Bill Text: NY A05232 | 2017-2018 | General Assembly | Introduced
Bill Title: Relates to the protection of personal information by businesses.
Spectrum: Partisan Bill (Democrat 10-0)
Status: (Introduced - Dead) 2017-02-09 - enacting clause stricken [A05232 Detail]
Download: New_York-2017-A05232-Introduced.html
STATE OF NEW YORK ________________________________________________________________________ 5232 2017-2018 Regular Sessions IN ASSEMBLY February 7, 2017 ___________ Introduced by M. of A. DINOWITZ, GOTTFRIED, GALEF, TITONE, COOK, ABINAN- TI, ENGLEBRIGHT, OTIS, FAHY, COLTON -- read once and referred to the Committee on Consumer Affairs and Protection AN ACT to amend the general business law, in relation to the protection of personal information by businesses The People of the State of New York, represented in Senate and Assem- bly, do enact as follows: 1 Section 1. Section 899-aa of the general business law, as added by 2 chapter 442 of the laws of 2005, paragraph (c) of subdivision 1, para- 3 graph (a) of subdivision 6 and subdivision 8 as amended by chapter 491 4 of the laws of 2005 and paragraph (a) of subdivision 8 as amended by 5 section 6 of part N of chapter 55 of the laws of 2013, is amended to 6 read as follows: 7 § 899-aa. Safeguarding personal information; [Notification;] notifica- 8 tion, person without valid authorization has acquired private informa- 9 tion. 1. As used in this section, the following terms shall have the 10 following meanings: 11 (a) "Personal information" shall mean any information concerning a 12 natural person which, because of name, number, personal mark, or other 13 identifier, can be used to identify such natural person; 14 (b) "Private information" shall mean personal information consisting 15 of any information in combination with any one or more of the following 16 data elements, when either the personal information or the data element 17 is not encrypted, or encrypted with an encryption key that has also been 18 acquired: 19 (1) social security number; 20 (2) driver's license number or non-driver identification card number; 21 or 22 (3) account number, credit or debit card number, in combination with 23 any required security code, access code, or password that would permit 24 access to an individual's financial account; EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted. LBD03435-01-7A. 5232 2 1 "Private information" does not include publicly available information 2 which is lawfully made available to the general public from federal, 3 state, or local government records. 4 (c) "Breach of the security of the system" shall mean unauthorized 5 acquisition or acquisition without valid authorization of computerized 6 data that compromises the security, confidentiality, or integrity of 7 personal information maintained by a business. Good faith acquisition of 8 personal information by an employee or agent of the business for the 9 purposes of the business is not a breach of the security of the system, 10 provided that the private information is not used or subject to unau- 11 thorized disclosure. 12 In determining whether information has been acquired, or is reasonably 13 believed to have been acquired, by an unauthorized person or a person 14 without valid authorization, such business may consider the following 15 factors, among others: 16 (1) indications that the information is in the physical possession and 17 control of an unauthorized person, such as a lost or stolen computer or 18 other device containing information; or 19 (2) indications that the information has been downloaded or copied; or 20 (3) indications that the information was used by an unauthorized 21 person, such as fraudulent accounts opened or instances of identity 22 theft reported. 23 (d) "Consumer reporting agency" shall mean any person which, for mone- 24 tary fees, dues, or on a cooperative nonprofit basis, regularly engages 25 in whole or in part in the practice of assembling or evaluating consumer 26 credit information or other information on consumers for the purpose of 27 furnishing consumer reports to third parties, and which uses any means 28 or facility of interstate commerce for the purpose of preparing or 29 furnishing consumer reports. A list of consumer reporting agencies shall 30 be compiled by the state attorney general and furnished upon request to 31 any person or business required to make a notification under subdivision 32 two of this section. 33 2. Any person or business which conducts business in New York state, 34 and which owns or licenses computerized data which includes private 35 information shall: 36 (a) develop, implement, and maintain a comprehensive information secu- 37 rity program which must be consistent with the safeguards for protection 38 of personal information and information of a similar character set forth 39 in any state or federal laws or regulations by which the person who owns 40 or licenses such information may be regulated, and that is written in 41 one or more readily accessible parts and contains administrative, tech- 42 nical, and physical safeguards that are appropriate to: 43 (1) the size, scope, and type of business of the person obligated to 44 safeguard the personal information under such comprehensive information 45 security program; 46 (2) the amount of resources available to such person or business; 47 (3) the amount of stored data; and 48 (4) the need for security and confidentiality of information of 49 customers and employees of the business. 50 (b) disclose any breach of the security of the system following 51 discovery or notification of the breach in the security of the system to 52 any resident of New York state whose private information was, or is 53 reasonably believed to have been, acquired by a person without valid 54 authorization. The disclosure shall be made in the most expedient time 55 possible and without unreasonable delay, consistent with the legitimate 56 needs of law enforcement, as provided in subdivision [four] five of thisA. 5232 3 1 section, or any measures necessary to determine the scope of the breach 2 and restore the reasonable integrity of the system. 3 3. Without limiting the generality of the foregoing, every comprehen- 4 sive information security program pursuant to paragraph (a) of subdivi- 5 sion two of this section shall include, but not be limited to: 6 (a) designating one or more employees to maintain the comprehensive 7 information security program; 8 (b) identifying and assessing reasonably foreseeable internal and 9 external risks to the security, confidentiality, and/or integrity of any 10 electronic, paper, or other records containing personal information, and 11 evaluating and improving, where necessary, the current safeguards for 12 limiting such risks, including, but not limited to: 13 (1) providing ongoing employee training; 14 (2) monitoring employee compliance with policies and procedures; and 15 (3) identifying means for detecting and preventing security system 16 failures. 17 (c) developing security policies for employees relating to the stor- 18 age, access, and transportation of records containing personal informa- 19 tion outside of business premises; 20 (d) imposing disciplinary measures for violations of the comprehensive 21 information security program rules; 22 (e) preventing terminated or former employees from accessing records 23 containing personal information; 24 (f) overseeing third-party service providers by: 25 (1) taking reasonable steps to select and retain third-party service 26 providers that are capable of maintaining appropriate security measures 27 to protect such personal information consistent with these provisions 28 and any applicable federal laws or regulations; and 29 (2) requiring such third-party service providers by contract to imple- 30 ment and maintain such appropriate security measures for personal infor- 31 mation; provided, however, that until October first, two thousand eigh- 32 teen, a contract a person or business has entered into with a 33 third-party service provider to perform services for or functions on 34 behalf of such person or business satisfies the provisions of this 35 subparagraph even if the contract a person or business has entered into 36 with a third-party service provider does not include a requirement that 37 the third-party service provider maintains such appropriate safeguards, 38 as long as said person or business entered into the contract no later 39 than October first, two thousand sixteen. 40 (g) placing reasonable restrictions upon physical access to records 41 containing personal information, and storage of such records and data in 42 locked facilities, storage areas, or containers; 43 (h) ensuring that the comprehensive information security program is 44 separating in a manner reasonably calculated to prevent unauthorized 45 access to or unauthorized use of personal information, and upgrading 46 information safeguards as necessary to limit risks; 47 (i) reviewing the scope of the security measures at least annually or 48 whenever there is a material change in business practices that may 49 reasonably jeopardize the security or integrity of records containing 50 personal information; and 51 (j) documenting responsive actions taken in connection with any inci- 52 dent involving a breach of security, and mandatory post-incident review 53 of events and actions taken, if any, to make changes in business prac- 54 tices relating to protection of personal information.A. 5232 4 1 [3.]4. Any person or business which maintains computerized data which 2 includes private information which such person or business does not own 3 shall: 4 (a) include in its written, comprehensive information security program 5 the establishment and maintenance of a security system covering its 6 computers, including any wireless system, that, at a minimum, and to the 7 extent technically feasible, include the following elements: 8 (1) secure user authentication protocols including: 9 (i) control of user identifications and other identifiers; 10 (ii) a reasonably secure method of assigning and selecting passwords, 11 or use of unique identifier technologies, such as biometrics or token 12 devices; 13 (iii) control of data security passwords to ensure that such passwords 14 are kept in a location and/or format that does not compromise the secu- 15 rity of the data they protect; 16 (iv) restricting access to active users and active user accounts only; 17 and 18 (v) blocking access to user identification after multiple unsuccessful 19 attempts to gain access or the limitation placed on access for the 20 particular system; 21 (2) secure access control measures that: 22 (i) restrict access to records and files containing personal informa- 23 tion to those who need such information to perform their job duties; and 24 (ii) assign unique identifications plus passwords, which are not 25 vendor-supplied default passwords, to each person with computer access 26 that are reasonably designed to maintain the integrity of the security 27 of the access controls; 28 (3) encryption of all transmitted records and files containing 29 personal information that will travel across public networks, and 30 encryption of all data containing personal information to be transmitted 31 wirelessly; 32 (4) reasonable monitoring of systems for unauthorized use of or access 33 to personal information; 34 (5) encryption of all personal information stored on laptops or other 35 portable devices; 36 (6) for files containing personal information on a system that is 37 connected to the internet, firewall protection and operating system 38 security patches reasonably designed to maintain the integrity of the 39 personal information; 40 (7) system security agent software which must include malware 41 protection and virus definitions, or a version of such software that can 42 still be supported with up-to-date patches and virus definitions, and is 43 set to receive the most current security updates on a regular basis; and 44 (8) education and training of employees on the proper use of the 45 computer security system and the importance of personal information 46 security. 47 (b) notify the owner or licensee of the information of any breach of 48 the security of the system immediately following discovery, if the 49 private information was, or is reasonably believed to have been, 50 acquired by a person without valid authorization. 51 [4.] 5. The notification required by this section may be delayed if a 52 law enforcement agency determines that such notification impedes a crim- 53 inal investigation. The notification required by this section shall be 54 made after such law enforcement agency determines that such notification 55 does not compromise such investigation.A. 5232 5 1 [5.] 6. The notice required by this section shall be directly provided 2 to the affected persons by one of the following methods: 3 (a) written notice; 4 (b) electronic notice, provided that the person to whom notice is 5 required has expressly consented to receiving said notice in electronic 6 form and a log of each such notification is kept by the person or busi- 7 ness who notifies affected persons in such form; provided further, 8 however, that in no case shall any person or business require a person 9 to consent to accepting said notice in said form as a condition of 10 establishing any business relationship or engaging in any transaction. 11 (c) telephone notification provided that a log of each such notifica- 12 tion is kept by the person or business who notifies affected persons; or 13 (d) Substitute notice, if a business demonstrates to the state attor- 14 ney general that the cost of providing notice would exceed two hundred 15 fifty thousand dollars, or that the affected class of subject persons to 16 be notified exceeds five hundred thousand, or such business does not 17 have sufficient contact information. Substitute notice shall consist of 18 all of the following: 19 (1) e-mail notice when such business has an e-mail address for the 20 subject persons; 21 (2) conspicuous posting of the notice on such business's web site 22 page, if such business maintains one; and 23 (3) notification to major statewide media. 24 [6.] 7. (a) whenever the attorney general shall believe from evidence 25 satisfactory to him that there is a violation of this article he may 26 bring an action in the name and on behalf of the people of the state of 27 New York, in a court of justice having jurisdiction to issue an injunc- 28 tion, to enjoin and restrain the continuation of such violation. In 29 such action, preliminary relief may be granted under article sixty-three 30 of the civil practice law and rules. In such action the court may award 31 damages for actual costs or losses incurred by a person entitled to 32 notice pursuant to this article, if notification was not provided to 33 such person pursuant to this article, including consequential financial 34 losses. Whenever the court shall determine in such action that a person 35 or business violated this article knowingly or recklessly, the court may 36 impose a civil penalty of the greater of five thousand dollars or up to 37 ten dollars per instance of failed notification, provided that the 38 latter amount shall not exceed one hundred fifty thousand dollars. 39 (b) the remedies provided by this section shall be in addition to any 40 other lawful remedy available. 41 (c) no action may be brought under the provisions of this section 42 unless such action is commenced within two years immediately after the 43 date of the act complained of or the date of discovery of such act. 44 [7.] 8. Regardless of the method by which notice is provided, such 45 notice shall include contact information for the person or business 46 making the notification and a description of the categories of informa- 47 tion that were, or are reasonably believed to have been, acquired by a 48 person without valid authorization, including specification of which of 49 the elements of personal information and private information were, or 50 are reasonably believed to have been, so acquired. 51 [8.] 9. (a) In the event that any New York residents are to be noti- 52 fied, the person or business shall notify the state attorney general, 53 the department of state and the division of state police as to the 54 timing, content and distribution of the notices and approximate number 55 of affected persons. Such notice shall be made without delaying notice 56 to affected New York residents.A. 5232 6 1 (b) In the event that more than five thousand New York residents are 2 to be notified at one time, the person or business shall also notify 3 consumer reporting agencies as to the timing, content and distribution 4 of the notices and approximate number of affected persons. Such notice 5 shall be made without delaying notice to affected New York residents. 6 [9.] 10. The provisions of this section shall be exclusive and shall 7 preempt any provisions of local law, ordinance or code, and no locality 8 shall impose requirements that are inconsistent with or more restrictive 9 than those set forth in this section. 10 § 2. This act shall take effect immediately; provided, however, that 11 the provisions of this act shall apply to any person or business who 12 owns or licenses personal information about a resident of New York with- 13 in eighteen months after such effective date, provided, further, that 14 any person or business may come into compliance before such effective 15 date.
