NEW YORK STATE ASSEMBLY MEMORANDUM IN SUPPORT OF LEGISLATION submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A1157
SPONSOR: Santabarbara
 
TITLE OF BILL:
An act to amend the general business law, in relation to disclosure of
breaches of the security of the system
 
PURPOSE OR GENERAL IDEA OF BILL:
This bill would require any person or business which conducts business
in the State of New York to disclose any breach of a security of a
computerized system which compromises private customer information with-
in 5 days of such a breach.
 
SUMMARY OF SPECIFIC PROVISIONS:
Sections 1: Amends Subdivision 2 of section 899-aa of the general busi-
ness law by requiring disclosure of a computer security system breach
within 5 days.
Section 2: Effective date.
 
JUSTIFICATION:
Computer security breaches of national retailers have become common
occurrences in recent years and these events jeopardize the privacy of
personal information of countless New Yorkers. It is essential that
individuals know as soon as possible if their private information has
been compromised or there is the threat it has been compromised. If
there is a security breach, potentially impacted individuals need to be
notified as quickly as possible to make sure their information is safe.
Currently, those conducting business in New York State who own or
license computerized systems that store private information are required
to disclose a breach or suspected breach without unreasonable delay.
This time requirement is too vague and needs to be replaced with specif-
ic guidelines for action. This bill would amend the existing language to
require that a breach of personal information be disclosed within 5 days
For consumers whose personal information is compromised in a security
breach, awareness of the breach affords them the opportunity to take
Preemptive action to ensure that they can mitigate the risk of identity
theft. While the current law encourages breaches to be disclosed quick-
ly, many factors may compel those responsible for the breached system to
delay such a disclosure. This bill will make sure that consumers are
provided with the information they deserve when their private informa-
tion is compromised.
 
PRIOR LEGISLATIVE HISTORY:
2015-16: A5925 - referred to consumer affairs and protection
2017-18: A180 - referred to consumer affairs and protection
2019-20: A1387- referred to consumer affairs and protection
 
FISCAL IMPLICATIONS:
None to the state.
 
EFFECTIVE DATE:
This act shall take effect immediately.
STATE OF NEW YORK
________________________________________________________________________
1157
2025-2026 Regular Sessions
IN ASSEMBLY
January 9, 2025
___________
Introduced by M. of A. SANTABARBARA -- read once and referred to the
Committee on Consumer Affairs and Protection
AN ACT to amend the general business law, in relation to disclosure of
breaches of the security of the system
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. The opening paragraph of subdivision 2 of section 899-aa of
2 the general business law, as amended by chapter 647 of the laws of 2024,
3 is amended to read as follows:
4 Any person or business which owns or licenses computerized data which
5 includes private information shall disclose any breach of the security
6 of the system [following] within five days of the discovery or notifica-
7 tion of the breach in the security of the system to any resident of New
8 York state whose private information was, or is reasonably believed to
9 have been, accessed or acquired by a person without valid authorization.
10 [The disclosure shall be made in the most expedient time possible and
11 without unreasonable delay, provided that such notification shall be
12 made within thirty days after the breach has been discovered, except for
13 the legitimate needs of law enforcement, as provided in subdivision four
14 of this section.]
15 § 2. This act shall take effect immediately.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD03501-01-5