Bill Text: NY S03973 | 2019-2020 | General Assembly | Introduced


Bill Title: Requires manufacturers of connected devices to equip such devices with reasonable security features.

Spectrum: Partisan Bill (Republican 1-0)

Status: (Introduced) 2019-02-22 - REFERRED TO INTERNET AND TECHNOLOGY [S03973 Detail]

Download: New_York-2019-S03973-Introduced.html


STATE OF NEW YORK
3973
2019-2020 Regular Sessions
IN SENATE
February 22, 2019

Introduced by Sen. GRIFFO -- read twice and ordered printed, and when printed to be committed to the Committee on Internet and Technology

AN ACT to amend the general business law, in relation to the security of connected devices

The People of the State of New York, represented in Senate and Assembly, do enact as follows:

Section 1. The general business law is amended by adding a new section 390-d to read as follows:

§ 390-d. Security of connected devices. 1. For the purposes of this section, the following terms have the following meanings:

(a) "Authentication" means a method of verifying the authority of a user, process, or device to access resources in an information system.

(b) "Connected device" means any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an internet protocol address or bluetooth address.

(c) "Manufacturer" means the person who manufactures, or contracts with another person to manufacture on the person's behalf, connected devices that are sold or offered for sale in the state. For the purposes of this section, a contract with another person to manufacture on the person's behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device.

(d) "Security feature" means a feature of a device designed to provide security for that device.

(e) "Unauthorized access, destruction, use, modification, or disclosure" means access, destruction, use, modification, or disclosure that is not authorized by the consumer.

2. (a) A manufacturer of a connected device shall equip such device with a reasonable security feature or features that are all of the following:

(1) Appropriate to the nature and function of the device.

(2) Appropriate to the information it may collect, contain, or transmit; and

(3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

(b) Subject to all of the requirements of paragraph (a) of this subdivision, if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under such paragraph if either of the following requirements are met:

(1) The preprogrammed password is unique to each device manufactured; or

(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

3. (a) This section shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.

(b) This section shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this section.

(c) This section shall not be construed to impose any duty upon the manufacturer of a connected device to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the user's discretion.

(d) This section shall not apply to any connected device the functionality of which is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.

(e) This section shall not be construed to provide a basis for a private right of action. The attorney general shall have the exclusive authority to enforce this section.

(f) The duties and obligations imposed by this section are cumulative with any other duties or obligations imposed under any other law, and shall not be construed to relieve any party from any duties or obligations imposed under any other law.

(g) This section shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.

(h) A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) shall not be subject to this section with respect to any activity regulated by such act.

§ 2. This act shall take effect on the first of January next succeeding the date on which it shall have become a law.

EXPLANATION--Matter in italics (underscored) is new; matter in brackets [ ] is old law to be omitted.

LBD01120-01-9