R. parts 160 and 164), as amended
from time to time, and the Health Information Technology for Economic
and Clinical Health Act, as amended from time to time;
(iii) part five hundred of title twenty-three of the official compilation
of codes, rules and regulations of the state of New York, as
amended from time to time; or
(iv) any other data security rules and regulations of, and the statutes
administered by, any official department, division, commission or
agency of the federal or New York state government as such rules, regulations
or statutes are interpreted by such department, division,
commission or agency or by the federal or New York state courts.
3. Any person or business which maintains computerized data which
includes private information which such person or business does not own
shall notify the owner or licensee of the information of any breach of
the security of the system immediately AND WITHIN FIFTEEN DAYS following
discovery, if the private information was, or is reasonably believed to
have been, accessed or acquired by a person without valid authorization.
§ 2. Paragraph (a) of subdivision 8 of section 899-aa of the general
business law, as amended by chapter 117 of the laws of 2019, is amended
to read as follows:
(a) In the event that any New York residents are to be notified, the
person or business shall notify the state attorney general, the department
of state [and], the division of state police AND THE DEPARTMENT OF
FINANCIAL SERVICES as to the timing, content and distribution of the
notices and approximate number of affected persons and shall provide a
copy of the template of the notice sent to affected persons. Such notice
shall be made without delaying notice to affected New York residents.
§ 3. This act shall take effect immediately.