Bill Text: NY A05232 | 2017-2018 | General Assembly | Introduced


Bill Title: Relates to the protection of personal information by businesses.

Spectrum: Partisan Bill (Democrat 10-0)

Status: (Introduced - Dead) 2017-02-09 - enacting clause stricken [A05232 Detail]

Download: New_York-2017-A05232-Introduced.html


                STATE OF NEW YORK
        ________________________________________________________________________
                                          5232
                               2017-2018 Regular Sessions
                   IN ASSEMBLY
                                    February 7, 2017
                                       ___________
        Introduced by M. of A. DINOWITZ, GOTTFRIED, GALEF, TITONE, COOK, ABINAN-
          TI,  ENGLEBRIGHT,  OTIS, FAHY, COLTON -- read once and referred to the
          Committee on Consumer Affairs and Protection
        AN ACT to amend the general business law, in relation to the  protection
          of personal information by businesses
          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:
     1    Section 1. Section 899-aa of the general business  law,  as  added  by
     2  chapter  442  of the laws of 2005, paragraph (c) of subdivision 1, para-
     3  graph (a) of subdivision 6 and subdivision 8 as amended by  chapter  491
     4  of  the  laws  of  2005 and paragraph (a) of subdivision 8 as amended by
     5  section 6 of part N of chapter 55 of the laws of  2013,  is  amended  to
     6  read as follows:
     7    § 899-aa. Safeguarding personal information; [Notification;] notifica-
     8  tion,  person  without valid authorization has acquired private informa-
     9  tion.  1. As used in this section, the following terms  shall  have  the
    10  following meanings:
    11    (a)  "Personal  information"  shall  mean any information concerning a
    12  natural person which, because of name, number, personal mark,  or  other
    13  identifier, can be used to identify such natural person;
    14    (b)  "Private  information" shall mean personal information consisting
    15  of any information in combination with any one or more of the  following
    16  data  elements, when either the personal information or the data element
    17  is not encrypted, or encrypted with an encryption key that has also been
    18  acquired:
    19    (1) social security number;
    20    (2) driver's license number or non-driver identification card  number;
    21  or
    22    (3)  account  number, credit or debit card number, in combination with
    23  any required security code, access code, or password that  would  permit
    24  access to an individual's financial account;
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD03435-01-7

        A. 5232                             2
     1    "Private  information" does not include publicly available information
     2  which is lawfully made available to the  general  public  from  federal,
     3  state, or local government records.
     4    (c)  "Breach  of  the  security of the system" shall mean unauthorized
     5  acquisition or acquisition without valid authorization  of  computerized
     6  data  that  compromises  the  security, confidentiality, or integrity of
     7  personal information maintained by a business. Good faith acquisition of
     8  personal information by an employee or agent of  the  business  for  the
     9  purposes  of the business is not a breach of the security of the system,
    10  provided that the private information is not used or  subject  to  unau-
    11  thorized disclosure.
    12    In determining whether information has been acquired, or is reasonably
    13  believed  to  have  been acquired, by an unauthorized person or a person
    14  without valid authorization, such business may  consider  the  following
    15  factors, among others:
    16    (1) indications that the information is in the physical possession and
    17  control  of an unauthorized person, such as a lost or stolen computer or
    18  other device containing information; or
    19    (2) indications that the information has been downloaded or copied; or
    20    (3) indications that the  information  was  used  by  an  unauthorized
    21  person,  such  as  fraudulent  accounts  opened or instances of identity
    22  theft reported.
    23    (d) "Consumer reporting agency" shall mean any person which, for mone-
    24  tary fees, dues, or on a cooperative nonprofit basis, regularly  engages
    25  in whole or in part in the practice of assembling or evaluating consumer
    26  credit  information or other information on consumers for the purpose of
    27  furnishing consumer reports to third parties, and which uses  any  means
    28  or  facility  of  interstate  commerce  for  the purpose of preparing or
    29  furnishing consumer reports. A list of consumer reporting agencies shall
    30  be compiled by the state attorney general and furnished upon request  to
    31  any person or business required to make a notification under subdivision
    32  two of this section.
    33    2.  Any  person or business which conducts business in New York state,
    34  and which owns or licenses  computerized  data  which  includes  private
    35  information shall:
    36    (a) develop, implement, and maintain a comprehensive information secu-
    37  rity program which must be consistent with the safeguards for protection
    38  of personal information and information of a similar character set forth
    39  in any state or federal laws or regulations by which the person who owns
    40  or  licenses  such  information may be regulated, and that is written in
    41  one or more readily accessible parts and contains administrative,  tech-
    42  nical, and physical safeguards that are appropriate to:
    43    (1)  the  size, scope, and type of business of the person obligated to
    44  safeguard the personal information under such comprehensive  information
    45  security program;
    46    (2) the amount of resources available to such person or business;
    47    (3) the amount of stored data; and
    48    (4)  the  need  for  security  and  confidentiality  of information of
    49  customers and employees of the business.
    50    (b) disclose any breach  of  the  security  of  the  system  following
    51  discovery or notification of the breach in the security of the system to
    52  any  resident  of  New  York  state whose private information was, or is
    53  reasonably believed to have been, acquired by  a  person  without  valid
    54  authorization.  The  disclosure shall be made in the most expedient time
    55  possible and without unreasonable delay, consistent with the  legitimate
    56  needs of law enforcement, as provided in subdivision [four] five of this

        A. 5232                             3
     1  section,  or any measures necessary to determine the scope of the breach
     2  and restore the reasonable integrity of the system.
     3    3.  Without limiting the generality of the foregoing, every comprehen-
     4  sive information security program pursuant to paragraph (a) of  subdivi-
     5  sion two of this section shall include, but not be limited to:
     6    (a)  designating  one  or more employees to maintain the comprehensive
     7  information security program;
     8    (b) identifying and  assessing  reasonably  foreseeable  internal  and
     9  external risks to the security, confidentiality, and/or integrity of any
    10  electronic, paper, or other records containing personal information, and
    11  evaluating  and  improving,  where necessary, the current safeguards for
    12  limiting such risks, including, but not limited to:
    13    (1) providing ongoing employee training;
    14    (2) monitoring employee compliance with policies and procedures; and
    15    (3) identifying means for detecting  and  preventing  security  system
    16  failures.
    17    (c)  developing  security policies for employees relating to the stor-
    18  age, access, and transportation of records containing personal  informa-
    19  tion outside of business premises;
    20    (d) imposing disciplinary measures for violations of the comprehensive
    21  information security program rules;
    22    (e)  preventing  terminated or former employees from accessing records
    23  containing personal information;
    24    (f) overseeing third-party service providers by:
    25    (1) taking reasonable steps to select and retain  third-party  service
    26  providers  that are capable of maintaining appropriate security measures
    27  to protect such personal information consistent  with  these  provisions
    28  and any applicable federal laws or regulations; and
    29    (2) requiring such third-party service providers by contract to imple-
    30  ment and maintain such appropriate security measures for personal infor-
    31  mation;  provided, however, that until October first, two thousand eigh-
    32  teen,  a  contract  a  person  or  business  has  entered  into  with  a
    33  third-party  service  provider  to  perform services for or functions on
    34  behalf of such person or  business  satisfies  the  provisions  of  this
    35  subparagraph  even if the contract a person or business has entered into
    36  with a third-party service provider does not include a requirement  that
    37  the  third-party service provider maintains such appropriate safeguards,
    38  as long as said person or business entered into the  contract  no  later
    39  than October first, two thousand sixteen.
    40    (g)  placing  reasonable  restrictions upon physical access to records
    41  containing personal information, and storage of such records and data in
    42  locked facilities, storage areas, or containers;
    43    (h) ensuring that the comprehensive information  security  program  is
    44  separating  in  a  manner  reasonably calculated to prevent unauthorized
    45  access to or unauthorized use of  personal  information,  and  upgrading
    46  information safeguards as necessary to limit risks;
    47    (i)  reviewing the scope of the security measures at least annually or
    48  whenever there is a material  change  in  business  practices  that  may
    49  reasonably  jeopardize  the  security or integrity of records containing
    50  personal information; and
    51    (j) documenting responsive actions taken in connection with any  inci-
    52  dent  involving a breach of security, and mandatory post-incident review
    53  of events and actions taken, if any, to make changes in  business  prac-
    54  tices relating to protection of personal information.

        A. 5232                             4
     1    [3.]4.  Any person or business which maintains computerized data which
     2  includes private information which such person or business does not  own
     3  shall:
     4    (a) include in its written, comprehensive information security program
     5  the  establishment  and  maintenance  of  a security system covering its
     6  computers, including any wireless system, that, at a minimum, and to the
     7  extent technically feasible, include the following elements:
     8    (1) secure user authentication protocols including:
     9    (i) control of user identifications and other identifiers;
    10    (ii) a reasonably secure method of assigning and selecting  passwords,
    11  or  use  of  unique identifier technologies, such as biometrics or token
    12  devices;
    13    (iii) control of data security passwords to ensure that such passwords
    14  are kept in a location and/or format that does not compromise the  secu-
    15  rity of the data they protect;
    16    (iv) restricting access to active users and active user accounts only;
    17  and
    18    (v) blocking access to user identification after multiple unsuccessful
    19  attempts  to  gain  access  or  the  limitation placed on access for the
    20  particular system;
    21    (2) secure access control measures that:
    22    (i) restrict access to records and files containing personal  informa-
    23  tion to those who need such information to perform their job duties; and
    24    (ii)  assign  unique  identifications  plus  passwords,  which are not
    25  vendor-supplied default passwords, to each person with  computer  access
    26  that  are  reasonably designed to maintain the integrity of the security
    27  of the access controls;
    28    (3)  encryption  of  all  transmitted  records  and  files  containing
    29  personal  information  that  will  travel  across  public  networks, and
    30  encryption of all data containing personal information to be transmitted
    31  wirelessly;
    32    (4) reasonable monitoring of systems for unauthorized use of or access
    33  to personal information;
    34    (5) encryption of all personal information stored on laptops or  other
    35  portable devices;
    36    (6)  for  files  containing  personal  information on a system that is
    37  connected to the internet,  firewall  protection  and  operating  system
    38  security  patches  reasonably  designed to maintain the integrity of the
    39  personal information;
    40    (7)  system  security  agent  software  which  must  include   malware
    41  protection and virus definitions, or a version of such software that can
    42  still be supported with up-to-date patches and virus definitions, and is
    43  set to receive the most current security updates on a regular basis; and
    44    (8)  education  and  training  of  employees  on the proper use of the
    45  computer security system and  the  importance  of  personal  information
    46  security.
    47    (b)  notify  the owner or licensee of the information of any breach of
    48  the security of the  system  immediately  following  discovery,  if  the
    49  private  information  was,  or  is  reasonably  believed  to  have been,
    50  acquired by a person without valid authorization.
    51    [4.] 5. The notification required by this section may be delayed if  a
    52  law enforcement agency determines that such notification impedes a crim-
    53  inal  investigation.  The notification required by this section shall be
    54  made after such law enforcement agency determines that such notification
    55  does not compromise such investigation.

        A. 5232                             5
     1    [5.] 6. The notice required by this section shall be directly provided
     2  to the affected persons by one of the following methods:
     3    (a) written notice;
     4    (b)  electronic  notice,  provided  that  the person to whom notice is
     5  required has expressly consented to receiving said notice in  electronic
     6  form  and a log of each such notification is kept by the person or busi-
     7  ness who notifies affected  persons  in  such  form;  provided  further,
     8  however,  that  in no case shall any person or business require a person
     9  to consent to accepting said notice in  said  form  as  a  condition  of
    10  establishing any business relationship or engaging in any transaction.
    11    (c)  telephone notification provided that a log of each such notifica-
    12  tion is kept by the person or business who notifies affected persons; or
    13    (d) Substitute notice, if a business demonstrates to the state  attor-
    14  ney  general  that the cost of providing notice would exceed two hundred
    15  fifty thousand dollars, or that the affected class of subject persons to
    16  be notified exceeds five hundred thousand, or  such  business  does  not
    17  have  sufficient contact information. Substitute notice shall consist of
    18  all of the following:
    19    (1) e-mail notice when such business has an  e-mail  address  for  the
    20  subject persons;
    21    (2)  conspicuous  posting  of  the  notice on such business's web site
    22  page, if such business maintains one; and
    23    (3) notification to major statewide media.
    24    [6.] 7. (a) whenever the attorney general shall believe from  evidence
    25  satisfactory  to  him  that  there is a violation of this article he may
    26  bring an action in the name and on behalf of the people of the state  of
    27  New  York, in a court of justice having jurisdiction to issue an injunc-
    28  tion, to enjoin and restrain the continuation of  such  violation.    In
    29  such action, preliminary relief may be granted under article sixty-three
    30  of  the civil practice law and rules. In such action the court may award
    31  damages for actual costs or losses incurred  by  a  person  entitled  to
    32  notice  pursuant  to  this  article, if notification was not provided to
    33  such person pursuant to this article, including consequential  financial
    34  losses.  Whenever the court shall determine in such action that a person
    35  or business violated this article knowingly or recklessly, the court may
    36  impose a civil penalty of the greater of five thousand dollars or up  to
    37  ten  dollars  per  instance  of  failed  notification, provided that the
    38  latter amount shall not exceed one hundred fifty thousand dollars.
    39    (b) the remedies provided by this section shall be in addition to  any
    40  other lawful remedy available.
    41    (c)  no  action  may  be  brought under the provisions of this section
    42  unless such action is commenced within two years immediately  after  the
    43  date of the act complained of or the date of discovery of such act.
    44    [7.]  8.  Regardless  of  the method by which notice is provided, such
    45  notice shall include contact information  for  the  person  or  business
    46  making  the notification and a description of the categories of informa-
    47  tion that were, or are reasonably believed to have been, acquired  by  a
    48  person  without valid authorization, including specification of which of
    49  the elements of personal information and private  information  were,  or
    50  are reasonably believed to have been, so acquired.
    51    [8.]  9.  (a) In the event that any New York residents are to be noti-
    52  fied, the person or business shall notify the  state  attorney  general,
    53  the  department  of  state  and  the  division of state police as to the
    54  timing, content and distribution of the notices and  approximate  number
    55  of  affected  persons. Such notice shall be made without delaying notice
    56  to affected New York residents.

        A. 5232                             6
     1    (b) In the event that more than five thousand New York  residents  are
     2  to  be  notified  at  one time, the person or business shall also notify
     3  consumer reporting agencies as to the timing, content  and  distribution
     4  of  the  notices and approximate number of affected persons. Such notice
     5  shall be made without delaying notice to affected New York residents.
     6    [9.]  10.  The provisions of this section shall be exclusive and shall
     7  preempt any provisions of local law, ordinance or code, and no  locality
     8  shall impose requirements that are inconsistent with or more restrictive
     9  than those set forth in this section.
    10    §  2.  This act shall take effect immediately; provided, however, that
    11  the provisions of this act shall apply to any  person  or  business  who
    12  owns or licenses personal information about a resident of New York with-
    13  in  eighteen  months  after such effective date, provided, further, that
    14  any person or business may come into compliance  before  such  effective
    15  date.
feedback