Agency actions and licensee disclosures in the event of a breach of security.
A Local Law to amend the administrative code of the city of New York, in relation to agency actions and licensee disclosures in the event of a breach of security
This bill would amend the City’s data breach notification laws to align them with requirements in New York’s SHIELD Act. It would make certain definitions in City law more consistent with State law. City agencies that have suffered a security breach involving persons’ private identifying information would be required to promptly disclose it to the City’s Chief Privacy Officer, the Office of Cyber Command, and the Department of Information Technology and Telecommunications; formerly the NYPD received this type of disclosure. The obligation to make this type of disclosure – including to affected persons – would be expanded to situations in which the information was reasonably believed to have been accessed, disclosed or used by an unauthorized person. With some exceptions, the bill would mandate that if 5,000 or more New York residents must be notified at one time pursuant to Section 10-502 of the City’s Administrative Code, the notifying agency must also notify consumer reporting agencies as to the timing, content and distribution of the notices, and approximate number of affected individuals. Certain agencies would have to coordinate and keep records on data breaches. The bill would mandate that Department of Consumer and Worker Protection, Department of Health and Mental Hygiene and Taxi and Limousine Commission licensees required to make a data breach notification pursuant to State law promptly submit a copy of the notification to their licensing agencies.
Status
Enacted
File ID
Int 2410-2021
Introduced
10/7/2021
Committee
Committee on Consumer Affairs and Business Licensing
Sponsors (9)