STATE OF NEW YORK
7358
IN SENATE
May 14, 2014

Introduced by Sen. GOLDEN -- read twice and ordered printed, and when printed to be committed to the Committee on Energy and Telecommunications

AN ACT to amend the executive law, the general business law and the state technology law, in relation to the New York state online privacy act

THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEMBLY, DO ENACT AS FOLLOWS:

EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets [ ] is old law to be omitted.
LBD14411-04-4

Section 1. The executive law is amended by adding a new article 10-A to read as follows:

ARTICLE 10-A
OFFICE OF PRIVACY PROTECTION
SECTION 205. OFFICE OF PRIVACY PROTECTION; CREATED.
205-A. ADMINISTRATION.
205-B. PRIVACY PROTECTION ADVISORY COMMITTEE.
205-C. RESPONSIBILITIES.
205-D. CONSTRUCTION.
205-E. REPORT.

§ 205. OFFICE OF PRIVACY PROTECTION; CREATED. THE OFFICE OF PRIVACY PROTECTION IS HEREBY CREATED IN THE EXECUTIVE DEPARTMENT. ITS PURPOSE SHALL BE TO PROMOTE AND PROTECT THE PRIVACY OF PERSONAL INFORMATION OF INDIVIDUALS.

§ 205-A. ADMINISTRATION. THE OFFICE SHALL BE HEADED BY A COMMISSIONER OF PRIVACY PROTECTION WHO SHALL BE APPOINTED BY THE GOVERNOR BY AND WITH THE ADVICE AND CONSENT OF THE SENATE, AND WHO SHALL HOLD OFFICE AT THE PLEASURE OF THE GOVERNOR. THE COMMISSIONER SHALL POSSESS SUCH RIGHTS, POWERS, AND DUTIES IN CONNECTION WITH PRIVACY PROTECTION AS ARE EXPRESSED OR REASONABLY IMPLIED BY THIS CHAPTER OR OTHER APPLICABLE LAWS OF THIS STATE RELATING TO THE ONLINE PRIVACY OF INDIVIDUALS.

§ 205-B. PRIVACY PROTECTION ADVISORY COMMITTEE. THERE IS HEREBY CREATED THE PRIVACY PROTECTION ADVISORY COMMITTEE, WHICH SHALL CONSIST OF THE FOLLOWING EX OFFICIO MEMBERS OR THEIR DESIGNEES: THE SECRETARY OF STATE, THE ATTORNEY GENERAL, THE COMMISSIONER OF THE DIVISION OF HOMELAND SECURITY AND EMERGENCY SERVICES, AND THE DIRECTOR OF THE OFFICE OF INFORMATION TECHNOLOGY SERVICES. IN ADDITION, THERE SHALL BE APPOINTED BY THE GOVERNOR BY AND WITH THE ADVICE AND CONSENT OF THE SENATE, FIVE PERSONS WHO HAVE BEEN EMPLOYED AT THE LEVEL OF EXECUTIVE OFFICER IN COMPANIES IN THE INFORMATION TECHNOLOGY INDUSTRY FOR A PERIOD OF FIVE YEARS OR MORE OR AS A PRIVACY COMPLIANCE OFFICER FOR SUCH PERIOD, OR AS A CONSULTANT OR ACADEMIC RESEARCHER OR TEACHER OR LAWYER OR HOLDING A SIMILAR POSITION REQUIRING EXPERTISE IN THE FIELD OF PRIVACY AND INFORMATION TECHNOLOGY FOR A PERIOD OF FIVE YEARS OR MORE. THE DIRECTOR OF THE OFFICE OF INFORMATION TECHNOLOGY SERVICES SHALL BE CHAIR OF THE ADVISORY COMMITTEE.

EACH MEMBER OF THE COMMITTEE SHALL BE APPOINTED FOR TERMS OF TWO YEARS. ANY MEMBER MAY BE REAPPOINTED FOR ADDITIONAL TERMS. THE ADVISORY COMMITTEE SHALL MEET NO LESS THAN THREE TIMES EACH YEAR, OR MORE IF ITS BUSINESS REQUIRES. THE ADVISORY COMMITTEE SHALL ADVISE THE COMMISSIONER ON ALL MATTERS RELATING TO PRIVACY CONCERNS, AND ON SUCH OTHER MATTERS AS THE COMMISSIONER SHALL REQUEST. MEMBERS OF THE ADVISORY COMMITTEE SHALL RECEIVE NO COMPENSATION BUT SHALL BE ENTITLED TO ACTUAL AND NECESSARY TRAVELING AND OTHER EXPENSES WHILE ENGAGED IN THE PERFORMANCE OF SUCH MEMBER'S DUTIES HEREUNDER.

THE COMMITTEE SHALL HAVE THE FOLLOWING FUNCTIONS, POWERS AND DUTIES:
1. TO REVIEW AND COMMENT, AS IT DEEMS APPROPRIATE, ON ALL PROPOSED RULES AND REGULATIONS OF THE OFFICE;
2. TO PROVIDE GUIDANCE AND SUPPORT TO THE OFFICE IN THE DEVELOPMENT OF PRIVACY POLICIES OR RECOMMENDATIONS;
3. TO MAKE RECOMMENDATIONS CONCERNING SURVEYS AND REPORTS; AND
4. TO PERFORM SUCH OTHER ACTS AS MAY BE ASSIGNED BY THE CHAIR OF THE COMMITTEE WHICH ARE NECESSARY OR APPROPRIATE TO CARRY OUT THE FUNCTIONS OF THE COMMITTEE.

§ 205-C. RESPONSIBILITIES. THE OFFICE OF PRIVACY PROTECTION SHALL:
1. RECEIVE COMPLAINTS CONCERNING VIOLATIONS OF ARTICLES THIRTY-NINE-H AND THIRTY-NINE-F OF THE GENERAL BUSINESS LAW AND VIOLATIONS OF OTHER PRIVACY-RELATED LAWS, INCLUDING IDENTITY THEFT AND IDENTITY FRAUD, AND SECTIONS THREE HUNDRED NINETY-NINE-DDD AND THREE HUNDRED NINETY-NINE-DDDD OF THIS CHAPTER, AND SHALL REFER, WHERE APPROPRIATE, SUCH COMPLAINTS TO LOCAL, STATE, OR FEDERAL AGENCIES WHERE SUCH AGENCIES ARE AVAILABLE TO ASSIST, AND REQUEST REGULAR UPDATES ON ACTIVITIES UNDERTAKEN DUE TO SUCH REFERRALS FROM SUCH AGENCIES. SUCH AGENCIES TO WHICH COMPLAINTS HAVE BEEN REFERRED SHALL RESPOND TO ANY SUCH REQUESTS FOR UPDATES EXPEDITIOUSLY OR SHALL PROVIDE THE OFFICE WITH A WRITTEN SUMMARY OF REASONS WHY IT COULD NOT COMPLY WITH THE REQUEST;
2. PROVIDE INFORMATION, AND REFERRAL TO INDIVIDUALS AND ENTITIES ABOUT OBTAINING, COMPILING, MAINTAINING, USING, DISCLOSING, OR DISPOSING OF PERSONALLY IDENTIFIABLE INFORMATION IN A LAWFUL MANNER PURSUANT TO ARTICLES THIRTY-NINE-H AND THIRTY-NINE-F OF THIS CHAPTER, INCLUDING THE USE OF AND DISCLOSURE OF SOCIAL SECURITY NUMBERS PURSUANT TO SECTIONS THREE HUNDRED NINETY-NINE-DDD AND THREE HUNDRED NINETY-NINE-DDDD OF THE GENERAL BUSINESS LAW;
3. DEVELOP INFORMATIONAL AND EDUCATIONAL PROGRAMS AND MATERIALS TO FOSTER AND IMPROVE PUBLIC UNDERSTANDING CONCERNING THE ISSUES RELATED TO PRIVACY; AND
4. ASSIST AS REQUESTED IN THE TRAINING OF LOCAL, STATE, AND FEDERAL LAW ENFORCEMENT AGENCIES REGARDING IDENTITY THEFT AND OTHER PRIVACY-RELATED CRIMES.

§ 205-D. CONSTRUCTION. THE AUTHORITY OF THE OFFICE OF PRIVACY PROTECTION TO ADOPT REGULATIONS UNDER THIS ARTICLE SHALL BE LIMITED EXCLUSIVELY TO THOSE REGULATIONS NECESSARY TO IMPLEMENT SUBDIVISIONS ONE THROUGH FOUR OF SECTION TWO HUNDRED FIVE-C OF THIS ARTICLE. NOTHING CONTAINED HEREIN SHALL BE DEEMED TO APPLY TO THE LEGISLATURE OR THE JUDICIARY, OR, EXCEPT AS PROVIDED IN ARTICLES THIRTY-NINE-F AND THIRTY-NINE-H OF THIS CHAPTER, TO A STATE AGENCY AS SUCH TERM IS DEFINED BY SECTION ONE HUNDRED ONE OF THE NEW YORK STATE TECHNOLOGY LAW.

§ 205-E. REPORT. THE OFFICE SHALL REPORT ANNUALLY ON THE THIRTIETH OF JANUARY EACH YEAR TO THE GOVERNOR, THE TEMPORARY PRESIDENT OF THE SENATE, THE SPEAKER OF THE ASSEMBLY, THE MINORITY LEADERS OF THE SENATE BEGINNING IN THE FIRST CALENDAR YEAR AFTER THE EFFECTIVE DATE OF THIS SECTION.
1. THE NUMBER OF COMPLAINTS RECEIVED AND THE REFERRALS MADE BY CATEGORY OR CLASS OF COMPLAINT.
2. THE NUMBERS OF INVESTIGATIONS UNDERTAKEN BY THE OFFICE, THE CATEGORIES OF SUCH INVESTIGATIONS, AND THE NUMBERS OF CLOSED CASES OF SUCH INVESTIGATIONS.
3. RECOMMENDATIONS CONCERNING IMPROVEMENTS IN PRIVACY LAWS AND PROCEDURES.

§ 2. Section 399-ddd of the general business law, as added by chapter 372 of the laws of 2012, is renumbered section 399-dddd.

§ 3. Article 40 and sections 900 and 901 of the general business law, as renumbered by chapter 407 of the laws of 1973, are renumbered article 45 and sections 950 and 951.

§ 4. The general business law is amended by adding a new article 39-H to read as follows:

ARTICLE 39-H
NEW YORK STATE ONLINE PRIVACY ACT
SECTION 900. SHORT TITLE.
901. DEFINITIONS.
902. PURPOSE, APPLICATION, EXCEPTIONS, AND WAIVER.
903. REQUIREMENT FOR PRIVACY POLICY AND CONFIDENTIALITY.
904. PRIVACY PROTECTION FOR MINORS.
905. RESPONSIBILITIES CONCERNING PRIVACY POLICIES AND SOCIAL MEDIA.
906. REQUIREMENT TO REPORT A SECURITY BREACH.
907. LIABILITY FOR FAILURE TO COMPLY.
908. ENFORCEMENT.

§ 900. SHORT TITLE. THIS ARTICLE SHALL BE KNOWN AND MAY BE CITED AS THE "NEW YORK STATE ONLINE PRIVACY ACT".

§ 901. DEFINITIONS. AS USED IN THIS ARTICLE, THE FOLLOWING TERMS SHALL HAVE THE FOLLOWING MEANINGS:
1. "COLLECT" MEANS TO RECEIVE AND STORE INFORMATION, INCLUDING VIA COOKIE TECHNOLOGY, FOR PURPOSES OF RETRIEVAL IN ORDER TO INITIATE COMMUNICATION WITH OR MAKE DETERMINATIONS ABOUT THE PERSON WHO IS THE SUBJECT OF SUCH INFORMATION.
2. "COLLEGE" AND "UNIVERSITY" SHALL HAVE THE SAME MEANINGS AS SET FORTH IN SECTION TWO OF THE EDUCATION LAW.
3. "DISCLOSE" MEANS TO REVEAL, RELEASE, TRANSFER, DISSEMINATE OR OTHERWISE COMMUNICATE INFORMATION ORALLY, IN WRITING, OR BY ELECTRONIC OR OTHER MEANS, TO SOME PERSON OR ENTITY OTHER THAN TO THE PERSON WHO IS THE SUBJECT OF SUCH INFORMATION.
4. "MINOR" MEANS A NATURAL UNEMANCIPATED PERSON SIXTEEN YEARS OF AGE OR LESS WHO RESIDES IN THIS STATE AND IS NOT OTHERWISE INCLUDED IN RULES ISSUED BY THE FEDERAL TRADE COMMISSION PURSUANT TO THE CHILDREN'S ONLINE PRIVACY PROTECTION ACT.
5. "OPERATOR" MEANS A PERSON OR ENTITY THAT OWNS OR OPERATES A WEBSITE OR ONLINE SERVICE THAT COLLECTS PERSONALLY IDENTIFIABLE INFORMATION FROM A USER RESIDING IN THIS STATE WHO USES OR VISITS SUCH WEBSITE OR ONLINE SERVICE. IT DOES NOT INCLUDE A THIRD PARTY THAT HOSTS BUT DOES NOT OWN A WEBSITE OR ONLINE SERVICE ON BEHALF OF AN OPERATOR OR THAT PROCESSES INFORMATION ON BEHALF OF AN OWNER OR OPERATOR.
6. "PERSONALLY IDENTIFIABLE INFORMATION" INCLUDES THE CATEGORIES OF INFORMATION DESCRIBED IN THIS SUBDIVISION, BUT DOES NOT INCLUDE PUBLICLY AVAILABLE INFORMATION LAWFULLY MADE AVAILABLE TO THE GENERAL PUBLIC FROM FEDERAL, STATE, OR LOCAL GOVERNMENT RECORDS. PERSONALLY IDENTIFIABLE INFORMATION INCLUDES BUT IS NOT LIMITED TO THE FOLLOWING ITEMS OR ANY COMBINATION THEREOF:
(A) FIRST NAME;
(B) LAST NAME;
(C) HOME OR OTHER PHYSICAL ADDRESS;
(D) AGE;
(E) DATE OF BIRTH;
(F) NAMES, AGE, GENDER, TELEPHONE NUMBER OR ELECTRONIC MAIL OR OTHER ADDRESSES OF CHILDREN;
(G) HEIGHT, WEIGHT, RACE, RELIGION, OCCUPATION, OR POLITICAL PARTY AFFILIATION;
(H) E-MAIL ADDRESS;
(I) TELEPHONE NUMBER;
(J) SOCIAL SECURITY NUMBER;
(K) INFORMATION PERTAINING TO BANK ACCOUNTS, INVESTMENT ACCOUNTS, CREDIT OR DEBIT CARDS, OR BALANCES OR ACCOUNT NUMBERS OF ANY OF THESE;
(L) ANY SECURITY CODE, ACCESS CODE, OR PASSWORD THAT WOULD PERMIT ACCESS TO AN INDIVIDUAL'S FINANCIAL ACCOUNT OR OTHER ONLINE ACCOUNT;
(M) MEDICAL INFORMATION, INCLUDING ANY INFORMATION REGARDING AN INDIVIDUAL'S MEDICAL HISTORY, MENTAL OR PHYSICAL CONDITION, OR MEDICAL TREATMENT OR DIAGNOSIS BY A HEALTH CARE PROFESSIONAL, INCLUDING DRUGS, THERAPIES, OR MEDICAL PRODUCTS OR EQUIPMENT USED; AND
(N) HEALTH INSURANCE INFORMATION, INCLUDING AN INDIVIDUAL'S HEALTH INSURANCE POLICY NUMBER OR SUBSCRIBER IDENTIFICATION NUMBER, ANY UNIQUE IDENTIFIER USED BY A HEALTH CARE INSURER TO IDENTIFY THE INDIVIDUAL, OR ANY INFORMATION IN AN INDIVIDUAL'S APPLICATION AND CLAIMS HISTORY, INCLUDING ANY APPEALS RECORDS.
7. "POSTED" MEANS INFORMATION THAT CAN BE ACCESSED BY ANOTHER USER OR USERS IN ADDITION TO THE ORIGINAL USER WHO POSTED THE INFORMATION, IRRESPECTIVE OF WHETHER SUCH ADDITIONAL USER OR USERS ARE REGISTERED USERS OF THE WEBSITE OR ONLINE SERVICE WHERE THE INFORMATION IS POSTED.
8. "PUBLICLY POST" OR "PUBLICLY DISPLAY" MEANS TO INTENTIONALLY COMMUNICATE OR OTHERWISE MAKE AVAILABLE TO THE GENERAL PUBLIC.
9. "CONSPICUOUSLY POST" WITH RESPECT TO A PRIVACY POLICY INCLUDES POSTING ON OR THROUGH ANY OF THE FOLLOWING:
(A) A WEB PAGE ON WHICH THE PRIVACY POLICY IS POSTED IF THE WEB PAGE IS THE HOMEPAGE OR FIRST SIGNIFICANT PAGE A USER ENCOUNTERS ON ENTERING THE WEBSITE;
(B) AN ICON OR TEXT LINK THAT HYPERLINKS TO A WEB PAGE ON WHICH THE PRIVACY POLICY IS POSTED, IF THE ICON IS LOCATED ON THE HOMEPAGE OR THE FIRST SIGNIFICANT PAGE AFTER ENTERING THE WEBSITE, AND IF THE ICON CONTAINS THE WORDS "PRIVACY POLICY." THE ICON SHALL ALSO USE A COLOR THAT CONTRASTS WITH THE BACKGROUND COLOR OF THE WEB PAGE AND IS SET IN TYPE EQUAL TO OR GREATER IN SIZE THAN THE SURROUNDING TEXT ON THE WEBSITE OR IS OTHERWISE DISTINGUISHABLE. IF A TEXT LINK, THEN THE LINK MUST INCLUDE THE WORDS "PRIVACY POLICY" IN CAPITAL LETTERS EQUAL TO OR GREATER IN SIZE AND IN FONT AND COLOR THAT CONTRASTS WITH THE SURROUNDING TEXT; OR
(C) IN THE CASE OF AN ONLINE SERVICE, ANY OTHER REASONABLY ACCESSIBLE MEANS OF MAKING THE PRIVACY POLICY AVAILABLE FOR USERS OF THE ONLINE SERVICE.
10. "PRIVACY POLICY" MEANS A POLICY CONCERNING THE PRIVACY OF PERSONALLY IDENTIFIABLE INFORMATION COLLECTED BY AN OPERATOR THROUGH ITS WEBSITE OR ONLINE SERVICE THAT DOES THE FOLLOWING:
(A) IDENTIFIES THE CATEGORIES OF PERSONALLY IDENTIFIABLE INFORMATION THAT THE OPERATOR COLLECTS THROUGH THE WEBSITE OR ONLINE SERVICE ABOUT USERS WHO USE OR VISIT ITS WEBSITE OR ONLINE SERVICE AND THE USE OF THAT INFORMATION;
(B) STATES THE MEANS BY WHICH PERSONALLY IDENTIFIABLE INFORMATION IS COLLECTED AND WHETHER SUCH COLLECTION OCCURS ACTIVELY OR PASSIVELY, AND WHETHER SUCH COLLECTION IS VOLUNTARY AND THE CONSEQUENCES, IF ANY, OF A REFUSAL TO PROVIDE THE INFORMATION;
(C) IDENTIFIES THE CATEGORIES OF THIRD-PARTY PERSONS OR ENTITIES WITH WHOM THE OPERATOR MAY SHARE PERSONALLY IDENTIFIABLE INFORMATION;
(D) DISCLOSES WHETHER OTHER PARTIES MAY COLLECT PERSONALLY IDENTIFIABLE INFORMATION ABOUT A USER'S ACTIVITIES OVER TIME AND ACROSS DIFFERENT WEBSITES AND ONLINE SERVICES WHEN SUCH USER CONNECTED TO THE OPERATOR'S WEBSITE OR SERVICE;
(E) STATES WHETHER ANY PERSONALLY IDENTIFIABLE INFORMATION COLLECTED WILL BE RETAINED BY THE OPERATOR, AND, IF SO, THE CATEGORIES OF SUCH PERSONALLY IDENTIFIABLE INFORMATION RETAINED AND THE PERIOD OF TIME OVER WHICH IT WILL BE RETAINED, THE STEPS THE OPERATOR TAKES TO PROTECT THE CONFIDENTIALITY AND INTEGRITY OF THE INFORMATION, INCLUDING THE CATEGORIES OF CONTROLS OF CLOUD SECURITY ARCHITECTURE IF INFORMATION IS STORED ON THE CLOUD, AND THE OPERATOR'S PROCEDURE FOR DESTROYING SUCH INFORMATION ON TERMINATION OF THE USER'S SUBSCRIPTION OR CANCELLATION OF ACCESS TO OR USE OF THE WEBSITE OR THE ONLINE SERVICE;
(F) DESCRIBES THE PROCEDURES BY WHICH A USER MAY GAIN ACCESS TO HIS OR HER PERSONALLY IDENTIFIABLE INFORMATION, AND WHETHER THE OPERATOR MAINTAINS A PROCESS FOR A USER TO REVIEW AND MAKE, OR REQUEST AND OBTAIN, CHANGES TO ANY SUCH PERSONALLY IDENTIFIABLE INFORMATION COLLECTED THROUGH THE WEBSITE OR ONLINE SERVICE. IF THERE IS SUCH A PROCESS, THE OPERATOR SHALL PROVIDE A DESCRIPTION OF THAT PROCESS. IF AN OPERATOR COLLECTS SUCH INFORMATION BUT DOES NOT PROVIDE A MEANS FOR A USER OF ITS WEBSITE OR ONLINE SERVICE TO OBTAIN SUCH CHANGES, IT SHALL CONSPICUOUSLY POST THE STATEMENT, "THIS WEBSITE OR ONLINE SERVICE COLLECTS PERSONALLY IDENTIFIABLE INFORMATION FROM ITS USERS AND DOES NOT ALLOW THE USER TO REVIEW OR CHANGE SUCH INFORMATION";
(G) DESCRIBES THE PROCESS BY WHICH THE OPERATOR NOTIFIES USERS OF MATERIAL CHANGES TO THE OPERATOR'S PRIVACY POLICY FOR THAT WEBSITE OR ONLINE SERVICE; AND
(H) DISCLOSES HOW THE OPERATOR RESPONDS TO WEB BROWSER "DO NOT TRACK" SIGNALS OR OTHER MECHANISMS THAT ALLOW USERS TO EXERCISE CHOICE REGARDING THE COLLECTION OF PERSONALLY IDENTIFIABLE INFORMATION. AN OPERATOR MAY SATISFY THIS REQUIREMENT BY PROVIDING A CLEAR AND CONSPICUOUS HYPERLINK IN THE OPERATOR'S PRIVACY POLICY TO AN ONLINE LOCATION CONTAINING A DESCRIPTION, INCLUDING THE EFFECTS, OF ANY PROGRAM OR PROTOCOL THE OPERATOR FOLLOWS THAT OFFERS THE USER TO EXERCISE SUCH CHOICE.
11. "SOCIAL MEDIA" MEANS AN INTERNET-BASED SERVICE THAT ALLOWS INDIVIDUALS TO ENGAGE IN ACTIVITIES WHICH INCLUDE BUT ARE NOT LIMITED TO THE FOLLOWING: CONSTRUCT A PUBLIC OR SEMI-PUBLIC PROFILE WITHIN A BOUNDED SYSTEM, CREATED BY THE SERVICE; CREATE A LIST OF OTHER USERS WITH WHOM THEY SHARE A CONNECTION WITHIN THE SYSTEM; AND VIEW AND NAVIGATE THEIR LIST OF CONNECTIONS AND THOSE MADE BY OTHERS WITHIN THE SYSTEM. SOCIAL MEDIA INCLUDES FACEBOOK, E-MAIL, AND TWITTER ACCOUNTS, AND OTHER SIMILAR SERVICES, AND WEBSITES AND ONLINE SERVICES WHICH INCLUDE THE ACTIVITIES DESCRIBED IN THIS SUBDIVISION, AND THE DIGITAL MEDIA CONTAINED IN THOSE SITES, INCLUDING PHOTOS, VIDEOS, TEXTS AND E-MAIL MESSAGES.
12. "SECURITY BREACH" OR "BREACH OF SECURITY" OF THE SYSTEM HAS THE SAME MEANING AS "BREACH OF SECURITY OF THE SYSTEM" AS DEFINED IN ARTICLE THIRTY-NINE-F OF THIS CHAPTER.
13. "USER" MEANS AN INDIVIDUAL WHO USES THE INTERNET TO ACCESS A WEBSITE OR ONLINE SERVICE OR SOCIAL MEDIA.
14. "WEBSITE OR ONLINE SERVICE" MEANS AND INCLUDES A WEBSITE, ONLINE SERVICE, ONLINE APPLICATION, MOBILE APPLICATION, ELECTRONIC SERVICE OR ACCOUNT, THAT CONTAINS ELECTRONIC CONTENT, INCLUDING BUT NOT LIMITED TO VIDEOS, STILL PHOTOGRAPHS, BLOGS, VIDEO BLOGS, PODCASTS, INSTANT AND TEXT MESSAGES, E-MAIL, ONLINE SERVICES OR ACCOUNTS, OR WEBSITE PROFILES OR LOCATIONS.
15. "WEBSITE OR ONLINE SERVICE DIRECTED TO MINORS" MEANS A WEBSITE OR ONLINE SERVICE OR PORTION THEREOF CREATED, DEVELOPED, OR USED FOR THE PURPOSE OF REACHING AN AUDIENCE PREDOMINANTLY COMPRISED OF MINORS, AND NOT DESIGNED OR INTENDED FOR A MORE GENERAL AUDIENCE COMPRISED OF ADULTS; PROVIDED, HOWEVER, THAT REFERRING OR LINKING VIA SUCH INFORMATION LOCATION TOOLS AS A DIRECTORY, INDEX, REFERENCE, POINTER, OR HYPERTEXT LINK TO A WEBSITE, ONLINE SERVICE, ONLINE APPLICATION, OR MOBILE APPLICATION DIRECTED TO MINORS SHALL NOT BE DEEMED TO QUALIFY SUCH WEBSITE OR ONLINE SERVICE AS ONE CREATED, DEVELOPED, OR USED FOR THE PURPOSE OF REACHING AN AUDIENCE PREDOMINANTLY COMPRISED OF MINORS.

§ 902. PURPOSE, APPLICATION, EXCEPTIONS, AND WAIVER. 1. THE PURPOSE OF THIS ARTICLE IS TO HELP SAFEGUARD THE PRIVACY OF PERSONALLY IDENTIFIABLE INFORMATION OF USERS OF WEBSITES AND ONLINE SERVICES BY: ESTABLISHING REQUIREMENTS FOR THE CONFIDENTIAL TREATMENT OF SUCH INFORMATION BY THE OPERATORS OF WEBSITES AND ONLINE SERVICES; REQUIRING DISCLOSURE TO USERS OF THE PRIVACY POLICY OF SUCH WEBSITES OR ONLINE SERVICES; PROVIDE TO USERS WHO ARE MINORS OVER THE AGE OF THIRTEEN THE SAME PROTECTION AFFORDED BY THE RULES ISSUED BY THE FEDERAL TRADE COMMISSION PURSUANT TO THE CHILDREN'S ONLINE PRIVACY PROTECTION ACT FOR CHILDREN UNDER THE AGE OF THIRTEEN; TO RESTRICT ACCESS TO SOCIAL NETWORKING INFORMATION OF USERS BY CERTAIN EDUCATIONAL INSTITUTIONS AND EMPLOYERS; TO REQUIRE IMMEDIATE REPORTING OF A SECURITY BREACH OF PERSONALLY IDENTIFIABLE INFORMATION; AND TO ESTABLISH PENALTIES FOR VIOLATIONS.
2. THE PROVISIONS OF THIS ARTICLE SHALL NOT APPLY TO ANY WEBSITE OR ONLINE SERVICE THAT DOES NOT COLLECT PERSONALLY IDENTIFIABLE INFORMATION CONCERNING USERS, ANY AGENCY OR POLITICAL SUBDIVISION OF THE STATE OR THE FEDERAL GOVERNMENT, OR A FINANCIAL INSTITUTION THAT HAS ADOPTED SAFEGUARDS THAT COMPLY WITH THE STANDARDS ESTABLISHED PURSUANT TO SECTION 501(B) OF THE GRAMM-LEACH-BLILEY ACT OF 1999, 15 USC 6801. ANY GROUP DESCRIBED IN THIS SUBDIVISION MAY CONSPICUOUSLY POST A STATEMENT ON ITS WEBSITE OR WITH OR THROUGH ITS ONLINE SERVICE THAT STATES THAT IT DOES NOT COLLECT PERSONALLY IDENTIFIABLE INFORMATION OR IS NOT COVERED BY THE PROVISIONS OF THIS ARTICLE WITH A STATEMENT AS TO THE REASONS FOR SUCH EXCLUSION.
3. ANY OTHER PROVISION OF THIS ARTICLE TO THE CONTRARY NOTWITHSTANDING, AN OPERATOR MAY DISCLOSE PERSONALLY IDENTIFIABLE INFORMATION ON A LIMITED BASIS IF THE DISCLOSURE IS MADE:
(A) PURSUANT TO A COURT ORDER, A GRAND JURY SUBPOENA, OR OTHERWISE PURSUANT TO REQUIREMENTS OF LAW;
(B) TO A COURT IN A CIVIL ACTION FOR CONVERSION COMMENCED BY THE OPERATOR OR IN A CIVIL ACTION TO ENFORCE COLLECTION OF UNPAID SUBSCRIPTION FEES OR PURCHASE AMOUNTS, AND THEN ONLY TO THE EXTENT NECESSARY TO ESTABLISH THE FACT OF THE SUBSCRIPTION DELINQUENCY OR PURCHASE AGREEMENT, AND WITH APPROPRIATE SAFEGUARDS AGAINST UNAUTHORIZED DISCLOSURE;
(C) FOR THE SOLE PURPOSE OF VALIDATING THE IDENTITY OR CREDIT-WORTHINESS OF THE USER OR FOR A FRAUD INVESTIGATION WHEN MADE TO ANOTHER ENTITY OR WHICH HAS THE EXPERTISE AND ABILITY TO PROVIDE SUCH VALIDATION OR TO A BUSINESS SUBSIDIARY OR RELATED ENTITY IF RESTRICTED TO DISCLOSURE SOLELY FOR A LEGITIMATE BUSINESS REASON;
(D) AT THE REQUEST OF THE USER;
(E) WHEN THE INFORMATION IS TO BE USED FOR ANY BUSINESS FUNCTION PERMITTED OR ALLOWED UNDER THE GRAMM LEACH BLILEY ACT, P.L. 106-102 (1999) BY ANY ENTITY REGULATED BY SUCH ACT;
(F) IN CONNECTION WITH A REQUEST FOR CREDIT OR A CREDIT TRANSACTION INITIATED BY THE USER OR IN CONNECTION WITH A LAWFUL REQUEST FOR A CONSUMER REPORT OR INVESTIGATIVE CONSUMER REPORT, AS SUCH TERMS ARE DEFINED IN SECTION THREE HUNDRED EIGHTY-A OF THIS CHAPTER;
(G) FOR PURPOSES OF EMPLOYMENT, INCLUDING IN THE COURSE OF ADMINISTRATION OF A CLAIM, BENEFIT, OR PROCEDURE RELATED TO THE INDIVIDUAL'S EMPLOYMENT BY THE PERSON, INCLUDING THE INDIVIDUAL'S TERMINATION FROM EMPLOYMENT, RETIREMENT, INJURY SUFFERED DURING THE COURSE OF EMPLOYMENT, OR TO CHECK ON AN UNEMPLOYMENT INSURANCE CLAIM OF THE INDIVIDUAL; OR
(H) SOLELY FOR STATISTICAL PURPOSES AND IS IN A FORM THAT CANNOT BE USED TO IDENTIFY ANY PARTICULAR PERSON.
4. THE PROVISIONS OF THIS ARTICLE SHALL BE EXCLUSIVE AND SHALL PREEMPT ANY PROVISIONS OF LOCAL LAW, ORDINANCE OR CODE, AND NO LOCALITY SHALL IMPOSE REQUIREMENTS THAT ARE INCONSISTENT WITH OR MORE RESTRICTIVE THAN THOSE SET FORTH IN THIS ARTICLE. WITH RESPECT TO SOCIAL SECURITY NUMBERS, THE PROVISIONS OF SECTION THREE HUNDRED NINETY-NINE-DDD AND THREE HUNDRED NINETY-NINE-DDDD OF THIS CHAPTER SHALL BE CONTROLLING.
5. ANY WAIVER OF A PROVISION OF THIS ARTICLE IS CONTRARY TO PUBLIC POLICY AND IS VOID AND UNENFORCEABLE.

§ 903. REQUIREMENT FOR PRIVACY POLICY AND CONFIDENTIALITY. 1. AN OPERATOR SHALL CONSPICUOUSLY POST ITS PRIVACY POLICY AND THE EFFECTIVE DATE OF THE POLICY ON ITS WEBSITE, OR IN THE CASE OF AN ONLINE SERVICE, MAKE THE POLICY AVAILABLE VIA E-MAIL OR OTHER ACCESSIBLE NOTIFICATION WHEN THE USER SIGNS INTO THE SERVICE. THE NOTICE SHALL INCLUDE A STATEMENT THAT A USER MAY REQUEST, IN WRITING OR BY E-MAIL, TO HAVE HIS OR HER E-MAIL ADDRESS KEPT CONFIDENTIAL AS REQUIRED BY THIS ARTICLE.
2. EXCEPT AS OTHERWISE PROVIDED IN THIS ARTICLE OR AUTHORIZED BY ANY OTHER SECTION OF LAW, AN OPERATOR SHALL KEEP CONFIDENTIAL AND SHALL NOT SHARE THE FOLLOWING ITEMS OF INFORMATION WITH ANY UNAUTHORIZED PARTY OR ENTITY:
(A) ALL PERSONALLY IDENTIFIABLE INFORMATION CONCERNING A USER, OTHER THAN THE E-MAIL ADDRESS OF THE USER, UNLESS THE USER GIVES PERMISSION, IN WRITING OR BY E-MAIL, TO THE OPERATOR TO DISCLOSE SUCH INFORMATION; AND
(B) THE E-MAIL ADDRESS OF THE USER, IF THE USER SO REQUESTS IN WRITING OR BY E-MAIL. UPON RECEIVING SUCH A REQUEST, AN OPERATOR SHALL KEEP CONFIDENTIAL AND SHALL NOT SHARE WITH ANY UNAUTHORIZED PARTY OR ENTITY THE E-MAIL ADDRESS OF THE USER, UNLESS THE USER GIVES PERMISSION IN WRITING OR BY E-MAIL, TO THE OPERATOR TO DISCLOSE SUCH E-MAIL ADDRESS.
3. OTHER PROVISIONS OF THIS ARTICLE TO THE CONTRARY NOTWITHSTANDING, THE PROVISIONS OF SECTIONS THREE HUNDRED NINETY-NINE-DDD AND THREE HUNDRED NINETY-NINE-DDDD OF THIS CHAPTER CONCERNING SOCIAL SECURITY NUMBERS SHALL APPLY TO WEBSITES AND ONLINE SERVICES, AND SHALL MEAN AND INCLUDE PORTIONS OF SOCIAL SECURITY NUMBERS. ANY PROVISION IN SUCH SECTIONS OF THIS CHAPTER ALLOWING FOR DISCLOSURE OF A SOCIAL SECURITY NUMBER UPON THE CONSENT OF AN INDIVIDUAL SHALL BE DEEMED TO MEAN THE EXPRESS CONSENT OF THE INDIVIDUAL.
4. AN OPERATOR SHALL DESTROY, ERASE, OR DELETE ANY COMPUTER FILES, DOCUMENTS, OR ELECTRONIC RECORDS CONTAINING PERSONALLY IDENTIFIABLE INFORMATION OF A USER WHO CANCELS THE ONLINE SERVICE OR WEBSITE SUBSCRIPTION, AND SHALL NOTIFY THE USER WHO CANCELS THE ONLINE SERVICE OR WEBSITE SUBSCRIPTION AND SHALL NOTIFY THE USER OF SUCH DESTRUCTION WITHIN FIVE DAYS OF SUCH CANCELLATION.
5. THE VOLUNTARY DISCLOSURE OF PERSONALLY IDENTIFIABLE INFORMATION TO A WEBSITE OR ONLINE SERVICE OF AN OPERATOR, WHETHER SOLICITED OR UNSOLICITED, SHALL BE DEEMED TO CONSTITUTE CONSENT TO THE COLLECTION OF SUCH INFORMATION BY THE OPERATOR SOLELY FOR THE PURPOSES FOR WHICH THE USER DISCLOSED IT, AS REASONABLY ASCERTAINABLE FROM THE NATURE AND TERMS OF THE DISCLOSURE, BUT SHALL NOT BE DEEMED TO CONSTITUTE CONSENT TO DISCLOSURE OF SUCH PERSONALLY IDENTIFIABLE INFORMATION TO ANY OTHER PARTY ABSENT EXPRESS CONSENT AS IS REQUIRED BY THIS ARTICLE OR WHICH IS EXPRESSLY OTHERWISE ALLOWED BY THIS ARTICLE.

§ 904. PRIVACY PROTECTION FOR MINORS. AN OPERATOR OF A WEBSITE OR ONLINE SERVICE WHICH IS REQUIRED TO COMPLY WITH THE RULES ISSUED BY THE FEDERAL TRADE COMMISSION PURSUANT TO THE CHILDREN'S ONLINE PRIVACY PROTECTION ACT WITH RESPECT TO MINORS UNDER THE AGE OF THIRTEEN SHALL PROVIDE THE SAME LEVEL OF ACTIVITY, PROTECTION, AND COMPLIANCE TO MINORS AS DEFINED HEREIN IRRESPECTIVE OF WHETHER SUCH WEBSITE OR ONLINE SERVICE OPERATES SOLELY WITHIN THE STATE.

§ 905. RESPONSIBILITIES CONCERNING PRIVACY POLICIES AND SOCIAL MEDIA. 1. AN EMPLOYER SHALL NOT REQUIRE OR REQUEST AN EMPLOYEE OR APPLICANT FOR EMPLOYMENT TO DISCLOSE A USERNAME OR PASSWORD FOR THE PURPOSE OF ACCESSING SOCIAL MEDIA, OR TO ACCESS SOCIAL MEDIA IN THE PRESENCE OF THE EMPLOYER, OR TO DIVULGE ANY SOCIAL MEDIA. AN EMPLOYER SHALL NOT DISCHARGE OR DISCIPLINE, OR OTHERWISE RETALIATE AGAINST AN EMPLOYEE OR APPLICANT FOR NOT COMPLYING WITH A REQUEST OR DEMAND BY THE EMPLOYER THAT VIOLATES THIS SUBDIVISION. THE FOREGOING TO THE CONTRARY NOTWITHSTANDING, NOTHING IN THIS SUBDIVISION SHALL AFFECT AN EMPLOYER'S EXISTING RIGHTS AND OBLIGATIONS TO REQUEST AN EMPLOYEE TO DIVULGE SOCIAL MEDIA REASONABLY BELIEVED TO BE RELEVANT TO AN INVESTIGATION OF ALLEGATIONS OF EMPLOYEE MISCONDUCT OR VIOLATION OF APPLICABLE LAWS AND REGULATIONS, PROVIDED THAT THE SOCIAL MEDIA IS USED SOLELY FOR PURPOSES OF SUCH INVESTIGATION OR FOR A RELATED PROCEEDING, OR SHALL BE DEEMED TO PRECLUDE AN EMPLOYER FROM REQUIRING OR REQUESTING AN EMPLOYEE TO DISCLOSE A USERNAME, PASSWORD, OR OTHER METHOD FOR THE PURPOSE OF ACCESSING AN EMPLOYER-ISSUED ELECTRONIC DEVICE, OR TO PROHIBIT AN EMPLOYER FROM TERMINATING OR OTHERWISE TAKING AN ADVERSE ACTION AGAINST AN EMPLOYEE OR APPLICANT AS MAY BE OTHERWISE PERMITTED BY LAW.
2. COLLEGES AND UNIVERSITIES, AND THEIR EMPLOYEES AND REPRESENTATIVES, SHALL NOT REQUIRE OR REQUEST A STUDENT, PROSPECTIVE STUDENT, OR STUDENT GROUP TO DISCLOSE A USER NAME OR PASSWORD FOR ACCESSING SOCIAL MEDIA, OR TO ACCESS SOCIAL MEDIA IN THE PRESENCE OF THE INSTITUTION'S EMPLOYEE OR REPRESENTATIVE, OR TO DIVULGE ANY SOCIAL MEDIA INFORMATION. NO COLLEGE OR UNIVERSITY SHALL SUSPEND, EXPEL, DISCIPLINE, OR OTHERWISE PENALIZE A STUDENT, PROSPECTIVE STUDENT, OR STUDENT GROUP IN ANY WAY FOR REFUSING TO COMPLY WITH A REQUEST OR DEMAND THAT VIOLATES THIS SUBDIVISION, PROVIDED HOWEVER THAT NOTHING CONTAINED IN THIS SUBDIVISION SHALL BE DEEMED TO AFFECT THE RIGHTS AND OBLIGATIONS OF A COLLEGE OR UNIVERSITY TO PROTECT AGAINST AND INVESTIGATE ALLEGED STUDENT MISCONDUCT OR VIOLATIONS OF APPLICABLE LAWS AND REGULATIONS, OR TO PROHIBIT SUCH INSTITUTION FROM TAKING ANY ADVERSE ACTION AGAINST A STUDENT, PROSPECTIVE STUDENT, OR STUDENT GROUP FOR ANY LAWFUL REASON OR TO PROHIBIT A STUDENT FROM VOLUNTARILY CONSENTING TO SUCH DISCLOSURE. A COLLEGE OR UNIVERSITY SHALL CONSPICUOUSLY POST ITS PRIVACY POLICY INCLUDING ITS PRIVACY POLICY REGARDING SOCIAL MEDIA.

§ 906. REQUIREMENT TO REPORT A SECURITY BREACH. WITHIN TWENTY-FOUR HOURS FOLLOWING DISCOVERY OR NOTIFICATION OF A SECURITY BREACH, PURSUANT TO ARTICLE THIRTY-NINE-F OF THIS CHAPTER, AN OPERATOR SHALL INFORM THE OFFICE OF PRIVACY PROTECTION AS TO THE BREACH, THE DATE AND EXTENT OF THE BREACH, THE CATEGORIES OF PERSONALLY IDENTIFIABLE INFORMATION THAT WERE OR ARE REASONABLY BELIEVED TO HAVE BEEN THE SUBJECT OF THE BREACH, THE NUMBER OF CONSUMERS AFFECTED, THE GEOGRAPHIC AREA OF THE BREACH, AND TOLL-FREE TELEPHONE NUMBERS OF COMPANY REPRESENTATIVES ASSIGNED TO PROVIDE INFORMATION CONCERNING THE BREACH. AN OPERATOR SHALL ADDITIONALLY REPORT A SECURITY BREACH TO THE OFFICE OF INFORMATION TECHNOLOGY SERVICES WITHIN TWENTY-FOUR HOURS OF DISCOVERY OF ANY SECURITY BREACH AND SHALL INCLUDE THE ITEMS OF INFORMATION SPECIFIED IN ARTICLE FOUR OF THE STATE TECHNOLOGY LAW.

§ 907. LIABILITY FOR FAILURE TO COMPLY. 1. ANY OPERATOR WHICH IS NEGLIGENT IN FAILING TO COMPLY WITH ANY REQUIREMENT IMPOSED UNDER SECTION NINE HUNDRED THREE OF THIS ARTICLE WITH RESPECT TO A USER OF ITS WEBSITE OR ONLINE SERVICE IS LIABLE TO THAT USER IN AN AMOUNT EQUAL TO THE SUM OF ANY ACTUAL DAMAGES SUSTAINED AS A RESULT OF SUCH FAILURE, AND IN THE CASE OF ANY SUCCESSFUL ACTION TO ENFORCE ANY LIABILITY UNDER THIS SECTION, THE COSTS OF THE ACTION TOGETHER WITH REASONABLE ATTORNEY'S FEES AS DETERMINED BY THE COURT; PROVIDED HOWEVER THAT SOLELY WITH RESPECT TO AN ALLEGED FAILURE TO POST A PRIVACY POLICY, OR TO POST TIMELY, OR TO POST ALL THE INFORMATION REQUIRED, OR TO POST ACCURATE INFORMATION, AN OPERATOR MAY ASSERT AS A COMPLETE DEFENSE IN ANY ACTION IN LAW OR EQUITY THAT IT THEREAFTER PROVIDED SUCH INFORMATION TO ALL AFFECTED USERS WITHIN THIRTY DAYS OF THE DATE THAT OPERATOR KNEW OF SUCH FAILURE.
2. ANY PERSON WHO WILLFULLY VIOLATES THE PROVISIONS OF SUBDIVISION TWO OR THREE OF SECTION NINE HUNDRED THREE OR SECTION NINE HUNDRED SIX OF THIS ARTICLE SHALL BE ADDITIONALLY SUBJECT TO A CIVIL PENALTY NOT TO EXCEED ONE THOUSAND DOLLARS FOR EACH SUCH VIOLATION.
3. ANY OPERATOR WHO KNOWINGLY MAKES A FALSE OR MISLEADING STATEMENT IN A PRIVACY POLICY OR WHO FAILS TO PROVIDE PRIVACY PROTECTION FOR MINORS PURSUANT TO SECTION NINE HUNDRED FOUR AS REQUIRED BY THIS ARTICLE SHALL BE ADDITIONALLY SUBJECT TO A FINE OF FIVE HUNDRED DOLLARS FOR EACH SUCH VIOLATION, PROVIDED SUCH CIVIL PENALTY SHALL NOT EXCEED FIVE HUNDRED THOUSAND DOLLARS FOR ANY SINGLE EVENT.
4. ANY EMPLOYER WHO VIOLATES THE PROVISIONS OF SECTION NINE HUNDRED FIVE OF THIS ARTICLE SHALL BE SUBJECT TO THE CIVIL PENALTIES, REMEDIES, AND PROVISIONS IMPOSED PURSUANT TO SECTION SIX HUNDRED SEVENTY-FIVE OF THIS CHAPTER.
5. THE RIGHTS AND REMEDIES AVAILABLE UNDER THIS SECTION ARE CUMULATIVE TO EACH OTHER AND TO ANY OTHER RIGHTS AND REMEDIES AVAILABLE UNDER LAW.

§ 908. ENFORCEMENT. THE ATTORNEY GENERAL OR ANY DISTRICT ATTORNEY MAY APPLY FOR AN ORDER TEMPORARILY OR PERMANENTLY RESTRAINING AND ENJOINING ANY PERSON FROM VIOLATING ANY PROVISION OF THIS ARTICLE.

§ 5. The state technology law is amended by adding a new article 4 to read as follows:

ARTICLE 4
BREACH NOTIFICATION SERVICE
SECTION 401. BREACH NOTIFICATION SERVICE.

§ 401. BREACH NOTIFICATION SERVICE. THE OFFICE SHALL COLLABORATE WITH THE OFFICE OF PRIVACY PROTECTION TO CREATE A SERVICE TO BE HOUSED WITHIN THE OFFICE UNDER WHICH A COMPANY REQUIRED TO REPORT ON A SECURITY BREACH, AS SUCH TERM IS DEFINED IN ARTICLE THIRTY-NINE-E OF THE GENERAL BUSINESS LAW, SHALL BE REQUIRED TO POST THE FOLLOWING INFORMATION CONCERNING THE BREACH:
1. THE NAME OF THE COMPANY AND CONTACT INFORMATION OF THE OPERATOR OF THE WEBSITE OR SERVICE, WITH THE CONTACT INFORMATION TO INCLUDE A TOLL-FREE NUMBER;
2. THE DATE OF THE SECURITY BREACH AND THE NUMBER OF CONSUMERS AFFECTED;
3. THE GEOGRAPHIC AREA OF THE BREACH; AND
4. TOLL-FREE TELEPHONE NUMBERS AND ADDRESSES OF THE MAJOR CREDIT REPORTING AGENCIES.
THE SERVICE SHALL BE DESIGNED TO PROVIDE ONLINE NOTIFICATION CONCERNING SECURITY BREACHES TO CONSUMERS WHO REQUEST SUCH INFORMATION BASED ON GEOGRAPHY, TYPE OF CREDIT OR BANK CARD, BANKING OR FINANCIAL INSTITUTION, OR OTHER CATEGORIES OF INFORMATION AS SHALL BE PROVIDED IN THE SERVICE.

§ 6. This act shall take effect on the one hundred twentieth day after it shall have become a law.