Bill Text: NY A03174 | 2015-2016 | General Assembly | Introduced
Bill Title: Relates to destruction of personal information stored on copiers, facsimile machines or multifunction devices.
Spectrum: Slight Partisan Bill (Democrat 4-2)
Status: (Engrossed - Dead) 2016-06-14 - REFERRED TO RULES
STATE OF NEW YORK

3174

2015-2016 Regular Sessions

IN ASSEMBLY

January 22, 2015

Introduced by M. of A. PEOPLES-STOKES -- read once and referred to the Committee on Consumer Affairs and Protection

AN ACT to amend the general business law, in relation to destruction of personal information stored on copiers, facsimile machines or multifunction devices

THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEMBLY, DO ENACT AS FOLLOWS:

Section 1. The general business law is amended by adding a new section 349-f to read as follows:

§ 349-F. DESTRUCTION OF PERSONAL INFORMATION STORED ON COPIERS, FACSIMILE MACHINES OR MULTIFUNCTION DEVICES.

1. FOR THE PURPOSES OF THIS SECTION:

(A) "DATA STORAGE DEVICE" MEANS ANY DEVICE THAT STORES INFORMATION OR DATA FROM ANY ELECTRONIC OR OPTICAL MEDIUM, INCLUDING, WITHOUT LIMITATION, A COMPUTER, CELLULAR TELEPHONE, MAGNETIC TAPE, ELECTRONIC COMPUTER DRIVE AND OPTICAL COMPUTER DRIVE, AND THE MEDIUM ITSELF.

(B) "ENCRYPTION" MEANS THE PROTECTION OF DATA IN ELECTRONIC OR OPTICAL FORM, IN STORAGE OR IN TRANSIT, USING:

(I) AN ENCRYPTION TECHNOLOGY WHICH HAS BEEN ADOPTED BY AN ESTABLISHED STANDARDS SETTING BODY, INCLUDING, WITHOUT LIMITATION, THE FEDERAL INFORMATION PROCESSING STANDARDS ISSUED BY THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, OR ITS SUCCESSOR ORGANIZATION, AND WHICH RENDERS SUCH DATA INDECIPHERABLE IN THE ABSENCE OF ASSOCIATED CRYPTOGRAPHIC KEYS NECESSARY TO ENABLE DECRYPTION OF SUCH DATA; AND

(II) APPROPRIATE MANAGEMENT AND SAFEGUARDS OF CRYPTOGRAPHIC KEYS TO PROTECT THE INTEGRITY OF THE ENCRYPTION USING GUIDELINES PROMULGATED BY AN ESTABLISHED STANDARDS SETTING BODY, INCLUDING, WITHOUT LIMITATION, THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY OR ITS SUCCESSOR ORGANIZATION.

(C) "MULTIFUNCTION DEVICE" MEANS A MACHINE THAT INCORPORATES THE FUNCTIONALITY OF MULTIPLE DEVICES, WHICH MAY INCLUDE A PRINTER, COPIER, SCANNER, FACSIMILE MACHINE OR ELECTRONIC MAIL TERMINAL, TO PROVIDE FOR THE CENTRALIZED MANAGEMENT, DISTRIBUTION OR PRODUCTION OF DOCUMENTS.

2. A BUSINESS ENTITY OR DATA COLLECTOR THAT OWNS OR POSSESSES A COPIER, FACSIMILE MACHINE OR MULTIFUNCTION DEVICE WHICH USES A DATA STORAGE DEVICE TO STORE, REPRODUCE, TRANSMIT OR RECEIVE DATA OR IMAGES THAT MAY CONTAIN PERSONAL INFORMATION SHALL, BEFORE THE BUSINESS ENTITY OR DATA COLLECTOR RELINQUISHES OWNERSHIP, PHYSICAL CUSTODY OR CONTROL OF THE COPIER, FACSIMILE MACHINE OR MULTIFUNCTION DEVICE TO ANOTHER PERSON, ENSURE THAT ANY PERSONAL INFORMATION WHICH IS STORED ON THE DATA STORAGE DEVICE OF THE COPIER, FACSIMILE MACHINE OR MULTIFUNCTION DEVICE IS:

(A) SECURED THROUGH THE USE OF ENCRYPTION; OR

(B) DESTROYED THROUGH THE USE OF A PHYSICAL OR TECHNOLOGICAL METHOD THAT HAS BEEN ADOPTED BY AN ESTABLISHED STANDARDS SETTING BODY, INCLUDING, WITHOUT LIMITATION, A METHOD PRESCRIBED BY THE MOST RECENT VERSION OF THE FEDERAL INFORMATION PROCESSING STANDARDS ISSUED BY THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY OR ITS SUCCESSOR ORGANIZATION.

3. IF A BUSINESS ENTITY OR DATA COLLECTOR USES OR POSSESSES A COPIER, FACSIMILE MACHINE OR MULTIFUNCTION DEVICE WHICH USES A DATA STORAGE DEVICE TO STORE, REPRODUCE, TRANSMIT OR RECEIVE DATA OR IMAGES THAT MAY CONTAIN PERSONAL INFORMATION PURSUANT TO A LEASE AGREEMENT OR RENTAL CONTRACT, THE OWNER OR LESSOR OF THE COPIER, FACSIMILE MACHINE OR MULTIFUNCTION DEVICE SHALL, AS SOON AS PRACTICABLE AFTER THE TERMINATION OR CANCELLATION OF THE LEASE AGREEMENT OR RENTAL CONTRACT, OR UPON ASSUMING PHYSICAL CUSTODY OR CONTROL OF THE COPIER, FACSIMILE MACHINE OR MULTIFUNCTION DEVICE, ENSURE THAT ANY PERSONAL INFORMATION WHICH IS STORED ON THE DATA STORAGE DEVICE OF THE COPIER, FACSIMILE MACHINE OR MULTIFUNCTION DEVICE IS DESTROYED THROUGH THE USE OF A PHYSICAL OR TECHNOLOGICAL METHOD THAT HAS BEEN ADOPTED BY AN ESTABLISHED STANDARDS SETTING BODY, INCLUDING, WITHOUT LIMITATION, A METHOD PRESCRIBED BY THE MOST RECENT VERSION OF THE FEDERAL INFORMATION PROCESSING STANDARDS ISSUED BY THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY OR ITS SUCCESSOR ORGANIZATION.

4. THE PROVISIONS OF SUBDIVISIONS TWO AND THREE OF THIS SECTION DO NOT APPLY TO A COPIER, FACSIMILE MACHINE OR MULTIFUNCTION DEVICE WHICH IS USED OR CONFIGURED IN SUCH A WAY AS TO PREVENT THE STORAGE OF DATA OR IMAGES THAT MAY CONTAIN PERSONAL INFORMATION.

§ 2. This act shall take effect on the ninetieth day after it shall have become a law.

EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets [ ] is old law to be omitted.

LBD01183-01-5