Bill to change New York data breach law nears next steps

Sen. Michael Venditto's legislation to change how the state's IT office responds to data breaches is now up for consideration by Senate lawmakers.

A bill that would charge New York’s IT department with taking a more active role in responding to data breaches is picking up steam in the Legislature.

State Sen. Michael Venditto’s S. 6834 would mandate a whole host of changes to how the state reacts to an electronic breach of private information, giving more responsibilities to New York’s Office of Information Technology Services in the wake of any state data breach. Venditto introduced the legislation back in late February, but after making a few tweaks to the bill, his Consumer Protection Committee took up the bill for consideration last week.

Starting Jan. 1, should any “state entity” handling citizens’ private information discover that personal data becomes exposed to any unauthorized users, the legislation would task the IT office with delivering “a report on the scope of the breach and recommendations to restore and improve the security of the system to the state entity” within 90 days after the discovery of the breach.

Additionally, the bill requires that state IT staff “develop, update and provide regular training to all state entities relating to best practices for the prevention of a breach of the security of the system.”
“New York’s current data breach notification law needs to be updated to keep pace with individuals’ use and dissemination of private information,” Venditto wrote in a memorandum attached to the bill. “This bill recognizes the breadth of private information, so it expands the scope of information included under the current law to include biometric information, email addresses and their corresponding passwords or security questions and answers, and protected health information as defined under [the federal Health Insurance Portability and Accountability Act].”

Indeed, Venditto’s bill would include the new categories of data in the state statutes governing breaches within both public and private entities.


The legislation would also pull in the state’s IT office in the event of a breach at a company handling private information. State law currently requires any company notifying New York residents about a breach to also alert the state attorney general, the Department of State, and the Division of State Police — Venditto’s legislation would substitute the IT office in that process for the state police.

The bill also charges the state department with responding to any “complaints and inquiries” about a company’s data breach, and working with the IT department and attorney general’s office to “regularly update and make publicly available information relating to how to respond to a breach of the security of the system and best practices for how to prevent a breach.”
Though the legislation has been stuck in committee for months, little about the bill has changed to prompt its new progress — most notably, lawmakers added a section laying out how companies should find alternative methods to notify people about a breach if their email address was among the information compromised.

However, since Venditto chairs the committee currently considering the bill, the legislative analytics company FiscalNote gives it a 96 percent chance of making it to the floor for a vote.

Should the bill make it to the Senate floor, FiscalNote estimates it has an 87 percent chance of passing, largely because it’s a “Republican-sponsored bill in a Republican majority body.”

Contact the reporter at, and follow him on Twitter @AlexKomaSNG.