(a) Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.
(A) reasonable administrative safeguards such as the following, in which the person or business:
(3) assesses the sufficiency of safeguards in place to control the identified risks;
(5) selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
(B) reasonable technical safeguards such as the following, in which the person or business:
(C) reasonable physical safeguards such as the following, in which the person or business:
(c) A small business as defined in paragraph (c) of subdivision one of this section complies with subparagraph (ii) of paragraph (b) of subdivision two of this section if the small business's security program contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers.
