S.5601 (Carlucci) / A.7167 (Kavanagh)


Director of Government Affairs
518.465.7511, ext. 204


S.5601 (Carlucci) / A.7167 (Kavanagh)


Relates to Notification of a Security Breach



The Business Council of New York State, the state’s leading statewide business and industry association, opposes this legislation that broadens the scope of information covered under the notification provisions regarding security breaches and mandates new reporting systems.
We have numerous concerns regarding this legislation including the following:

  • The bill expands the definition of personal information to include biometric information: user name or email addresses and HIPPA generated information (“health information”).  Since this is not defined, and it may not directly relate to how individuals are identified, it leaves open the method for collection, and correspondingly, preservation in regards to breach.
  • The new term “without valid authorization” is not defined and raises concerns since the underlying law already covers “unauthorized acquisition” and another term “unauthorized person” is also utilized in the bill.
  • In regards to “credit cards” the bill also inserts the phrase “or other credit device” yet the ensuing language makes it appear that the consumer, not the lender, is the creditor. The same situation is present under the term “debit card”. This is a confusing and potentially problematic change regarding the definitions of credit and debit cards and “devices”.
  • The bill also mandates that credit and debit card issuers that issue new credit or debit cards as a result of a breach provide notice prior to the issuance of replacement cards. This is unnecessary, and it could delay the process of issuance and is not found in other aspects of state law.
  • The penalty structure associated with data breach is also increased from ten to twenty dollars per incident for failure to issue notifications of a breach and runs to a threshold of $250,000 (as compared with a previous level of one hundred thousand).
  • The Department of Financial Services recently implemented a stringent cybersecurity and data privacy regulation that requires similar notification and procedural safeguards, making this bill redundant for some sectors.

In summary, this legislation imposes significant new – and in some cases, duplicative – compliance obligations on business, in addition to creating vague new definitions and standards.  For the reasons stated above, the Business Council opposes adoption S. 5601 / A. 7167.