STATE OF NEW YORK
        ________________________________________________________________________
                                          2856
                               2017-2018 Regular Sessions
                   IN ASSEMBLY
                                    January 23, 2017
                                       ___________
        Introduced  by  M. of A. PEOPLES-STOKES -- read once and referred to the
          Committee on Consumer Affairs and Protection
        AN ACT to amend the general business law, in relation to destruction  of
          personal  information  stored on copiers, facsimile machines or multi-
          function devices
          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:
     1    Section 1. The general business law is amended by adding a new section
     2  349-f to read as follows:
     3    §  349-f.  Destruction  of  personal  information  stored  on copiers,
     4  facsimile machines or multifunction devices. 1. For the purposes of this
     5  section:
     6    (a) "Data storage device" means any device that stores information  or
     7  data  from  any electronic or optical medium, including, without limita-
     8  tion, a computer, cellular telephone, magnetic tape, electronic computer
     9  drive and optical computer drive, and the medium itself.
    10    (b) "Encryption" means the protection of data in electronic or optical
    11  form, in storage or in transit,  using:  (i)  an  encryption  technology
    12  which has been adopted by an established standards setting body, includ-
    13  ing,  without  limitation,  the federal information processing standards
    14  issued by the national institute of standards  and  technology,  or  its
    15  successor  organization,  and  which renders such data indecipherable in
    16  the  absence  of  associated  cryptographic  keys  necessary  to  enable
    17  decryption  of such data; and (ii) appropriate management and safeguards
    18  of cryptographic keys to protect the integrity of the  encryption  using
    19  guidelines promulgated by an established standards setting body, includ-
    20  ing,  without  limitation, the national institute of standards and tech-
    21  nology or its successor organization.
    22    (c) "Multifunction device" means a machine that incorporates the func-
    23  tionality of multiple devices, which  may  include  a  printer,  copier,
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD03623-01-7
        A. 2856                             2
     1  scanner,  facsimile  machine or electronic mail terminal, to provide for
     2  the centralized management, distribution or production of documents.
     3    2.  A business entity or data collector that owns or possesses a copi-
     4  er, facsimile machine or multifunction device which uses a data  storage
     5  device  to store, reproduce, transmit or receive data or images that may
     6  contain personal information shall, before the business entity  or  data
     7  collector  relinquishes  ownership,  physical  custody or control of the
     8  copier, facsimile machine or multifunction  device  to  another  person,
     9  ensure that any personal information which is stored on the data storage
    10  device of the copier, facsimile machine or multifunction device is:
    11    (a) secured through the use of encryption; or
    12    (b)  destroyed  through  the use of a physical or technological method
    13  that has been adopted by an established standards setting body,  includ-
    14  ing,  without limitation, a method prescribed by the most recent version
    15  of the federal information processing standards issued by  the  national
    16  institute of standards and technology or its successor organization.
    17    3.  If a business entity or data collector uses or possesses a copier,
    18  facsimile machine or multifunction device  which  uses  a  data  storage
    19  device  to store, reproduce, transmit or receive data or images that may
    20  contain personal information pursuant to a  lease  agreement  or  rental
    21  contract, the owner or lessor of the copier, facsimile machine or multi-
    22  function  device  shall, as soon as practicable after the termination or
    23  cancellation of the lease agreement or rental contract, or upon assuming
    24  physical custody or control of the copier, facsimile machine  or  multi-
    25  function device, ensure that any personal information which is stored on
    26  the  data  storage device of the copier, facsimile machine or multifunc-
    27  tion device is destroyed through the use of a physical or  technological
    28  method  that  has been adopted by an established standards setting body,
    29  including, without limitation, a method prescribed by  the  most  recent
    30  version  of  the  federal information processing standards issued by the
    31  national institute of standards and technology or its  successor  organ-
    32  ization.
    33    4. The provisions of subdivisions two and three of this section do not
    34  apply  to  a  copier, facsimile machine or multifunction device which is
    35  used or configured in such a way as to prevent the storage  of  data  or
    36  images that may contain personal information.
    37    §  2.   This act shall take effect on the ninetieth day after it shall
    38  have become a law.