STATE OF NEW YORK ________________________________________________________________________ 7232--A 2017-2018 Regular Sessions IN ASSEMBLY April 12, 2017 ___________ Introduced by M. of A. OTIS -- read once and referred to the Committee on Consumer Affairs and Protection -- committee discharged, bill amended, ordered reprinted as amended and recommitted to said commit- tee AN ACT to amend the general business law, in relation to the timeliness of disclosure of a breach of the security of a system which contains private information The People of the State of New York, represented in Senate and Assem- bly, do enact as follows: 1 Section 1. Subdivision 2 of section 899-aa of the general business 2 law, as added by chapter 442 of the laws of 2005, is amended to read as 3 follows: 4 2. Any person or business which conducts business in New York state, 5 and which owns or licenses computerized data which includes private 6 information shall disclose any breach of the security of the system 7 following discovery or notification of the breach in the security of the 8 system to any resident of New York state whose private information was, 9 or is reasonably believed to have been, acquired by a person without 10 valid authorization. The disclosure shall be made [in the most expedient 11 time possible and] without unreasonable delay, consistent with the 12 legitimate needs of law enforcement, as provided in subdivision four of 13 this section, or any measures necessary to determine the scope of the 14 breach and restore the reasonable integrity of the system. Reasonable 15 delay under this subdivision shall not exceed forty-five days, except as 16 provided in subdivision four of this section or unless the person or 17 business seeking additional time demonstrates to the attorney general 18 that additional time is reasonably necessary to determine the scope of 19 the breach of the security system, prevent further disclosures, conduct 20 the risk assessment, and restore the reasonable integrity of the securi- 21 ty system. If the attorney general determines that additional delay is 22 necessary the agency may extend the time period for notification for EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted. LBD06866-02-7

A. 7232--A 2 1 additional periods of up to forty-five days each. Any such extension 2 shall be provided in writing. 3 § 2. This act shall take effect on the ninetieth day after it shall 4 have become a law.