Summary of A10190

• Requires businesses conducting business in New York that own or license personal information to develop, implement, and maintain a comprehensive information security program with administrative, technical, and physical safeguards appropriate to their size, scope, type, and resources.

• Mandates notification to affected New York residents and state authorities (attorney general, department of state, state police) in the most expedient time possible following discovery of any breach of security involving unauthorized acquisition of private information.

• Establishes specific security requirements for businesses maintaining computerized data including secure user authentication, access control measures, encryption of transmitted and wireless data, firewall protection, malware protection, and employee training.

• Creates civil enforcement authority for the attorney general to seek injunctions and impose civil penalties of either $5,000 or up to $10 per failed notification (capped at $150,000) for knowing or reckless violations.

• Provides an 18-month compliance period from the effective date for businesses to implement the comprehensive security program requirements.