S T A T E O F N E W Y O R K
________________________________________________________________________
1725
2023-2024 Regular Sessions
I N A S S E M B L Y
January 20, 2023
___________
Introduced by M. of A. DINOWITZ, DAVILA, SIMON, GLICK -- read once and
referred to the Committee on Consumer Affairs and Protection
AN ACT to amend the general business law, in relation to requiring
certain businesses to offer identity theft prevention and mitigation
services in the case of a security breach
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
BLY, DO ENACT AS FOLLOWS:
Section 1. Subdivision 10 of section 899-aa of the general business
law, as renumbered by chapter 117 of the laws of 2019, is renumbered to
be subdivision 11 and a new subdivision 10 is added to read as follows:
10. (A) WHERE A SECURITY BREACH FROM A PERSON OR BUSINESS OTHER THAN A
CONSUMER CREDIT REPORTING AGENCY INCLUDES A SOCIAL SECURITY NUMBER, AND
THAT PERSON OR BUSINESS IS REQUIRED TO PROVIDE NOTICE UNDER SUBDIVISION
TWO OF THIS SECTION, THAT PERSON OR BUSINESS SHALL OFFER EACH RESIDENT
OF THIS STATE WHOSE SOCIAL SECURITY NUMBER WAS DISCLOSED IN THE BREACH
OF SECURITY OR IS REASONABLY BELIEVED TO HAVE BEEN DISCLOSED IN THE
BREACH OF SECURITY, REASONABLE CREDIT REPORT MONITORING, IDENTITY THEFT
PREVENTION SERVICES AND, IF APPLICABLE, IDENTITY THEFT MITIGATION
SERVICES AT NO COST TO SAID RESIDENT FOR A PERIOD OF NOT LESS THAN TWEN-
TY-FOUR MONTHS. THE DISCLOSURE REQUIRED BY SUBDIVISION TWO OF THIS
SECTION SHALL INCLUDE INFORMATION FOR ANY RESIDENT OF NEW YORK STATE
WHOSE SOCIAL SECURITY NUMBER WAS DISCLOSED AS A RESULT OF A DATA BREACH
TO OBTAIN FREE, REASONABLE CREDIT REPORT MONITORING, IDENTITY THEFT
PREVENTION SERVICES AND, IF APPLICABLE, IDENTITY THEFT MITIGATION
SERVICES AS DESCRIBED IN THIS SECTION.
(B) THE REQUIREMENT TO PROVIDE TWENTY-FOUR MONTHS OF IDENTITY THEFT
MITIGATION SERVICES SHALL NOT APPLY TO ANY INDIVIDUAL PERSON OR SMALL
BUSINESS AS DEFINED IN SECTION ONE HUNDRED THIRTY-ONE OF THE ECONOMIC
DEVELOPMENT LAW THAT CAN DEMONSTRATE A FINANCIAL HARDSHIP DIRECTLY OWING
TO SUCH COMPLIANCE. A REQUEST FOR A FINANCIAL HARDSHIP WAIVER SHALL BE
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD00909-01-3
A. 1725 2
MADE TO THE COMMISSIONER OF THE DEPARTMENT OF FINANCIAL SERVICES ON A
FORM PRESCRIBED BY THE DEPARTMENT OF FINANCIAL SERVICES.
§ 2. This act shall take effect on the one hundred eightieth day after
it shall have become a law. Effective immediately, the addition, amend-
ment and/or repeal of any rule or regulation necessary for the implemen-
tation of this act on its effective date are authorized to be made and
completed on or before such effective date.