Information Technology and Telecommunications (ITT) Committee Update
Staff Contact: Johnny Evers
November 2, 2017
Attorney General Releases Security Breach Legislation
On November 1st the Attorney General released legislation regarding security breaches. This legislation is more expansive than previous versions introduced in past legislative sessions. The bill, S.6933 (Carlucci) / A.8756 (Kavanagh), relates to notification of a security breach, includes definitions of credit and debit cards, and establishes a new section of the general business law, §899-bb Data security protections. Generally, this law applies to any entity that maintains computerized data on “any resident” of New York State. Current data breach notice requirements only apply to entities authorized to do business in NYS.
The legislation requires any person or business that owns or licenses such computerized data on NYS residents to implement “reasonable security measures.” Failure to do so is subject to AG civil enforcement and injunction; the civil penalty is $5000 for each violation. Reasonable measures include compliance with federal or NYS issued and certified security protocols (e.g., Gramm-Leach-Bliley, HIPAA, etc.), or consistency with about twenty (20) “factors” listed in the bill. Small businesses (< 50 jobs, < $3 million income) will be judged on whether their security efforts are appropriate based on the size and complexity of the business. For instance, steps to be taken by smaller businesses include: the appointment of “employees to coordinate security”, specific technology training, and “technical safeguards” to assess the risks of network, software, and procedures such as disposal of sensitive information, etc.
The new law also increases penalties for, and adds provisions to, the state’s preexisting data breach notice law. One key aspect of the proposal is the stipulation that any entity with a database including “NYS residents” will be subject to the NYS notification and security laws, and be subject to NYS enforcement, even if it does not do business in NYS.
The proposal imposes a requirement on all entities (persons or businesses) that have such identifying information of NYS residents in computerized form to implement some level of cybersecurity protections, with failure to adopt “reasonable” protections subject to NYS civil enforcement (but no private right of action). Several aspects of earlier versions of the bill are contained in the new bill, such as the procedures to be followed in the case of a breach, the issuance of new credit/debit cards and consumer notices, the notification of state offices in the case of an event, and the classifications of “identifying information” (biometric, private, and a user name or e-mail in combination with a password or security question/answer) used in determining whether data has been breached and is thus reportable to state offices.
The Business Council is seeking feedback on this bill. Please contact either Lev Ginsburg (Financial Services) or Johnny Evers (Information Technology & Telecommunications) with any concerns or questions.