Int 0141-2004
Businesses licensed by the DOA to notify consumers in the event of a security breach of personal identifying information.
IntroductionEnactedCommittee on Consumer Affairsintroduced 2004-02-04Local Law 2005/046
Enacted as Local Law 2005/046.
Official record · Legistar
Agenda: 2004-02-04Passed: 2005-05-19Enacted: 2005-05-19
Committee on Consumer Affairs — Department of Consumer Affairs
How it compares
22% of similar bills passed
11 passed · 39 died
This bill: 454 days in committee
Similar bills: median 389 days · 334 days when passed
Compared against 50 Introduction bills in Committee on Consumer Affairs.
Ranked by how closely each matches this bill's topic — closest first:
Int 0140-2004
City agencies to notify consumers in the event of a security breach of personal identifying information.
454dEnacted
Int 0139-2004
Identity Theft
454dEnacted
Int 0562-2011
Authorizing the Department of Consumer Affairs to enforce section 131 of article 9-B of the general business law.
965dFiled
Int 0483-2006
Requiring notices relating to the rights of mobile phone consumers.
1128dFiled
Int 0817-2012
Requiring certain information on notices of violation issued to food vendors.
334dEnacted
Int 0995-2009
Disclosure of tenant screening reports.
224dFiled
+ 44 more comparable bills
Sponsors (12)
Philip Reed(prime)
Hiram Monserrate
Eva S. Moskowitz
Joseph P. Addabbo, Jr.
Betsy Gotbaum
Lifecycle
IntroducedIntroduced by Council
2004-02-04 · City Council
ActionReferred to Comm by Council
2004-02-04 · City Council
HeardHearing Held by Committee
2004-03-01 · Committee on Consumer Affairs
HeldLaid Over by Committee
2004-03-01 · Committee on Consumer Affairs
HeardHearing Held by Committee
2005-03-30 · Committee on Consumer Affairs
HeldLaid Over by Committee
2005-03-30 · Committee on Consumer Affairs
HeardHearing Held by Committee
2005-05-04 · Committee on Consumer Affairs
ActionAmendment Proposed by Comm
2005-05-04 · Committee on Consumer Affairs
ActionAmended by Committee
2005-05-04 · Committee on Consumer Affairs
AdvancedApproved by Committee
2005-05-04 · Committee on Consumer Affairs
AdvancedApproved by Council
2005-05-11 · City Council
ActionSent to Mayor by Council
2005-05-11 · City Council
HeardHearing Held by Mayor
2005-05-19 · Mayor
AdvancedSigned Into Law by Mayor
2005-05-19 · Mayor
ActionRecved from Mayor by Council
2005-05-20 · City Council
Heard at (2)
City Council · 2005-05-11 · 1:30 PM · Council Chambers - City Hall
City Council · 2004-02-04 · 1:30 PM · Council Chambers - City Hall
Attachments (10)
- Committee Report 3/1/04
- Hearing Transcript 3/1/04
- Committee Report 3/30/05
- Hearing Transcript 3/30/05
- Opening Statement 3/30/05
- Committee Report 5/4/05
- Hearing Transcript 5/4/05
- Fiscal Impact Statement-A
- Local Law
- Hearing Transcript - Stated Meeting 5/11/05
Full text
Be it enacted by the Council as follows:
Section One. Legislative declaration. The Council finds that acts of identity theft are plaguing New Yorkers. Federal Trade Commission statistics for 2002 and 2003 indicate that identity theft is the single most common consumer fraud complaint in the nation. New York City residents are as likely to be victimized by identity theft as the citizens of many cities within the United States.
The Council finds that identity thieves often gain control of victims’ sensitive personal information by hacking into computers or otherwise violating the security of data systems. When such unauthorized persons acquire individuals’ personal information, they are able to access bank accounts, take control of credit cards, and defraud unsuspecting victims. The Council thus finds that one of the most effective ways to curtail identity thieves is to inform would-be victims that the security of their sensitive personal information has been violated; individuals can then take the steps necessary to regain control of their privacy and finances.
Accordingly, the Council finds it necessary to require businesses required to be licensed by the Department of Consumer Affairs, or pursuant to provisions of state law enforced by the department, to inform individuals whenever there has been a breach of security with respect to sensitive personal information. Business people can best serve their fellow New Yorkers by making such disclosures expeditiously, while acting in accordance with the procedures of the New York City Police Department and other legitimate law enforcement agents.
§ 2. Chapter 1 of title 20 of the administrative code of the city of New York is amended by adding new section 20-117, to read as follows:
§20-117. Licensee disclosure of security breach; notification requirements.
a. Definitions. For the purposes of this section,
1. The term “personal identifying information” shall mean any person’s date of birth, social security number, driver’s license number, non-driver photo identification card number, financial services account number or code, savings account number or code, checking account number or code, brokerage account number or code, credit card account number or code, debit card number or code, automated teller machine number or code, personal identification number, mother's maiden name, computer system password, electronic signature or unique biometric data that is a fingerprint, voice print, retinal image or iris image of another person. This term shall apply to all such data, notwithstanding the method by which such information is maintained.
2. The term “breach of security” shall mean unauthorized possession of personal identifying information that compromises the security, confidentiality or integrity of such information. Good faith or inadvertent possession of any personal identifying information by an employee or agent of the licensee for the legitimate purposes of the business of the licensee shall not constitute a breach of security.
b. Any person required to be licensed pursuant to chapter two of this title, or pursuant to provisions of state law enforced by the department, that owns or leases data that includes personal identifying information and any person required to be licensed pursuant to chapter two of this title, or pursuant to provisions of state law enforced by the department, that maintains but does not own data that includes personal identifying information shall immediately disclose to the department and to the police department any breach of security following discovery by a supervisor or manager, or following notification to a supervisor or manager, of such breach if such personal identifying information is reasonably believed to have been acquired by an unauthorized person.
c. Subsequent to compliance with the provisions set forth in subdivision b of this section, any person required to be licensed pursuant to chapter two of this title, or pursuant to provisions of state law enforced by the department, that owns or leases data that includes personal identifying information shall disclose, in accordance with the procedures set forth in subdivision e of this section, any breach of security following discovery by a supervisor or manager, or following notification to a supervisor or manager, of such breach to any person whose personal identifying information was, or is reasonably believed to have been, acquired by an unauthorized person.
d. Subsequent to compliance with the provisions set forth in subdivision b of this section, any person required to be licensed pursuant to chapter two of this title, or pursuant to provisions of state law enforced by the department, that maintains but does not own data that includes personal identifying information shall disclose, in accordance with the procedures set forth in subdivision e of this section, any breach of security following discovery by a supervisor or manager, or following notification to a supervisor or manager, of such breach to the owner, lessor or licensor of the data if the personal identifying information was, or is reasonably believed to have been, acquired by an unauthorized person.
e. The disclosures required by subdivisions c and d of this section shall be made as soon as practicable by a method reasonable under the circumstances. Provided said method is not inconsistent with the legitimate needs of law enforcement or any other investigative or protective measures necessary to restore the reasonable integrity of the data system, disclosure shall be made by at least one of the following means:
1. Written notice to the individual at his or her last known address; or
2. Verbal notification to the individual by telephonic communication; or
3. Electronic notification to the individual at his or her last known e-mail address.
f. Should disclosure pursuant to paragraphs one, two or three of subdivision e be impracticable or inappropriate given the circumstances of the breach and the identity of the victim, such disclosure shall be made by a mechanism of the licensee’s choosing, provided such mechanism is reasonably targeted to the individual in a manner that does not further compromise the integrity of the personal information disclosed and has been approved, or is in compliance with rules promulgated, by the Commissioner.
g. Any person required to be licensed pursuant to chapter two of this title, or pursuant to provisions of state law enforced by the department, that discards any records of an individual’s personal identifying information shall do so in a manner intended to prevent retrieval of the information contained therein or thereon.
h. Any person required to be licensed pursuant to chapter two of this title, or pursuant to provisions of state law enforced by the department, who shall violate any of the provisions of this section, upon conviction thereof, shall be punishable by a fine of not more than five hundred dollars ($500) and shall be liable for a civil penalty of one hundred dollars ($100) for each violation.
§ 3. If any section, subdivision, sentence, clause, phrase or other portion of this local law is, for any reason, declared unconstitutional or invalid in whole or in part, by any court of competent jurisdiction, such portion shall be deemed severable, and such unconstitutionality or invalidity shall not affect the validity of the remaining portions of this law, which remaining portions shall continue in full force and effect.
§ 4. This local law shall take effect 120 days after it shall have been enacted into law; provided that the Commissioner may take any actions necessary prior to such effective date for the implementation of this local law including, but not limited to, establishing guidelines and promulgating rules.