NY State Senate Bill 2023-S2659A

Current Bill Status - In Senate Committee Internet And Technology Committee

Introduced
- In Committee Assembly
- In Committee Senate
- On Floor Calendar Assembly
- On Floor Calendar Senate
- Passed Assembly
- Passed Senate
Delivered to Governor
Signed By Governor

Please enter your contact information

First Name

Last Name

Email Address

A valid email address is required.

Home address is used to determine the senate district in which you reside. Your support or opposition to this bill is then shared immediately with the senator who represents you.

Optional services from the NY State Senate:

Create an account. An account allows you to officially support or oppose key legislation, sign petitions with a single click, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Include a custom message for your Senator? (Optional)

Enter a message to your senator. Many New Yorkers use this to share the reasoning behind their support or opposition to the bill. Others might share a personal anecdote about how the bill would affect them or people they care about.

Actions

View Actions

	Assembly Actions - Lowercase Senate Actions - UPPERCASE
Jan 03, 2024	referred to internet and technology returned to senate died in assembly
Jun 07, 2023	referred to science and technology delivered to assembly passed senate
May 08, 2023	advanced to third reading
May 03, 2023	2nd report cal.
May 02, 2023	1st report cal.735
Apr 26, 2023	print number 2659a
Apr 26, 2023	amend and recommit to internet and technology
Jan 24, 2023	referred to internet and technology

Votes

- Jun 7, 2023 - Floor Vote
  S2659A
  
  60
  
  Aye
  
  1
  
  Nay
  
  0
  
  Absent
  
  2
  
  Excused
  
  0
  
  Abstained
  - - Floor Vote: Jun 7, 2023
      
      aye (60)
      
      Addabbo Jr.
      
      Ashby
      
      Bailey
      
      Borrello
      
      Breslin
      
      Brisport
      
      Brouk
      
      Canzoneri-Fitzpatrick
      
      Chu
      
      Cleare
      
      Comrie
      
      Fernandez
      
      Gallivan
      
      Gianaris
      
      Gonzalez
      
      Gounardes
      
      Griffo
      
      Harckham
      
      Helming
      
      Hinchey
      
      Hoylman-Sigal
      
      Jackson
      
      Kavanagh
      
      Kennedy
      
      Krueger
      
      Lanza
      
      Liu
      
      Mannion
      
      Martinez
      
      Martins
      
      Mattera
      
      May
      
      Mayer
      
      Murray
      
      Myrie
      
      O'Mara
      
      Oberacker
      
      Ortt
      
      Parker
      
      Persaud
      
      Ramos
      
      Rhoads
      
      Rivera
      
      Rolison
      
      Ryan
      
      Salazar
      
      Sanders Jr.
      
      Scarcella-Spanton
      
      Sepúlveda
      
      Serrano
      
      Skoufis
      
      Stavisky
      
      Stec
      
      Stewart-Cousins
      
      Tedisco
      
      Thomas
      
      Walczyk
      
      Webb
      
      Weber
      
      Weik
      
      nay (1)
      
      Palumbo
      
      excused (2)
      
      Cooney
      
      Felder
  May 2, 2023 - Internet And Technology Committee Vote
  S2659A
  
  5
  
  Aye
  
  0
  
  Nay
  
  2
  
  Aye with Reservations
  
  0
  
  Absent
  
  0
  
  Excused
  
  0
  
  Abstained
  - - Internet And Technology Committee Vote: May 2, 2023
      
      aye (5)
      
      Brouk
      
      Comrie
      
      Gonzalez
      
      Parker
      
      Ryan
      
      aye wr (2)
      
      Stec
      
      Walczyk

Bill Amendments

Original

A (Active)

2023-S2659 - Details

See Assembly Version of this Bill:: A8872
Current Committee:: Senate Internet And Technology
Law Section:: General Business Law
Laws Affected:: Amd §899-aa, Gen Bus L
Versions Introduced in Other Legislative Sessions:: 2017-2018: S6880
2019-2020: S2540
2021-2022: S5808

2023-S2659 - Summary

Provides that a business must provide notification of a data breach within 15 days of such breach; includes the department of financial services to the list of entities that must be notified of a data breach that affects any New York resident.

2023-S2659 - Sponsor Memo

                                 
BILL NUMBER: S2659

SPONSOR: COMRIE
 
TITLE OF BILL:

An act to amend the general business law, in relation to notification of
a data breach

 
SUMMARY OF PROVISIONS:

This bill amends existing subdivisions 2 and 3 of section 899-aa of the
general business law to provide that consumer reporting agencies that
experience a data breach must disclose such breach within 15 days.

 
JUSTIFICATION:

On September 7th, 2017, one of three major consumer credit reporting
agencies in the United States-Equifax-reported that hackers gained
access to company data that potentially compromised sensitive informa-
tion for 143 million American consumers - nearly 44% of the U.S. popu-
lation. The breach included: social security numbers, driver's license
numbers, names, addresses and birth dates. Keys that unlock consumers'

medical histories, bank accounts, and employee accounts have also been
compromised. Credit card numbers for 209,000 consumers were stolen, and
documents with personal information used in disputes for 182,000 people
were also stolen.

The attack on Equifax represents one of the largest risks to personally
sensitive information in recent years. This incident is the third major
cybersecurity threat for the agency since 2015. Just last year, identify
thieves successfully hacked critical W-2 tax and salary data from an
Equifax website. Earlier this year, thieves again stole W-2 tax data
from an Equifax subsidiary, TAM which provides online payroll, tax and
human resources services to some of the nation's largest corporations.
According to investigations, criminals gained access to certain files in
the company's system from mid-May to July, 2017 by exploiting a weak
point in website software.

Identity thieves can impersonate people with lenders, creditors, and
service providers who rely on personal identity information. Thieves can
also use stored information from Equifax and use it to open accounts
with creditors that use Experian or TransUnion.  Cybersecurity profes-
sionals criticized Equifax for not improving its security practices
after previous thefts. Critics also argue that Equifax should have
multiple layers of controls. Consumers complained of a 6-week lag
between the discovery of the attack and Equifax's public disclosure.
Equifax discovered the intrusion on July 29th but it first disclosed the
attack publicly on September 7th.

There seems to be a broad sense of uncertainty by experts and lawmakers
as to which rederal xeguiatoi, if any, is charged with the responsipiii-
ty to monitor and do regular supervision on cybersecurity. The Consumer
Financial Protection Bureau has authority to police violations of
consumer protection laws by consumer credit bureaus, but the agency
generally leaves data privacy enforcement to the FederAP Commission.
However, the Trade Commission lacks the authority to impose big fines or
authorize fines for first time violations of certain rules. Neither have
commented on applicable law or jurisdiction. Although federal lawmakers
have promised legislation and public hearings, no clear authority is
forthcoming in short order. Thus, it is time for New York State to lead
on this issue, given the fact that millions of our residents were
exposed in this episode.

TO THIS END, THIS LEGISLATION PROVIDES A CLEAR CONSUMER PROTECTION
MANDATE THAT WILL AGGRESSIVELY PROTECT CONSUMERS BY MANDATING TIMELY
DISCLOSURE OF DATA BEACHES BY CREDIT REPORTING AGENCIES.

 
LEGISLATIVE HISTORY:

S5808 2022

S6880 COMRIE No Same as ON FILE: 01/03/18 General Business Law

 
TITLE:

to notification of a data breach 09/20/17 REFERRED TO RULES 01/03/18
REFERRED TO CONSUMER PROTECTION

 
FISCAL IMPLICATIONS:

None noted for. the state; the design of the legislation could signif-
icant save money for consumers.

 
EFFECTIVE DATE:
This act shall take effect immediately.

2023-S2659 - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                   2659
 
                        2023-2024 Regular Sessions
 
                             I N  S E N A T E
 
                             January 24, 2023
                                ___________
 
 Introduced  by  Sen.  COMRIE -- read twice and ordered printed, and when
   printed to be committed to the Committee on Internet and Technology
 
 AN ACT to amend the general business law, in relation to notification of
   a data breach
 
   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. The opening paragraph of subdivision 2 and subdivision 3 of
 section 899-aa of the general business law, as amended by chapter 117 of
 the laws of 2019, are amended to read as follows:
   Any  person or business which owns or licenses computerized data which
 includes private information shall disclose any breach of  the  security
 of  the  system following discovery or notification of the breach in the
 security of the system to any resident of New York state  whose  private
 information  was,  or  is  reasonably believed to have been, accessed or
 acquired by a person without valid authorization. The  disclosure  shall
 be  made  in  the  most expedient time possible and without unreasonable
 delay, [consistent with] AND SHALL BE MADE WITHIN FIFTEEN DAYS AFTER THE
 BREACH HAS BEEN DISCOVERED, EXCEPT  FOR  the  legitimate  needs  of  law
 enforcement,  as  provided  in subdivision four of this section[, or any
 measures necessary to determine the scope of the breach and restore  the
 integrity of the system].
   3.  Any  person  or  business  which maintains computerized data which
 includes private information which such person or business does not  own
 shall  notify  the owner or licensee of the information of any breach of
 the security of the system immediately AND WITHIN FIFTEEN DAYS following
 discovery, if the private information was, or is reasonably believed  to
 have been, accessed or acquired by a person without valid authorization.
   §  2.  Paragraph (a) of subdivision 8 of section 899-aa of the general
 business law, as amended by chapter 117 of the laws of 2019, is  amended
 to read as follows:

  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD04602-01-3
 S. 2659                             2

 
   (a)  In  the event that any New York residents are to be notified, the
 person or business shall notify the state attorney general, the  depart-
 ment  of  state  and  the division of state police AND THE DEPARTMENT OF
 FINANCIAL SERVICES as to the timing, content  and  distribution  of  the
 notices  and  approximate number of affected persons and shall provide a
 copy of the template of the notice sent to affected persons. Such notice
 shall be made without delaying notice to affected New York residents.
   § 3. This act shall take effect immediately.

2023-S2659A (ACTIVE) - Details

See Assembly Version of this Bill:: A8872
Current Committee:: Senate Internet And Technology
Law Section:: General Business Law
Laws Affected:: Amd §899-aa, Gen Bus L
Versions Introduced in Other Legislative Sessions:: 2017-2018: S6880
2019-2020: S2540
2021-2022: S5808

2023-S2659A (ACTIVE) - Summary

2023-S2659A (ACTIVE) - Sponsor Memo

                                 
BILL NUMBER: S2659A

SPONSOR: COMRIE
 
TITLE OF BILL:

An act to amend the general business law, in relation to notification of
a data breach

 
SUMMARY OF PROVISIONS:

This bill amends existing subdivisions 2 and 3 of section 899-aa of the
general business law to provide that consumer reporting agencies that
experience a data breach must disclose such breach within 15 days.

 
JUSTIFICATION:

On September 7th, 2017, one of three major consumer credit reporting
agencies in the United States-Equifax-reported that hackers gained
access to company data that potentially compromised sensitive informa-
tion for 143 million American consumers - nearly 44% of the U.S. popu-
lation. The breach included: social security numbers, driver's license
numbers, names, addresses and birth dates. Keys that unlock consumers'

medical histories, bank accounts, and employee accounts have also been
compromised. Credit card numbers for 209,000 consumers were stolen, and
documents with personal information used in disputes for 182,000 people
were also stolen.

The attack on Equifax represents one of the largest risks to personally
sensitive information in recent years. This incident is the third major
cybersecurity threat for the agency since 2015. Just last year, identify
thieves successfully hacked critical W-2 tax and salary data from an
Equifax website. Earlier this year, thieves again stole W-2 tax data
from an Equifax subsidiary, TAM which provides online payroll, tax and
human resources services to some of the nation's largest corporations.
According to investigations, criminals gained access to certain files in
the company's system from mid-May to July, 2017 by exploiting a weak
point in website software.

Identity thieves can impersonate people with lenders, creditors, and
service providers who rely on personal identity information. Thieves can
also use stored information from Equifax and use it to open accounts
with creditors that use Experian or TransUnion.  Cybersecurity profes-
sionals criticized Equifax for not improving its security practices
after previous thefts. Critics also argue that Equifax should have
multiple layers of controls. Consumers complained of a 6-week lag
between the discovery of the attack and Equifax's public disclosure.
Equifax discovered the intrusion on July 29th but it first disclosed the
attack publicly on September 7th.

There seems to be a broad sense of uncertainty by experts and lawmakers
as to which federal regulations, if any, is charged with the responsi-
bility to monitor and do regular supervision on cybersecurity. The
Consumer Financial Protection Bureau has authority to police violations
of consumer protection laws by consumer credit bureaus, but the agency
generally leaves data privacy enforcement to the FederAP Commission.
However, the Trade Commission lacks the authority to impose big fines or
authorize fines for first time violations of certain rules. Neither have
commented on applicable law or jurisdiction. Although federal lawmakers
have promised legislation and public hearings, no clear authority is
forthcoming in short order. Thus, it is time for New York State to lead
on this issue, given the fact that millions of our residents were
exposed in this episode.

TO THIS END, THIS LEGISLATION PROVIDES A CLEAR CONSUMER PROTECTION
MANDATE THAT WILL AGGRESSIVELY PROTECT CONSUMERS BY MANDATING TIMELY
DISCLOSURE OF DATA BEACHES BY CREDIT REPORTING AGENCIES.

 
LEGISLATIVE HISTORY:

S5808 2022

S6880 COMRIE No Same as ON FILE: 01/03/18 General Business Law

 
TITLE:

to notification of a data breach 09/20/17 REFERRED TO RULES 01/03/18
REFERRED TO CONSUMER PROTECTION

 
FISCAL IMPLICATIONS:

None noted for. the state; the design of the legislation could signif-
icant save money for consumers.

 
EFFECTIVE DATE:
This act shall take effect immediately.

2023-S2659A (ACTIVE) - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                  2659--A
 
                        2023-2024 Regular Sessions
 
                             I N  S E N A T E
 
                             January 24, 2023
                                ___________
 
 Introduced  by  Sen.  COMRIE -- read twice and ordered printed, and when
   printed to be committed to the Committee on Internet and Technology --
   committee discharged, bill amended, ordered reprinted as  amended  and
   recommitted to said committee
 
 AN ACT to amend the general business law, in relation to notification of
   a data breach

   THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. The opening paragraph of subdivision 2 and subdivision 3 of
 section 899-aa of the general business law, as amended by chapter 117 of
 the laws of 2019, are amended to read as follows:
   Any person or business which owns or licenses computerized data  which
 includes  private  information shall disclose any breach of the security
 of the system following discovery or notification of the breach  in  the
 security  of  the system to any resident of New York state whose private
 information was, or is reasonably believed to  have  been,  accessed  or
 acquired  by  a person without valid authorization. The disclosure shall
 be made in the most expedient time  possible  and  without  unreasonable
 delay, [consistent with] AND SHALL BE MADE WITHIN FIFTEEN DAYS AFTER THE
 BREACH  HAS  BEEN  DISCOVERED,  EXCEPT  FOR  the legitimate needs of law
 enforcement, as provided in subdivision four of this  section[,  or  any
 measures  necessary to determine the scope of the breach and restore the
 integrity of the system].
   3. Any person or business  which  maintains  computerized  data  which
 includes  private information which such person or business does not own
 shall notify the owner or licensee of the information of any  breach  of
 the  security  of the system [immediately] WITHIN FIFTEEN DAYS following
 discovery, if the private information was, or is reasonably believed  to
 have been, accessed or acquired by a person without valid authorization.

  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD04602-02-3
 S. 2659--A                          2

   §  2.  Paragraph (a) of subdivision 8 of section 899-aa of the general
 business law, as amended by chapter 117 of the laws of 2019, is  amended
 to read as follows:
   (a)  In  the event that any New York residents are to be notified, the
 person or business shall notify the state attorney general, the  depart-
 ment  of  state  and  the division of state police AND THE DEPARTMENT OF
 FINANCIAL SERVICES as to the timing, content  and  distribution  of  the
 notices  and  approximate number of affected persons and shall provide a
 copy of the template of the notice sent to affected persons. Such notice
 shall be made without delaying notice to affected New York residents.
   § 3. This act shall take effect immediately.

Comments

Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.

Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.

Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Senate Bill S2659A

Sponsored By

Current Bill Status - In Senate Committee Internet And Technology Committee

Jun 7, 2023 - Floor Vote

Floor Vote: Jun 7, 2023

May 2, 2023 - Internet And Technology Committee Vote

Internet And Technology Committee Vote: May 2, 2023

Bill Amendments

2023-S2659 - Details

2023-S2659 - Summary

2023-S2659 - Sponsor Memo

2023-S2659 - Bill Text download pdf

2023-S2659A (ACTIVE) - Details

2023-S2659A (ACTIVE) - Summary

2023-S2659A (ACTIVE) - Sponsor Memo

2023-S2659A (ACTIVE) - Bill Text download pdf

Comments

Senate Bill S2659A

Share this bill

Sponsored By

Leroy Comrie

Current Bill Status - In Senate Committee Internet And Technology Committee

Bill Amendments

2023-S2659 - Details

2023-S2659 - Summary

2023-S2659 - Sponsor Memo

2023-S2659 - Bill Text download pdf

2023-S2659A (ACTIVE) - Details

2023-S2659A (ACTIVE) - Summary

2023-S2659A (ACTIVE) - Sponsor Memo

2023-S2659A (ACTIVE) - Bill Text download pdf

Comments