STATE OF NEW YORK
________________________________________________________________________
5232
2017-2018 Regular Sessions
IN ASSEMBLY
February 7, 2017
___________
Introduced by M. of A. DINOWITZ, GOTTFRIED, GALEF, TITONE, COOK, ABINAN-
TI, ENGLEBRIGHT, OTIS, FAHY, COLTON -- read once and referred to the
Committee on Consumer Affairs and Protection
AN ACT to amend the general business law, in relation to the protection
of personal information by businesses
The People of the State of New York, represented in Senate and Assem-
bly, do enact as follows:
1 Section 1. Section 899-aa of the general business law, as added by
2 chapter 442 of the laws of 2005, paragraph (c) of subdivision 1, para-
3 graph (a) of subdivision 6 and subdivision 8 as amended by chapter 491
4 of the laws of 2005 and paragraph (a) of subdivision 8 as amended by
5 section 6 of part N of chapter 55 of the laws of 2013, is amended to
6 read as follows:
7 § 899-aa. Safeguarding personal information; [Notification;] notifica-
8 tion, person without valid authorization has acquired private informa-
9 tion. 1. As used in this section, the following terms shall have the
10 following meanings:
11 (a) "Personal information" shall mean any information concerning a
12 natural person which, because of name, number, personal mark, or other
13 identifier, can be used to identify such natural person;
14 (b) "Private information" shall mean personal information consisting
15 of any information in combination with any one or more of the following
16 data elements, when either the personal information or the data element
17 is not encrypted, or encrypted with an encryption key that has also been
18 acquired:
19 (1) social security number;
20 (2) driver's license number or non-driver identification card number;
21 or
22 (3) account number, credit or debit card number, in combination with
23 any required security code, access code, or password that would permit
24 access to an individual's financial account;
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD03435-01-7
A. 5232 2
1 "Private information" does not include publicly available information
2 which is lawfully made available to the general public from federal,
3 state, or local government records.
4 (c) "Breach of the security of the system" shall mean unauthorized
5 acquisition or acquisition without valid authorization of computerized
6 data that compromises the security, confidentiality, or integrity of
7 personal information maintained by a business. Good faith acquisition of
8 personal information by an employee or agent of the business for the
9 purposes of the business is not a breach of the security of the system,
10 provided that the private information is not used or subject to unau-
11 thorized disclosure.
12 In determining whether information has been acquired, or is reasonably
13 believed to have been acquired, by an unauthorized person or a person
14 without valid authorization, such business may consider the following
15 factors, among others:
16 (1) indications that the information is in the physical possession and
17 control of an unauthorized person, such as a lost or stolen computer or
18 other device containing information; or
19 (2) indications that the information has been downloaded or copied; or
20 (3) indications that the information was used by an unauthorized
21 person, such as fraudulent accounts opened or instances of identity
22 theft reported.
23 (d) "Consumer reporting agency" shall mean any person which, for mone-
24 tary fees, dues, or on a cooperative nonprofit basis, regularly engages
25 in whole or in part in the practice of assembling or evaluating consumer
26 credit information or other information on consumers for the purpose of
27 furnishing consumer reports to third parties, and which uses any means
28 or facility of interstate commerce for the purpose of preparing or
29 furnishing consumer reports. A list of consumer reporting agencies shall
30 be compiled by the state attorney general and furnished upon request to
31 any person or business required to make a notification under subdivision
32 two of this section.
33 2. Any person or business which conducts business in New York state,
34 and which owns or licenses computerized data which includes private
35 information shall:
36 (a) develop, implement, and maintain a comprehensive information secu-
37 rity program which must be consistent with the safeguards for protection
38 of personal information and information of a similar character set forth
39 in any state or federal laws or regulations by which the person who owns
40 or licenses such information may be regulated, and that is written in
41 one or more readily accessible parts and contains administrative, tech-
42 nical, and physical safeguards that are appropriate to:
43 (1) the size, scope, and type of business of the person obligated to
44 safeguard the personal information under such comprehensive information
45 security program;
46 (2) the amount of resources available to such person or business;
47 (3) the amount of stored data; and
48 (4) the need for security and confidentiality of information of
49 customers and employees of the business.
50 (b) disclose any breach of the security of the system following
51 discovery or notification of the breach in the security of the system to
52 any resident of New York state whose private information was, or is
53 reasonably believed to have been, acquired by a person without valid
54 authorization. The disclosure shall be made in the most expedient time
55 possible and without unreasonable delay, consistent with the legitimate
56 needs of law enforcement, as provided in subdivision [four] five of this
A. 5232 3
1 section, or any measures necessary to determine the scope of the breach
2 and restore the reasonable integrity of the system.
3 3. Without limiting the generality of the foregoing, every comprehen-
4 sive information security program pursuant to paragraph (a) of subdivi-
5 sion two of this section shall include, but not be limited to:
6 (a) designating one or more employees to maintain the comprehensive
7 information security program;
8 (b) identifying and assessing reasonably foreseeable internal and
9 external risks to the security, confidentiality, and/or integrity of any
10 electronic, paper, or other records containing personal information, and
11 evaluating and improving, where necessary, the current safeguards for
12 limiting such risks, including, but not limited to:
13 (1) providing ongoing employee training;
14 (2) monitoring employee compliance with policies and procedures; and
15 (3) identifying means for detecting and preventing security system
16 failures.
17 (c) developing security policies for employees relating to the stor-
18 age, access, and transportation of records containing personal informa-
19 tion outside of business premises;
20 (d) imposing disciplinary measures for violations of the comprehensive
21 information security program rules;
22 (e) preventing terminated or former employees from accessing records
23 containing personal information;
24 (f) overseeing third-party service providers by:
25 (1) taking reasonable steps to select and retain third-party service
26 providers that are capable of maintaining appropriate security measures
27 to protect such personal information consistent with these provisions
28 and any applicable federal laws or regulations; and
29 (2) requiring such third-party service providers by contract to imple-
30 ment and maintain such appropriate security measures for personal infor-
31 mation; provided, however, that until October first, two thousand eigh-
32 teen, a contract a person or business has entered into with a
33 third-party service provider to perform services for or functions on
34 behalf of such person or business satisfies the provisions of this
35 subparagraph even if the contract a person or business has entered into
36 with a third-party service provider does not include a requirement that
37 the third-party service provider maintains such appropriate safeguards,
38 as long as said person or business entered into the contract no later
39 than October first, two thousand sixteen.
40 (g) placing reasonable restrictions upon physical access to records
41 containing personal information, and storage of such records and data in
42 locked facilities, storage areas, or containers;
43 (h) ensuring that the comprehensive information security program is
44 separating in a manner reasonably calculated to prevent unauthorized
45 access to or unauthorized use of personal information, and upgrading
46 information safeguards as necessary to limit risks;
47 (i) reviewing the scope of the security measures at least annually or
48 whenever there is a material change in business practices that may
49 reasonably jeopardize the security or integrity of records containing
50 personal information; and
51 (j) documenting responsive actions taken in connection with any inci-
52 dent involving a breach of security, and mandatory post-incident review
53 of events and actions taken, if any, to make changes in business prac-
54 tices relating to protection of personal information.
A. 5232 4
1 [3.]4. Any person or business which maintains computerized data which
2 includes private information which such person or business does not own
3 shall:
4 (a) include in its written, comprehensive information security program
5 the establishment and maintenance of a security system covering its
6 computers, including any wireless system, that, at a minimum, and to the
7 extent technically feasible, include the following elements:
8 (1) secure user authentication protocols including:
9 (i) control of user identifications and other identifiers;
10 (ii) a reasonably secure method of assigning and selecting passwords,
11 or use of unique identifier technologies, such as biometrics or token
12 devices;
13 (iii) control of data security passwords to ensure that such passwords
14 are kept in a location and/or format that does not compromise the secu-
15 rity of the data they protect;
16 (iv) restricting access to active users and active user accounts only;
17 and
18 (v) blocking access to user identification after multiple unsuccessful
19 attempts to gain access or the limitation placed on access for the
20 particular system;
21 (2) secure access control measures that:
22 (i) restrict access to records and files containing personal informa-
23 tion to those who need such information to perform their job duties; and
24 (ii) assign unique identifications plus passwords, which are not
25 vendor-supplied default passwords, to each person with computer access
26 that are reasonably designed to maintain the integrity of the security
27 of the access controls;
28 (3) encryption of all transmitted records and files containing
29 personal information that will travel across public networks, and
30 encryption of all data containing personal information to be transmitted
31 wirelessly;
32 (4) reasonable monitoring of systems for unauthorized use of or access
33 to personal information;
34 (5) encryption of all personal information stored on laptops or other
35 portable devices;
36 (6) for files containing personal information on a system that is
37 connected to the internet, firewall protection and operating system
38 security patches reasonably designed to maintain the integrity of the
39 personal information;
40 (7) system security agent software which must include malware
41 protection and virus definitions, or a version of such software that can
42 still be supported with up-to-date patches and virus definitions, and is
43 set to receive the most current security updates on a regular basis; and
44 (8) education and training of employees on the proper use of the
45 computer security system and the importance of personal information
46 security.
47 (b) notify the owner or licensee of the information of any breach of
48 the security of the system immediately following discovery, if the
49 private information was, or is reasonably believed to have been,
50 acquired by a person without valid authorization.
51 [4.] 5. The notification required by this section may be delayed if a
52 law enforcement agency determines that such notification impedes a crim-
53 inal investigation. The notification required by this section shall be
54 made after such law enforcement agency determines that such notification
55 does not compromise such investigation.
A. 5232 5
1 [5.] 6. The notice required by this section shall be directly provided
2 to the affected persons by one of the following methods:
3 (a) written notice;
4 (b) electronic notice, provided that the person to whom notice is
5 required has expressly consented to receiving said notice in electronic
6 form and a log of each such notification is kept by the person or busi-
7 ness who notifies affected persons in such form; provided further,
8 however, that in no case shall any person or business require a person
9 to consent to accepting said notice in said form as a condition of
10 establishing any business relationship or engaging in any transaction.
11 (c) telephone notification provided that a log of each such notifica-
12 tion is kept by the person or business who notifies affected persons; or
13 (d) Substitute notice, if a business demonstrates to the state attor-
14 ney general that the cost of providing notice would exceed two hundred
15 fifty thousand dollars, or that the affected class of subject persons to
16 be notified exceeds five hundred thousand, or such business does not
17 have sufficient contact information. Substitute notice shall consist of
18 all of the following:
19 (1) e-mail notice when such business has an e-mail address for the
20 subject persons;
21 (2) conspicuous posting of the notice on such business's web site
22 page, if such business maintains one; and
23 (3) notification to major statewide media.
24 [6.] 7. (a) whenever the attorney general shall believe from evidence
25 satisfactory to him that there is a violation of this article he may
26 bring an action in the name and on behalf of the people of the state of
27 New York, in a court of justice having jurisdiction to issue an injunc-
28 tion, to enjoin and restrain the continuation of such violation. In
29 such action, preliminary relief may be granted under article sixty-three
30 of the civil practice law and rules. In such action the court may award
31 damages for actual costs or losses incurred by a person entitled to
32 notice pursuant to this article, if notification was not provided to
33 such person pursuant to this article, including consequential financial
34 losses. Whenever the court shall determine in such action that a person
35 or business violated this article knowingly or recklessly, the court may
36 impose a civil penalty of the greater of five thousand dollars or up to
37 ten dollars per instance of failed notification, provided that the
38 latter amount shall not exceed one hundred fifty thousand dollars.
39 (b) the remedies provided by this section shall be in addition to any
40 other lawful remedy available.
41 (c) no action may be brought under the provisions of this section
42 unless such action is commenced within two years immediately after the
43 date of the act complained of or the date of discovery of such act.
44 [7.] 8. Regardless of the method by which notice is provided, such
45 notice shall include contact information for the person or business
46 making the notification and a description of the categories of informa-
47 tion that were, or are reasonably believed to have been, acquired by a
48 person without valid authorization, including specification of which of
49 the elements of personal information and private information were, or
50 are reasonably believed to have been, so acquired.
51 [8.] 9. (a) In the event that any New York residents are to be noti-
52 fied, the person or business shall notify the state attorney general,
53 the department of state and the division of state police as to the
54 timing, content and distribution of the notices and approximate number
55 of affected persons. Such notice shall be made without delaying notice
56 to affected New York residents.
A. 5232 6
1 (b) In the event that more than five thousand New York residents are
2 to be notified at one time, the person or business shall also notify
3 consumer reporting agencies as to the timing, content and distribution
4 of the notices and approximate number of affected persons. Such notice
5 shall be made without delaying notice to affected New York residents.
6 [9.] 10. The provisions of this section shall be exclusive and shall
7 preempt any provisions of local law, ordinance or code, and no locality
8 shall impose requirements that are inconsistent with or more restrictive
9 than those set forth in this section.
10 § 2. This act shall take effect immediately; provided, however, that
11 the provisions of this act shall apply to any person or business who
12 owns or licenses personal information about a resident of New York with-
13 in eighteen months after such effective date, provided, further, that
14 any person or business may come into compliance before such effective
15 date.