Bill Text: NY S05601 | 2017-2018 | General Assembly | Amended


Bill Title: Relates to notification of a security breach; includes credit and debit card; increases civil penalties.

Spectrum: Slight Partisan Bill (Democrat 6-3)

Status: (Introduced - Dead) 2018-02-01 - PRINT NUMBER 5601A [S05601 Detail]

Download: New_York-2017-S05601-Amended.html


                STATE OF NEW YORK
        ________________________________________________________________________
                                         5601--A
                               2017-2018 Regular Sessions
                    IN SENATE
                                     April 19, 2017
                                       ___________
        Introduced by Sens. CARLUCCI, AKSHAR, ALCANTARA, GOLDEN, HAMILTON, HELM-
          ING,  KAMINSKY, PERALTA, SAVINO -- read twice and ordered printed, and
          when printed to be committed to the Committee on  Consumer  Protection
          --  recommitted  to the Committee on Consumer Protection in accordance
          with Senate Rule 6, sec. 8  --  committee  discharged,  bill  amended,
          ordered reprinted as amended and recommitted to said committee
        AN  ACT  to amend the general business law and the state technology law,
          in relation to notification of a security breach
          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:
     1    Section  1.  Subdivisions  1, 2, 5, 6, 7, 8 and 9 of section 899-aa of
     2  the general business law, subdivisions 1, 2, 5, 6, 7 and 9 as  added  by
     3  chapter  442  of the laws of 2005, paragraph (c) of subdivision 1, para-
     4  graph (a) of subdivision 6 and subdivision 8 as amended by  chapter  491
     5  of  the  laws  of  2005 and paragraph (a) of subdivision 8 as amended by
     6  section 6 of part N of chapter 55 of the laws of 2013, are amended and a
     7  new subdivision 5-a is added to read as follows:
     8    1. As used in this section, the following terms shall have the follow-
     9  ing meanings:
    10    (a) "Personal information" shall mean  any  information  concerning  a
    11  natural  person  which, because of name, number, personal mark, or other
    12  identifier, can be used to identify such natural person;
    13    (b) "Private information" shall mean either: (i) personal  information
    14  consisting of any information in combination with any one or more of the
    15  following  data  elements,  when  either the personal information or the
    16  data element is not encrypted, or encrypted with an encryption key  that
    17  has also been acquired:
    18    (1) social security number;
    19    (2)  driver's license number or non-driver identification card number;
    20  [or]
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD10986-02-8

        S. 5601--A                          2
     1    (3) account number, credit or debit card number, in  combination  with
     2  any  required  security code, access code, or password that would permit
     3  access to an individual's financial account; or
     4    (4)  biometric  information, meaning data generated by automatic meas-
     5  urements of an individual's physical characteristics, which are used  by
     6  the owner or licensee to authenticate the individual's identity;
     7    (ii)  a  user name or e-mail address in combination with a password or
     8  security question and answer that  would  permit  access  to  an  online
     9  account; or
    10    (iii)  any  unsecured  protected health information held by a "covered
    11  entity" as defined in the health insurance portability and  accountabil-
    12  ity act of 1996 (45 C.F.R.  pts. 160, 162, 164), as amended from time to
    13  time.
    14    "Private  information" does not include publicly available information
    15  which is lawfully made available to the  general  public  from  federal,
    16  state, or local government records.
    17    (c)  "Breach  of  the  security of the system" shall mean unauthorized
    18  acquisition or acquisition without valid authorization  of  computerized
    19  data  that  compromises  the  security, confidentiality, or integrity of
    20  [personal] private information maintained  by  a  business.  Good  faith
    21  acquisition of [personal] private information by an employee or agent of
    22  the  business  for  the  purposes of the business is not a breach of the
    23  security of the system, provided that the  private  information  is  not
    24  used or subject to unauthorized disclosure.
    25    In determining whether information has been acquired, or is reasonably
    26  believed  to  have  been acquired, by an unauthorized person or a person
    27  without valid authorization, such business may  consider  the  following
    28  factors, among others:
    29    (1) indications that the information is in the physical possession and
    30  control  of  a  person without valid authorization or by an unauthorized
    31  person, such as a lost or stolen computer  or  other  device  containing
    32  information; or
    33    (2) indications that the information has been downloaded or copied; or
    34    (3)  indications  that  the  information  was used by a person without
    35  valid authorization  or  an  unauthorized  person,  such  as  fraudulent
    36  accounts opened or instances of identity theft reported.
    37    (d) "Consumer reporting agency" shall mean any person which, for mone-
    38  tary  fees, dues, or on a cooperative nonprofit basis, regularly engages
    39  in whole or in part in the practice of assembling or evaluating consumer
    40  credit information or other information on consumers for the purpose  of
    41  furnishing  consumer  reports to third parties, and which uses any means
    42  or facility of interstate commerce  for  the  purpose  of  preparing  or
    43  furnishing consumer reports. A list of consumer reporting agencies shall
    44  be compiled by the state attorney general and [furnished upon request to
    45  any person or business required to make a notification under subdivision
    46  two of this section] publicly posted on its website.
    47    (e) "Credit card" shall mean any card or other credit device issued by
    48  a  financial  institution  to  a  consumer  for the purpose of providing
    49  money, property, labor or services on credit.
    50    (f) "Debit card" shall mean any card  or  other  device  issued  by  a
    51  financial  institution to a consumer for use in initiating an electronic
    52  fund transfer from the account of the consumer at such financial  insti-
    53  tution,  for  the  purpose  of  transferring  money  between accounts or
    54  obtaining money, property, labor, or services.
    55    2. Any person or business which conducts business in New  York  state,
    56  and  which  owns  or  licenses  computerized data which includes private

        S. 5601--A                          3
     1  information shall disclose any breach of  the  security  of  the  system
     2  following discovery or notification of the breach in the security of the
     3  system  to any resident of New York state whose private information was,
     4  or  is  reasonably  believed  to have been, acquired by a person without
     5  valid authorization or by an unauthorized person.  The disclosure  shall
     6  be  made  in  the  most expedient time possible and without unreasonable
     7  delay, consistent with the  legitimate  needs  of  law  enforcement,  as
     8  provided  in subdivision four of this section, or any measures necessary
     9  to determine the scope of the breach and restore the [reasonable] integ-
    10  rity of the system.
    11    5. The notice required by this section shall be directly  provided  to
    12  the affected persons by one of the following methods:
    13    (a) written notice;
    14    (b)  electronic  notice,  provided  that  the person to whom notice is
    15  required has expressly consented to receiving said notice in  electronic
    16  form  and a log of each such notification is kept by the person or busi-
    17  ness who notifies affected  persons  in  such  form;  provided  further,
    18  however,  that  in no case shall any person or business require a person
    19  to consent to accepting said notice in  said  form  as  a  condition  of
    20  establishing any business relationship or engaging in any transaction.
    21    (c)  telephone notification provided that a log of each such notifica-
    22  tion is kept by the person or business who notifies affected persons; or
    23    (d) substitute notice, if a business demonstrates to the state  attor-
    24  ney  general  that the cost of providing notice would exceed two hundred
    25  fifty thousand dollars, or that the affected class of subject persons to
    26  be notified exceeds five hundred thousand, or  such  business  does  not
    27  have  sufficient contact information. Substitute notice shall consist of
    28  all of the following:
    29    (1) e-mail notice when such business has an  e-mail  address  for  the
    30  subject  persons,  provided the breached information does not include an
    31  e-mail address in combination with a password or security  question  and
    32  answer  that  would  permit access to the online account, in which case,
    33  the person or business shall not comply with this section  by  providing
    34  notice  to  that  e-mail  account,  but  shall  instead comply with this
    35  section by clear and conspicuous notice delivered to the consumer online
    36  when the consumer is connected to the online account  from  an  internet
    37  protocol address or from an online location which the person or business
    38  knows the consumer customarily accesses the online account;
    39    (2)  conspicuous  posting  of  the  notice on such business's web site
    40  page, if such business maintains one; and
    41    (3) notification to major statewide media.
    42    5-a. Any credit or debit card issuer that issues a new credit or debit
    43  card as a result of a breach of the security of the system  pursuant  to
    44  paragraph  (c)  of  subdivision  one  of this section, shall provide the
    45  consumer notice that the issuance of the  replacement  credit  or  debit
    46  card  is  due  to  a  potential  compromise of the prior card absent any
    47  evidence of actual or potential unauthorized use of such credit or debit
    48  card or other circumstances precipitating the issuance of a  replacement
    49  card.
    50    6.  (a)  whenever  the  attorney  general  shall believe from evidence
    51  satisfactory to him that there is a violation of  this  article  he  may
    52  bring  an action in the name and on behalf of the people of the state of
    53  New York, in a court of justice having jurisdiction to issue an  injunc-
    54  tion,  to  enjoin  and  restrain the continuation of such violation.  In
    55  such action, preliminary relief may be granted under article sixty-three
    56  of the civil practice law and rules. In such action the court may  award

        S. 5601--A                          4
     1  damages  for  actual  costs  or  losses incurred by a person entitled to
     2  notice pursuant to this article, if notification  was  not  provided  to
     3  such  person pursuant to this article, including consequential financial
     4  losses.  Whenever the court shall determine in such action that a person
     5  or business violated this article knowingly or recklessly, the court may
     6  impose a civil penalty of the greater of five thousand dollars or up  to
     7  [ten]  twenty dollars per instance of failed notification, provided that
     8  the latter amount shall not exceed  [one]  two  hundred  fifty  thousand
     9  dollars.
    10    (b)  the remedies provided by this section shall be in addition to any
    11  other lawful remedy available.
    12    (c) no action may be brought under  the  provisions  of  this  section
    13  unless  such  action  is  commenced within two years [immediately] after
    14  either the date [of the act complained of or the date  of  discovery  of
    15  such  act]  on which the attorney general became aware of the violation,
    16  or the date of notice sent pursuant  to  paragraph  (a)  of  subdivision
    17  eight of this section, whichever occurs first.
    18    7.  Regardless  of the method by which notice is provided, such notice
    19  shall include contact information for the person or business making  the
    20  notification,  the  telephone numbers and websites of the relevant state
    21  and federal agencies that provide information regarding security  breach
    22  response and identity theft prevention and protection information, and a
    23  description  of  the categories of information that were, or are reason-
    24  ably believed to have been, acquired by a person without valid  authori-
    25  zation or by an unauthorized person, including specification of which of
    26  the  elements  of  personal information and private information were, or
    27  are reasonably believed to have been, so acquired.
    28    8. (a) In the event that any New York residents are  to  be  notified,
    29  the  person  or  business  shall  notify the state attorney general, the
    30  department of state and the [division of state police] office of  infor-
    31  mation technology services as to the timing, content and distribution of
    32  the  notices [and], approximate number of affected persons and provide a
    33  copy of the template of the notice  sent  to  affected  persons.    Such
    34  notice  shall be made without delaying notice to affected New York resi-
    35  dents.
    36    (b) In the event that more than five thousand New York  residents  are
    37  to  be  notified  at  one time, the person or business shall also notify
    38  consumer reporting agencies as to the timing, content  and  distribution
    39  of  the  notices and approximate number of affected persons. Such notice
    40  shall be made without delaying notice to affected New York residents.
    41    9. The department  of  state  shall  receive  complaints  pursuant  to
    42  section ninety-four-a of the executive law relating to any breach of the
    43  security of the system, make referrals as appropriate and in cooperation
    44  with the state attorney general and the office of information technology
    45  services  develop, regularly update and make publicly available informa-
    46  tion relating to how to respond to a  breach  of  the  security  of  the
    47  system and best practices for how to prevent a breach of the security of
    48  the system.
    49    10.  The  provisions  of  this  section  shall  be exclusive and shall
    50  preempt any provisions of local law, ordinance or code, and no  locality
    51  shall impose requirements that are inconsistent with or more restrictive
    52  than those set forth in this section.
    53    §  2. Paragraphs (a) and (d) of subdivision 1 and subdivisions 2, 6, 7
    54  and 8 of section 208 of the state technology law, paragraphs (a) and (d)
    55  of subdivision 1 and subdivision 8 as added by chapter 442 of  the  laws
    56  of  2005, subdivision 2 and paragraph (a) of subdivision 7 as amended by

        S. 5601--A                          5
     1  section 5 of part N of chapter 55 of the laws of 2013 and subdivisions 6
     2  and 7 as amended by chapter 491 of the laws of 2005, are amended to read
     3  as follows:
     4    (a)  "Private  information"  shall  mean:  (i) personal information in
     5  combination with any one or more of the following  data  elements,  when
     6  either  the personal information or the data element is not encrypted or
     7  encrypted with an encryption key that has also been acquired:
     8    (1) social security number;
     9    (2) driver's license number or non-driver identification card  number;
    10  [or]
    11    (3)  account  number, credit or debit card number, in combination with
    12  any required security code, access code, or password which would  permit
    13  access to an individual's financial account; or
    14    (4)  biometric  information, meaning data generated by automatic meas-
    15  urements of an individual's physical characteristics, which are used  by
    16  the owner or licensee to authenticate the individual's identity;
    17    (ii)  a  user name or e-mail address in combination with a password or
    18  security question and answer that  would  permit  access  to  an  online
    19  account; or
    20    (iii)  any  unsecured  protected  health information held by a covered
    21  entity as defined in the health insurance portability and accountability
    22  act of 1996 (45 C.F.R.  pts. 160, 162, 164), as  amended  from  time  to
    23  time.
    24    "Private  information" does not include publicly available information
    25  that is lawfully made available to  the  general  public  from  federal,
    26  state, or local government records.
    27    (d) "Consumer reporting agency" shall mean any person which, for mone-
    28  tary  fees, dues, or on a cooperative nonprofit basis, regularly engages
    29  in whole or in part in the practice of assembling or evaluating consumer
    30  credit information or other information on consumers for the purpose  of
    31  furnishing  consumer  reports to third parties, and which uses any means
    32  or facility of interstate commerce  for  the  purpose  of  preparing  or
    33  furnishing consumer reports. A list of consumer reporting agencies shall
    34  be compiled by the state attorney general and [furnished upon request to
    35  state  entities required to make a notification under subdivision two of
    36  this section] publicly posted on its website.
    37    2. Any state entity that  owns  or  licenses  computerized  data  that
    38  includes  private  information shall disclose any breach of the security
    39  of the system following discovery or notification of the breach  in  the
    40  security  of  the system to any resident of New York state whose private
    41  information was, or is reasonably believed to have been, acquired  by  a
    42  person  without  valid  authorization  or  an unauthorized person.   The
    43  disclosure shall be made in the most expedient time possible and without
    44  unreasonable delay, consistent with the legitimate needs of law enforce-
    45  ment, as provided in subdivision four of this section, or  any  measures
    46  necessary  to determine the scope of the breach and restore the [reason-
    47  able] integrity of the data system.  The state entity shall consult with
    48  the state office of information technology  services  to  determine  the
    49  scope  of the breach and restoration measures. Within ninety days of the
    50  notice of the breach, the  office  of  information  technology  services
    51  shall deliver a report on the scope of the breach and recommendations to
    52  restore and improve the security of the system to the state entity.
    53    6.  Regardless  of the method by which notice is provided, such notice
    54  shall include contact  information  for  the  state  entity  making  the
    55  notification,  the  telephone  numbers and the websites for the relevant
    56  state and federal agencies that provide information  regarding  security

        S. 5601--A                          6
     1  breach response and identity theft prevention and protection information
     2  and  a  description  of  the categories of information that were, or are
     3  reasonably believed to have been, acquired by  a  person  without  valid
     4  authorization  or  an  unauthorized  person,  including specification of
     5  which of the elements of personal information  and  private  information
     6  were, or are reasonably believed to have been, so acquired.
     7    7.  (a)  In  the event that any New York residents are to be notified,
     8  the state entity shall notify the state attorney general, the department
     9  of state and the state office of information technology services  as  to
    10  the  timing,  content  and  distribution  of the notices and approximate
    11  number of affected persons and provide a copy of  the  template  of  the
    12  notice  sent  to  affected  persons.   Such notice shall be made without
    13  delaying notice to affected New York residents.
    14    (b) In the event that more than five thousand New York  residents  are
    15  to  be notified at one time, the state entity shall also notify consumer
    16  reporting agencies as to the timing, content  and  distribution  of  the
    17  notices and approximate number of affected persons. Such notice shall be
    18  made without delaying notice to affected New York residents.
    19    8.  The state office of information technology services shall develop,
    20  update and provide regular training to all state  entities  relating  to
    21  best  practices  for  the  prevention of a breach of the security of the
    22  system.
    23     9. Any entity listed in subparagraph two of paragraph (c) of subdivi-
    24  sion one of this section shall adopt a notification policy no more  than
    25  one  hundred  twenty days after the effective date of this section. Such
    26  entity may develop a notification policy which is consistent  with  this
    27  section  or  alternatively  shall  adopt a local law which is consistent
    28  with this section.
    29    § 3. This act shall take effect on the first of January next  succeed-
    30  ing the date on which it shall have become a law.
feedback