Assembly Bill A1725

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                   1725
 
                        2023-2024 Regular Sessions
 
                           I N  A S S E M B L Y
 
                             January 20, 2023
                                ___________
 
 Introduced  by  M. of A. DINOWITZ, DAVILA, SIMON, GLICK -- read once and
   referred to the Committee on Consumer Affairs and Protection
 
 AN ACT to amend the general  business  law,  in  relation  to  requiring
   certain  businesses  to offer identity theft prevention and mitigation
   services in the case of a security breach

   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section  1.  Subdivision  10 of section 899-aa of the general business
 law, as renumbered by chapter 117 of the laws of 2019, is renumbered  to
 be subdivision 11 and a new subdivision 10 is added to read as follows:
   10. (A) WHERE A SECURITY BREACH FROM A PERSON OR BUSINESS OTHER THAN A
 CONSUMER  CREDIT REPORTING AGENCY INCLUDES A SOCIAL SECURITY NUMBER, AND
 THAT PERSON OR BUSINESS IS REQUIRED TO PROVIDE NOTICE UNDER  SUBDIVISION
 TWO  OF  THIS SECTION, THAT PERSON OR BUSINESS SHALL OFFER EACH RESIDENT
 OF THIS STATE WHOSE SOCIAL SECURITY NUMBER WAS DISCLOSED IN  THE  BREACH
 OF  SECURITY  OR  IS  REASONABLY  BELIEVED TO HAVE BEEN DISCLOSED IN THE
 BREACH OF SECURITY, REASONABLE CREDIT REPORT MONITORING, IDENTITY  THEFT
 PREVENTION  SERVICES  AND,  IF  APPLICABLE,  IDENTITY  THEFT  MITIGATION
 SERVICES AT NO COST TO SAID RESIDENT FOR A PERIOD OF NOT LESS THAN TWEN-
 TY-FOUR MONTHS. THE DISCLOSURE  REQUIRED  BY  SUBDIVISION  TWO  OF  THIS
 SECTION  SHALL  INCLUDE  INFORMATION  FOR ANY RESIDENT OF NEW YORK STATE
 WHOSE SOCIAL SECURITY NUMBER WAS DISCLOSED AS A RESULT OF A DATA  BREACH
 TO  OBTAIN  FREE,  REASONABLE  CREDIT  REPORT MONITORING, IDENTITY THEFT
 PREVENTION  SERVICES  AND,  IF  APPLICABLE,  IDENTITY  THEFT  MITIGATION
 SERVICES AS DESCRIBED IN THIS SECTION.
   (B)  THE  REQUIREMENT  TO PROVIDE TWENTY-FOUR MONTHS OF IDENTITY THEFT
 MITIGATION SERVICES SHALL NOT APPLY TO ANY INDIVIDUAL  PERSON  OR  SMALL
 BUSINESS  AS  DEFINED  IN SECTION ONE HUNDRED THIRTY-ONE OF THE ECONOMIC
 DEVELOPMENT LAW THAT CAN DEMONSTRATE A FINANCIAL HARDSHIP DIRECTLY OWING
 TO SUCH COMPLIANCE. A REQUEST FOR A FINANCIAL HARDSHIP WAIVER  SHALL  BE
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD00909-01-3
 A. 1725                             2
              

 
 MADE  TO  THE  COMMISSIONER OF THE DEPARTMENT OF FINANCIAL SERVICES ON A
 FORM PRESCRIBED BY THE DEPARTMENT OF FINANCIAL SERVICES.
   § 2. This act shall take effect on the one hundred eightieth day after
 it shall have become a law.  Effective immediately, the addition, amend-
 ment and/or repeal of any rule or regulation necessary for the implemen-
 tation  of  this act on its effective date are authorized to be made and
 completed on or before such effective date.