Bill Summary – FastDemocracy

BILL NUMBER: S2152
SPONSOR: COMRIE
 
TITLE OF BILL:
An act to amend the general business law, in relation to requiring
certain businesses to offer identity theft prevention and mitigation
services in the case of a security breach
 
PURPOSE:
This bill would require any person or business to provide free reason-
able credit report monitoring, identity theft prevention services, and
if applicable, identity theft mitigation services should they suffer a
data breach including a consumer's social security number.
 
SUMMARY OF PROVISIONS:
Section one amends section 899-aa of the general business law by adding
a new subdivision 10 that would require any person or business, other
than a credit reporting agency, to provide free reasonable credit report
monitoring, identity theft prevention services, and if applicable, iden-
tity theft mitigation services should they suffer a data breach includ-
ing a consumer's social security. number. These services would be
required to be provided to affected consumers for a minimum of two
years. Additionally such person or business would be required to provide
notice to a consumer whose social security number was disclosed on how
to obtain such services free of charge. This section also provides that
any person or small business may apply to the Department of Financial
Services for a financial hardship waiver if they are able to demonstrate
to the Department that these requirements would impose a financial hard-
ship
Section two sets the effective date.
 
JUSTIFICATION:
Data and security breaches are an all too common occurrence in the
modern age. Such breaches occur among many large corporations such as
Yahoo, Marriott, EBay, Target and JP Morgan. The theft of personal data,
including Social Security Numbers puts consumers at inordinate risk for
dire financial consequences, such as having their identity stolen and
their credit totally ruined.
This legislation would require any person or business to provide free
reasonable credit report monitoring, identity theft prevention services,
and if applicable, identity theft mitigation services should they suffer
a data breach including a consumer's social security number. These
services would be required to be provided to affected consumers for a
minimum of two years. Additionally such person or business would be
required to provide notice to a consumer whose social security number
was disclosed onò how to obtain such services free of charge. The bill
also provides that any person or small business may apply to the Depart-
ment of Financial Services for a financial hardship waiver if they are
able to demonstrate to the Department that these requirements would
impose a financial hardship.
 
LEGISLATIVE HISTORY:
2024: S700 Comrie/ A1725 Dinowitz
2022: S3161- referred to consumer protection
Passed Senate 2019-20 Session.
 
FISCAL IMPLICATIONS:
None.
 
EFFECTIVE DATE:
This act shall take effect on the 180th day after it shall have become
law. Effective immediately, the addition, amendment and/or repeal of any
rule or regulation necessary for the implementation of this act on its
effective date are authorized to be made and completed on or before such
effective date.