S T A T E   O F   N E W   Y O R K
       ________________________________________________________________________
                                         3230
                              2013-2014 Regular Sessions
                                   I N  S E N A T E
                                   January 31, 2013
                                      ___________
       Introduced  by  Sen.  PARKER -- read twice and ordered printed, and when
         printed to be committed to the Committee on Consumer Protection
       AN ACT to amend the general business law, in relation  to  enacting  the
         "consumer protection against computer spyware act"
         THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
       BLY, DO ENACT AS FOLLOWS:
    1    Section 1. The general business law is amended by adding a new article
    2  28-F to read as follows:
    3                                ARTICLE 28-F
    4                CONSUMER PROTECTION AGAINST COMPUTER SPYWARE
    5  SECTION 491. SHORT TITLE.
    6          492. DEFINITIONS.
    7          493. CONSUMER PROTECTION AGAINST COMPUTER SPYWARE.
    8          494. ENFORCEMENT.
    9    S 491. SHORT TITLE. THIS ARTICLE SHALL BE KNOWN AND MAY  BE  CITED  AS
   10  THE "CONSUMER PROTECTION AGAINST COMPUTER SPYWARE ACT".
   11    S  492. DEFINITIONS. FOR PURPOSES OF THIS ARTICLE, THE FOLLOWING TERMS
   12  HAVE THE FOLLOWING MEANINGS:
   13    1. "ADVERTISEMENT" MEANS A COMMUNICATION, THE PRIMARY PURPOSE OF WHICH
   14  IS THE COMMERCIAL PROMOTION OF A COMMERCIAL PRODUCT OR SERVICE,  INCLUD-
   15  ING CONTENT ON AN INTERNET WEB SITE OPERATED FOR A COMMERCIAL PURPOSE.
   16    2.  "AUTHORIZED  USER"  WITH RESPECT TO A COMPUTER, MEANS A PERSON WHO
   17  OWNS OR IS AUTHORIZED BY THE OWNER OR LESSEE TO USE THE COMPUTER.
   18    3. "COMPUTER SOFTWARE" MEANS A SEQUENCE OF INSTRUCTIONS WRITTEN IN ANY
   19  PROGRAMMING LANGUAGE THAT IS EXECUTED ON A COMPUTER.
   20    4.  "COMPUTER  VIRUS"  MEANS  A  COMPUTER  PROGRAM  OR  OTHER  SET  OF
   21  INSTRUCTIONS THAT IS DESIGNED TO DEGRADE THE PERFORMANCE OF OR DISABLE A
   22  COMPUTER  OR  COMPUTER  NETWORK  AND  IS DESIGNED TO HAVE THE ABILITY TO
   23  REPLICATE ITSELF ON OTHER COMPUTERS OR  COMPUTER  NETWORKS  WITHOUT  THE
   24  AUTHORIZATION OF THE OWNERS OF THOSE COMPUTERS OR COMPUTER NETWORKS.
        EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                             [ ] is old law to be omitted.
                                                                  LBD06875-01-3
       S. 3230                             2
    1    5.  "CONSUMER"  MEANS  AN INDIVIDUAL WHO RESIDES IN THIS STATE AND WHO
    2  USES THE COMPUTER IN QUESTION PRIMARILY FOR PERSONAL, FAMILY, OR  HOUSE-
    3  HOLD PURPOSES.
    4    6.  "DAMAGE"  MEANS  ANY  SIGNIFICANT  IMPAIRMENT  TO THE INTEGRITY OR
    5  AVAILABILITY OF DATA, SOFTWARE, A SYSTEM, OR INFORMATION.
    6    7. "EXECUTE" WHEN USED WITH RESPECT TO COMPUTER  SOFTWARE,  MEANS  THE
    7  PERFORMANCE  OF THE FUNCTIONS OR THE CARRYING OUT OF THE INSTRUCTIONS OF
    8  THE COMPUTER SOFTWARE.
    9    8. "INTERNET" MEANS THE GLOBAL INFORMATION SYSTEM  THAT  IS  LOGICALLY
   10  LINKED TOGETHER BY A GLOBALLY UNIQUE ADDRESS SPACE BASED ON THE INTERNET
   11  PROTOCOL (IP), OR ITS SUBSEQUENT EXTENSIONS, AND THAT IS ABLE TO SUPPORT
   12  COMMUNICATIONS USING THE TRANSMISSION CONTROL PROTOCOL/INTERNET PROTOCOL
   13  (TCP/IP)  SUITE,  OR  ITS  SUBSEQUENT EXTENSIONS, OR OTHER IP-COMPATIBLE
   14  PROTOCOLS, AND THAT PROVIDES, USES, OR MAKES ACCESSIBLE, EITHER PUBLICLY
   15  OR PRIVATELY, HIGH LEVEL SERVICES  LAYERED  ON  THE  COMMUNICATIONS  AND
   16  RELATED INFRASTRUCTURE DESCRIBED IN THIS SUBDIVISION.
   17    9.  "PERSON"  MEANS  ANY INDIVIDUAL, PARTNERSHIP, CORPORATION, LIMITED
   18  LIABILITY COMPANY, OR OTHER ORGANIZATION, OR ANY COMBINATION THEREOF.
   19    10. "PERSONALLY IDENTIFIABLE INFORMATION" MEANS ANY OF THE FOLLOWING:
   20    (A) FIRST NAME OR FIRST INITIAL IN COMBINATION WITH LAST NAME;
   21    (B) CREDIT OR DEBIT CARD NUMBERS OR OTHER FINANCIAL ACCOUNT NUMBERS;
   22    (C) A PASSWORD OR PERSONAL IDENTIFICATION NUMBER REQUIRED TO ACCESS AN
   23  IDENTIFIED FINANCIAL ACCOUNT;
   24    (D) SOCIAL SECURITY NUMBER; OR
   25    (E) ANY OF THE FOLLOWING INFORMATION IN A FORM THAT PERSONALLY IDENTI-
   26  FIES AN AUTHORIZED USER:
   27    (I) ACCOUNT BALANCES;
   28    (II) OVERDRAFT HISTORY;
   29    (III) PAYMENT HISTORY;
   30    (IV) A HISTORY OF WEB SITES VISITED;
   31    (V) HOME ADDRESS;
   32    (VI) WORK ADDRESS; OR
   33    (VII) A RECORD OF A PURCHASE OR PURCHASES.
   34    S 493. CONSUMER PROTECTION AGAINST COMPUTER SPYWARE. 1.  A  PERSON  OR
   35  ENTITY  THAT IS NOT AN AUTHORIZED USER SHALL NOT CAUSE COMPUTER SOFTWARE
   36  TO BE COPIED ONTO THE COMPUTER OF A CONSUMER IN THIS STATE AND  USE  THE
   37  SOFTWARE TO DO ANY OF THE FOLLOWING:
   38    (A)  MODIFY  ANY  OF  THE FOLLOWING SETTINGS RELATED TO THE COMPUTER'S
   39  ACCESS TO, OR USE OF, THE INTERNET:
   40    (I) THE PAGE THAT APPEARS WHEN AN AUTHORIZED USER LAUNCHES AN INTERNET
   41  BROWSER OR SIMILAR SOFTWARE PROGRAM USED  TO  ACCESS  AND  NAVIGATE  THE
   42  INTERNET;
   43    (II)  THE  DEFAULT  PROVIDER  OR WEB PROXY THE AUTHORIZED USER USES TO
   44  ACCESS OR SEARCH THE INTERNET; OR
   45    (III) THE AUTHORIZED USER'S LIST  OF  BOOKMARKS  USED  TO  ACCESS  WEB
   46  PAGES.
   47    (B)  COLLECT PERSONALLY IDENTIFIABLE INFORMATION THAT MEETS ANY OF THE
   48  FOLLOWING CRITERIA:
   49    (I) IT IS COLLECTED THROUGH THE USE OF  A  KEYSTROKE-LOGGING  FUNCTION
   50  THAT RECORDS KEYSTROKES MADE BY AN AUTHORIZED USER WHO USES THE COMPUTER
   51  AND TRANSFERS THAT INFORMATION FROM THE COMPUTER TO ANOTHER PERSON;
   52    (II)  IT INCLUDES ALL OR SUBSTANTIALLY ALL OF THE WEB SITES VISITED BY
   53  AN AUTHORIZED USER, OTHER THAN WEB SITES OF THE PROVIDER  OF  THE  SOFT-
   54  WARE,  IF  THE  COMPUTER  SOFTWARE WAS INSTALLED IN A MANNER DESIGNED TO
   55  CONCEAL FROM ALL AUTHORIZED USERS OF THE  COMPUTER  THE  FACT  THAT  THE
   56  SOFTWARE IS BEING INSTALLED; OR
       S. 3230                             3
    1    (III)  IT  IS A DATA ELEMENT DESCRIBED IN PARAGRAPH (B), (C) OR (D) OR
    2  SUBPARAGRAPH (I) OR (II) OF PARAGRAPH (E) OF SUBDIVISION TEN OF  SECTION
    3  FOUR  HUNDRED  NINETY-TWO  OF  THIS  ARTICLE, THAT IS EXTRACTED FROM THE
    4  CONSUMER'S COMPUTER HARD DRIVE FOR A PURPOSE WHOLLY UNRELATED TO ANY  OF
    5  THE PURPOSES OF THE SOFTWARE OR SERVICE DESCRIBED TO AN AUTHORIZED USER.
    6    (C)  PREVENT,  WITHOUT  THE  AUTHORIZATION  OF  AN AUTHORIZED USER, AN
    7  AUTHORIZED USER'S REASONABLE EFFORTS TO BLOCK THE INSTALLATION OF, OR TO
    8  DISABLE, SOFTWARE, BY CAUSING SOFTWARE  THAT  THE  AUTHORIZED  USER  HAS
    9  PROPERLY REMOVED OR DISABLED TO AUTOMATICALLY REINSTALL OR REACTIVATE ON
   10  THE COMPUTER WITHOUT THE AUTHORIZATION OF AN AUTHORIZED USER.
   11    (D)  REPRESENT  THAT  SOFTWARE  WILL  BE UNINSTALLED OR DISABLED BY AN
   12  AUTHORIZED USER'S ACTION, WITH KNOWLEDGE THAT THE SOFTWARE WILL  NOT  BE
   13  SO UNINSTALLED OR DISABLED.
   14    (E)  REMOVE,  DISABLE, OR RENDER INOPERATIVE SECURITY, ANTISPYWARE, OR
   15  ANTIVIRUS SOFTWARE INSTALLED ON THE COMPUTER.
   16    2. A PERSON OR ENTITY THAT IS NOT AN AUTHORIZED USER SHALL  NOT  CAUSE
   17  COMPUTER  SOFTWARE  TO BE COPIED ONTO THE COMPUTER OF A CONSUMER IN THIS
   18  STATE AND USE THE SOFTWARE TO DO ANY OF THE FOLLOWING:
   19    (A) TAKE CONTROL OF THE  CONSUMER'S  COMPUTER  BY  DOING  ANY  OF  THE
   20  FOLLOWING:
   21    (I)  TRANSMITTING OR RELAYING COMMERCIAL ELECTRONIC MAIL OR A COMPUTER
   22  VIRUS FROM THE CONSUMER'S COMPUTER, WHERE THE TRANSMISSION  OR  RELAYING
   23  IS  INITIATED BY A PERSON OTHER THAN THE AUTHORIZED USER AND WITHOUT THE
   24  AUTHORIZATION OF AN AUTHORIZED USER; OR
   25    (II) OPENING MULTIPLE, SEQUENTIAL, STAND-ALONE ADVERTISEMENTS  IN  THE
   26  CONSUMER'S  INTERNET  BROWSER WITHOUT THE AUTHORIZATION OF AN AUTHORIZED
   27  USER AND WITH KNOWLEDGE THAT A REASONABLE COMPUTER USER CANNOT CLOSE THE
   28  ADVERTISEMENTS WITHOUT TURNING OFF THE COMPUTER OR CLOSING  THE  CONSUM-
   29  ER'S INTERNET BROWSER.
   30    (B)  MODIFY  ANY  OF  THE FOLLOWING SETTINGS RELATED TO THE COMPUTER'S
   31  ACCESS TO, OR USE OF, THE INTERNET:
   32    (I) AN AUTHORIZED USER'S  SECURITY  OR  OTHER  SETTINGS  THAT  PROTECT
   33  INFORMATION  ABOUT  THE  AUTHORIZED  USER  FOR  THE  PURPOSE OF STEALING
   34  PERSONAL INFORMATION OF AN AUTHORIZED USER; OR
   35    (II) THE SECURITY SETTINGS OF THE COMPUTER FOR THE PURPOSE OF  CAUSING
   36  DAMAGE TO ONE OR MORE COMPUTERS.
   37    (C)  PREVENT,  WITHOUT  THE  AUTHORIZATION  OF  AN AUTHORIZED USER, AN
   38  AUTHORIZED USER'S REASONABLE EFFORTS TO BLOCK THE INSTALLATION OF, OR TO
   39  DISABLE, SOFTWARE, BY DOING ANY OF THE FOLLOWING:
   40    (I) PRESENTING THE AUTHORIZED USER WITH AN OPTION TO DECLINE INSTALLA-
   41  TION OF SOFTWARE WITH KNOWLEDGE THAT, WHEN THE OPTION IS  SELECTED    BY
   42  THE AUTHORIZED USER, THE INSTALLATION NEVERTHELESS PROCEEDS; OR
   43    (II) FALSELY REPRESENTING THAT SOFTWARE HAS BEEN DISABLED.
   44    3.  (A) A PERSON OR ENTITY, WHO IS NOT AN AUTHORIZED USER SHALL NOT DO
   45  ANY OF THE FOLLOWING WITH REGARD TO THE COMPUTER OF A CONSUMER  IN  THIS
   46  STATE:
   47    (I) INDUCE AN AUTHORIZED USER TO INSTALL A SOFTWARE COMPONENT ONTO THE
   48  COMPUTER BY REPRESENTING THAT INSTALLING SOFTWARE IS NECESSARY FOR SECU-
   49  RITY  OR PRIVACY REASONS OR IN ORDER TO OPEN, VIEW, OR PLAY A PARTICULAR
   50  TYPE OF CONTENT; OR
   51    (II) CAUSE THE COPYING AND EXECUTION ON THE  COMPUTER  OF  A  COMPUTER
   52  SOFTWARE  COMPONENT WITH THE INTENT OF CAUSING AN AUTHORIZED USER TO USE
   53  THE COMPONENT IN A  WAY  THAT  VIOLATES  ANY  OTHER  PROVISION  OF  THIS
   54  SECTION.
   55    (B)  NOTHING  IN  THIS  SECTION  SHALL  APPLY TO ANY MONITORING OF, OR
   56  INTERACTION WITH, A SUBSCRIBER'S INTERNET OR OTHER NETWORK CONNECTION OR
       S. 3230                             4
    1  SERVICE, OR A PROTECTED COMPUTER, BY A TELECOMMUNICATIONS CARRIER, CABLE
    2  OPERATOR, COMPUTER HARDWARE OR SOFTWARE PROVIDER, OR PROVIDER OF  INFOR-
    3  MATION  SERVICE  OR INTERACTIVE COMPUTER SERVICE FOR NETWORK OR COMPUTER
    4  SECURITY  PURPOSES,  DIAGNOSTICS,  TECHNICAL SUPPORT, REPAIR, AUTHORIZED
    5  UPDATES OF SOFTWARE OR SYSTEM FIRMWARE, AUTHORIZED REMOTE SYSTEM MANAGE-
    6  MENT, OR DETECTION OR PREVENTION OF THE UNAUTHORIZED USE OF  OR  FRAUDU-
    7  LENT  OR OTHER ILLEGAL ACTIVITIES IN CONNECTION WITH A NETWORK, SERVICE,
    8  OR COMPUTER SOFTWARE,  INCLUDING  SCANNING  FOR  AND  REMOVING  SOFTWARE
    9  PRESCRIBED UNDER THIS ARTICLE.
   10    (C)  ANY  PROVISION  OF  A  CONTRACT OR AN AGREEMENT ENTERED INTO BY A
   11  CONSUMER THAT DECEIVES A CONSUMER AND THAT PURPORTS OR MAY BE  CONSTRUED
   12  TO  AUTHORIZE,  DIVERT,  OR  REQUIRE  ANYTHING  THAT  WOULD CONSTITUTE A
   13  VIOLATION OF ANY OF THE PROVISIONS OF THIS SECTION IS HEREBY DECLARED TO
   14  BE VOID AS AGAINST PUBLIC POLICY AND SHALL NOT BE ENFORCEABLE.
   15    S 494. ENFORCEMENT. THE ATTORNEY GENERAL  MAY  BRING  A  CIVIL  ACTION
   16  AGAINST  ANY  PERSON  WHO VIOLATES THIS ARTICLE TO ENFORCE THE VIOLATION
   17  AND MAY RECOVER ANY OR ALL OF THE FOLLOWING:
   18    1. A CIVIL PENALTY OF FIVE HUNDRED DOLLARS PER VIOLATION OF THIS ARTI-
   19  CLE;
   20    2. COSTS AND A REASONABLE ATTORNEYS' FEE; AND
   21    3. AN ORDER TO ENJOIN THE VIOLATION.
   22    S 2. Severability. If any clause, sentence, paragraph, section or part
   23  of this act shall be adjudged by any court of competent jurisdiction  to
   24  be  invalid,  such  judgement shall not affect, impair or invalidate the
   25  remainder thereof, but shall be confined in its operation to the clause,
   26  sentence, paragraph, section or part thereof directly  involved  in  the
   27  controversy in which such judgement shall have been rendered.
   28    S  3.  This  act shall take effect on the ninetieth day after it shall
   29  have become a law.