STATE OF NEW YORK

7358

IN SENATE

May 14, 2014

Introduced by Sen. GOLDEN -- read twice and ordered printed, and when printed to be committed to the Committee on Energy and Telecommunications

AN ACT to amend the executive law, the general business law and the state technology law, in relation to the New York state online privacy act

THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEMBLY, DO ENACT AS FOLLOWS:
EXPLANATION -- Matter in ITALICS (underscored) is new; matter in brackets [ ] is old law to be omitted.
LBD14411-04-4

Section 1. The executive law is amended by adding a new article 10-A to read as follows:

ARTICLE 10-A
OFFICE OF PRIVACY PROTECTION

SECTION 205. OFFICE OF PRIVACY PROTECTION; CREATED.
        205-A. ADMINISTRATION.
        205-B. PRIVACY PROTECTION ADVISORY COMMITTEE.
        205-C. RESPONSIBILITIES.
        205-D. CONSTRUCTION.
        205-E. REPORT.

§ 205. OFFICE OF PRIVACY PROTECTION; CREATED. THE OFFICE OF PRIVACY PROTECTION IS HEREBY CREATED IN THE EXECUTIVE DEPARTMENT. ITS PURPOSE SHALL BE TO PROMOTE AND PROTECT THE PRIVACY OF PERSONAL INFORMATION OF INDIVIDUALS.

§ 205-A. ADMINISTRATION. THE OFFICE SHALL BE HEADED BY A COMMISSIONER OF PRIVACY PROTECTION WHO SHALL BE APPOINTED BY THE GOVERNOR BY AND WITH THE ADVICE AND CONSENT OF THE SENATE, AND WHO SHALL HOLD OFFICE AT THE PLEASURE OF THE GOVERNOR. THE COMMISSIONER SHALL POSSESS SUCH RIGHTS, POWERS, AND DUTIES IN CONNECTION WITH PRIVACY PROTECTION AS ARE EXPRESSED OR REASONABLY IMPLIED BY THIS CHAPTER OR OTHER APPLICABLE LAWS OF THIS STATE RELATING TO THE ONLINE PRIVACY OF INDIVIDUALS.

§ 205-B. PRIVACY PROTECTION ADVISORY COMMITTEE. THERE IS HEREBY CREATED THE PRIVACY PROTECTION ADVISORY COMMITTEE, WHICH SHALL CONSIST OF THE FOLLOWING EX OFFICIO MEMBERS OR THEIR DESIGNEES: THE SECRETARY OF STATE, THE ATTORNEY GENERAL, THE COMMISSIONER OF THE DIVISION OF HOMELAND SECURITY AND EMERGENCY SERVICES, AND THE DIRECTOR OF THE OFFICE OF INFORMATION TECHNOLOGY SERVICES. IN ADDITION, THERE SHALL BE APPOINTED BY THE GOVERNOR BY AND WITH THE ADVICE AND CONSENT OF THE SENATE, FIVE PERSONS WHO HAVE BEEN EMPLOYED AT THE LEVEL OF EXECUTIVE OFFICER IN COMPANIES IN THE INFORMATION TECHNOLOGY INDUSTRY FOR A PERIOD OF FIVE YEARS OR MORE OR AS A PRIVACY COMPLIANCE OFFICER FOR SUCH PERIOD, OR AS A CONSULTANT OR ACADEMIC RESEARCHER OR TEACHER OR LAWYER OR HOLDING A SIMILAR POSITION REQUIRING EXPERTISE IN THE FIELD OF PRIVACY AND INFORMATION TECHNOLOGY FOR A PERIOD OF FIVE YEARS OR MORE. THE DIRECTOR OF THE OFFICE OF INFORMATION TECHNOLOGY SERVICES SHALL BE CHAIR OF THE ADVISORY COMMITTEE.
EACH MEMBER OF THE COMMITTEE SHALL BE APPOINTED FOR TERMS OF TWO YEARS. ANY MEMBER MAY BE REAPPOINTED FOR ADDITIONAL TERMS. THE ADVISORY COMMITTEE SHALL MEET NO LESS THAN THREE TIMES EACH YEAR, OR MORE IF ITS BUSINESS REQUIRES. THE ADVISORY COMMITTEE SHALL ADVISE THE COMMISSIONER ON ALL MATTERS RELATING TO PRIVACY CONCERNS, AND ON SUCH OTHER MATTERS AS THE COMMISSIONER SHALL REQUEST. MEMBERS OF THE ADVISORY COMMITTEE SHALL RECEIVE NO COMPENSATION BUT SHALL BE ENTITLED TO ACTUAL AND NECESSARY TRAVELING AND OTHER EXPENSES WHILE ENGAGED IN THE PERFORMANCE OF SUCH MEMBER'S DUTIES HEREUNDER.

THE COMMITTEE SHALL HAVE THE FOLLOWING FUNCTIONS, POWERS AND DUTIES:
1. TO REVIEW AND COMMENT, AS IT DEEMS APPROPRIATE, ON ALL PROPOSED RULES AND REGULATIONS OF THE OFFICE;
2. TO PROVIDE GUIDANCE AND SUPPORT TO THE OFFICE IN THE DEVELOPMENT OF PRIVACY POLICIES OR RECOMMENDATIONS;
3. TO MAKE RECOMMENDATIONS CONCERNING SURVEYS AND REPORTS; AND
4. TO PERFORM SUCH OTHER ACTS AS MAY BE ASSIGNED BY THE CHAIR OF THE COMMITTEE WHICH ARE NECESSARY OR APPROPRIATE TO CARRY OUT THE FUNCTIONS OF THE COMMITTEE.
§ 205-C. RESPONSIBILITIES. THE OFFICE OF PRIVACY PROTECTION SHALL:
1. RECEIVE COMPLAINTS CONCERNING VIOLATIONS OF ARTICLES THIRTY-NINE-H AND THIRTY-NINE-F OF THE GENERAL BUSINESS LAW AND VIOLATIONS OF OTHER PRIVACY-RELATED LAWS, INCLUDING IDENTITY THEFT AND IDENTITY FRAUD, AND SECTIONS THREE HUNDRED NINETY-NINE-DDD AND THREE HUNDRED NINETY-NINE-DDDD OF THIS CHAPTER, AND SHALL REFER, WHERE APPROPRIATE, SUCH COMPLAINTS TO LOCAL, STATE, OR FEDERAL AGENCIES WHERE SUCH AGENCIES ARE AVAILABLE TO ASSIST, AND REQUEST REGULAR UPDATES ON ACTIVITIES UNDERTAKEN DUE TO SUCH REFERRALS FROM SUCH AGENCIES. SUCH AGENCIES TO WHICH COMPLAINTS HAVE BEEN REFERRED SHALL RESPOND TO ANY SUCH REQUESTS FOR UPDATES EXPEDITIOUSLY OR SHALL PROVIDE THE OFFICE WITH A WRITTEN SUMMARY OF REASONS WHY IT COULD NOT COMPLY WITH THE REQUEST;
2. PROVIDE INFORMATION AND REFERRAL TO INDIVIDUALS AND ENTITIES ABOUT OBTAINING, COMPILING, MAINTAINING, USING, DISCLOSING, OR DISPOSING OF PERSONALLY IDENTIFIABLE INFORMATION IN A LAWFUL MANNER PURSUANT TO ARTICLES THIRTY-NINE-H AND THIRTY-NINE-F OF THIS CHAPTER, INCLUDING THE USE OF AND DISCLOSURE OF SOCIAL SECURITY NUMBERS PURSUANT TO SECTIONS THREE HUNDRED NINETY-NINE-DDD AND THREE HUNDRED NINETY-NINE-DDDD OF THE GENERAL BUSINESS LAW;
3. DEVELOP INFORMATIONAL AND EDUCATIONAL PROGRAMS AND MATERIALS TO FOSTER AND IMPROVE PUBLIC UNDERSTANDING CONCERNING THE ISSUES RELATED TO PRIVACY; AND
4. ASSIST AS REQUESTED IN THE TRAINING OF LOCAL, STATE, AND FEDERAL LAW ENFORCEMENT AGENCIES REGARDING IDENTITY THEFT AND OTHER PRIVACY-RELATED CRIMES.
§ 205-D. CONSTRUCTION. THE AUTHORITY OF THE OFFICE OF PRIVACY PROTECTION TO ADOPT REGULATIONS UNDER THIS ARTICLE SHALL BE LIMITED EXCLUSIVELY TO THOSE REGULATIONS NECESSARY TO IMPLEMENT SUBDIVISIONS ONE THROUGH FOUR OF SECTION TWO HUNDRED FIVE-C OF THIS ARTICLE. NOTHING CONTAINED HEREIN SHALL BE DEEMED TO APPLY TO THE LEGISLATURE OR THE JUDICIARY, OR, EXCEPT AS PROVIDED IN ARTICLES THIRTY-NINE-F AND THIRTY-NINE-H OF THIS CHAPTER, TO A STATE AGENCY AS SUCH TERM IS DEFINED BY SECTION ONE HUNDRED ONE OF THE NEW YORK STATE TECHNOLOGY LAW.

§ 205-E. REPORT. THE OFFICE SHALL REPORT ANNUALLY ON THE THIRTIETH OF JANUARY EACH YEAR TO THE GOVERNOR, THE TEMPORARY PRESIDENT OF THE SENATE, THE SPEAKER OF THE ASSEMBLY, THE MINORITY LEADERS OF THE SENATE BEGINNING IN THE FIRST CALENDAR YEAR AFTER THE EFFECTIVE DATE OF THIS SECTION.
1. THE NUMBER OF COMPLAINTS RECEIVED AND THE REFERRALS MADE BY CATEGORY OR CLASS OF COMPLAINT.
2. THE NUMBERS OF INVESTIGATIONS UNDERTAKEN BY THE OFFICE, THE CATEGORIES OF SUCH INVESTIGATIONS, AND THE NUMBERS OF CLOSED CASES OF SUCH INVESTIGATIONS.
3. RECOMMENDATIONS CONCERNING IMPROVEMENTS IN PRIVACY LAWS AND PROCEDURES.
§ 2. Section 399-ddd of the general business law, as added by chapter 372 of the laws of 2012, is renumbered section 399-dddd.

§ 3. Article 40 and sections 900 and 901 of the general business law, as renumbered by chapter 407 of the laws of 1973, are renumbered article 45 and sections 950 and 951.

§ 4. The general business law is amended by adding a new article 39-H to read as follows:

ARTICLE 39-H
NEW YORK STATE ONLINE PRIVACY ACT

SECTION 900. SHORT TITLE.
        901. DEFINITIONS.
        902. PURPOSE, APPLICATION, EXCEPTIONS, AND WAIVER.
        903. REQUIREMENT FOR PRIVACY POLICY AND CONFIDENTIALITY.
        904. PRIVACY PROTECTION FOR MINORS.
        905. RESPONSIBILITIES CONCERNING PRIVACY POLICIES AND SOCIAL MEDIA.
        906. REQUIREMENT TO REPORT A SECURITY BREACH.
        907. LIABILITY FOR FAILURE TO COMPLY.
        908. ENFORCEMENT.

§ 900. SHORT TITLE. THIS ARTICLE SHALL BE KNOWN AND MAY BE CITED AS THE "NEW YORK STATE ONLINE PRIVACY ACT".
§ 901. DEFINITIONS. AS USED IN THIS ARTICLE, THE FOLLOWING TERMS SHALL HAVE THE FOLLOWING MEANINGS:
1. "COLLECT" MEANS TO RECEIVE AND STORE INFORMATION, INCLUDING VIA COOKIE TECHNOLOGY, FOR PURPOSES OF RETRIEVAL IN ORDER TO INITIATE COMMUNICATION WITH OR MAKE DETERMINATIONS ABOUT THE PERSON WHO IS THE SUBJECT OF SUCH INFORMATION.
2. "COLLEGE" AND "UNIVERSITY" SHALL HAVE THE SAME MEANINGS AS SET FORTH IN SECTION TWO OF THE EDUCATION LAW.
3. "DISCLOSE" MEANS TO REVEAL, RELEASE, TRANSFER, DISSEMINATE OR OTHERWISE COMMUNICATE INFORMATION ORALLY, IN WRITING, OR BY ELECTRONIC OR OTHER MEANS, TO SOME PERSON OR ENTITY OTHER THAN TO THE PERSON WHO IS THE SUBJECT OF SUCH INFORMATION.
4. "MINOR" MEANS A NATURAL UNEMANCIPATED PERSON SIXTEEN YEARS OF AGE OR LESS WHO RESIDES IN THIS STATE AND IS NOT OTHERWISE INCLUDED IN RULES ISSUED BY THE FEDERAL TRADE COMMISSION PURSUANT TO THE CHILDREN'S ONLINE PRIVACY PROTECTION ACT.
5. "OPERATOR" MEANS A PERSON OR ENTITY THAT OWNS OR OPERATES A WEBSITE OR ONLINE SERVICE THAT COLLECTS PERSONALLY IDENTIFIABLE INFORMATION FROM A USER RESIDING IN THIS STATE WHO USES OR VISITS SUCH WEBSITE OR ONLINE SERVICE. IT DOES NOT INCLUDE A THIRD PARTY THAT HOSTS BUT DOES NOT OWN A WEBSITE OR ONLINE SERVICE ON BEHALF OF AN OPERATOR OR THAT PROCESSES INFORMATION ON BEHALF OF AN OWNER OR OPERATOR.
6. "PERSONALLY IDENTIFIABLE INFORMATION" INCLUDES THE CATEGORIES OF INFORMATION DESCRIBED IN THIS SUBDIVISION, BUT DOES NOT INCLUDE PUBLICLY AVAILABLE INFORMATION LAWFULLY MADE AVAILABLE TO THE GENERAL PUBLIC FROM FEDERAL, STATE, OR LOCAL GOVERNMENT RECORDS. PERSONALLY IDENTIFIABLE INFORMATION INCLUDES BUT IS NOT LIMITED TO THE FOLLOWING ITEMS OR ANY COMBINATION THEREOF:
(A) FIRST NAME;
(B) LAST NAME;
(C) HOME OR OTHER PHYSICAL ADDRESS;
(D) AGE;
(E) DATE OF BIRTH;
(F) NAMES, AGE, GENDER, TELEPHONE NUMBER OR ELECTRONIC MAIL OR OTHER ADDRESSES OF CHILDREN;
(G) HEIGHT, WEIGHT, RACE, RELIGION, OCCUPATION, OR POLITICAL PARTY AFFILIATION;
(H) E-MAIL ADDRESS;
(I) TELEPHONE NUMBER;
(J) SOCIAL SECURITY NUMBER;
(K) INFORMATION PERTAINING TO BANK ACCOUNTS, INVESTMENT ACCOUNTS, CREDIT OR DEBIT CARDS, OR BALANCES OR ACCOUNT NUMBERS OF ANY OF THESE;
(L) ANY SECURITY CODE, ACCESS CODE, OR PASSWORD THAT WOULD PERMIT ACCESS TO AN INDIVIDUAL'S FINANCIAL ACCOUNT OR OTHER ONLINE ACCOUNT;
(M) MEDICAL INFORMATION, INCLUDING ANY INFORMATION REGARDING AN INDIVIDUAL'S MEDICAL HISTORY, MENTAL OR PHYSICAL CONDITION, OR MEDICAL TREATMENT OR DIAGNOSIS BY A HEALTH CARE PROFESSIONAL, INCLUDING DRUGS, THERAPIES, OR MEDICAL PRODUCTS OR EQUIPMENT USED; AND
(N) HEALTH INSURANCE INFORMATION, INCLUDING AN INDIVIDUAL'S HEALTH INSURANCE POLICY NUMBER OR SUBSCRIBER IDENTIFICATION NUMBER, ANY UNIQUE IDENTIFIER USED BY A HEALTH CARE INSURER TO IDENTIFY THE INDIVIDUAL, OR ANY INFORMATION IN AN INDIVIDUAL'S APPLICATION AND CLAIMS HISTORY, INCLUDING ANY APPEALS RECORDS.
7. "POSTED" MEANS INFORMATION THAT CAN BE ACCESSED BY ANOTHER USER OR USERS IN ADDITION TO THE ORIGINAL USER WHO POSTED THE INFORMATION, IRRESPECTIVE OF WHETHER SUCH ADDITIONAL USER OR USERS ARE REGISTERED USERS OF THE WEBSITE OR ONLINE SERVICE WHERE THE INFORMATION IS POSTED.
8. "PUBLICLY POST" OR "PUBLICLY DISPLAY" MEANS TO INTENTIONALLY COMMUNICATE OR OTHERWISE MAKE AVAILABLE TO THE GENERAL PUBLIC.
9. "CONSPICUOUSLY POST" WITH RESPECT TO A PRIVACY POLICY INCLUDES POSTING ON OR THROUGH ANY OF THE FOLLOWING:
(A) A WEB PAGE ON WHICH THE PRIVACY POLICY IS POSTED IF THE WEB PAGE IS THE HOMEPAGE OR FIRST SIGNIFICANT PAGE A USER ENCOUNTERS ON ENTERING THE WEBSITE;
(B) AN ICON OR TEXT LINK THAT HYPERLINKS TO A WEB PAGE ON WHICH THE PRIVACY POLICY IS POSTED, IF THE ICON IS LOCATED ON THE HOMEPAGE OR THE FIRST SIGNIFICANT PAGE AFTER ENTERING THE WEBSITE, AND IF THE ICON CONTAINS THE WORDS "PRIVACY POLICY." THE ICON SHALL ALSO USE A COLOR THAT CONTRASTS WITH THE BACKGROUND COLOR OF THE WEB PAGE AND IS SET IN TYPE EQUAL TO OR GREATER IN SIZE THAN THE SURROUNDING TEXT ON THE WEBSITE OR IS OTHERWISE DISTINGUISHABLE. IF A TEXT LINK, THEN THE LINK MUST INCLUDE THE WORDS "PRIVACY POLICY" IN CAPITAL LETTERS EQUAL TO OR GREATER IN SIZE AND IN FONT AND COLOR THAT CONTRASTS WITH THE SURROUNDING TEXT; OR
(C) IN THE CASE OF AN ONLINE SERVICE, ANY OTHER REASONABLY ACCESSIBLE MEANS OF MAKING THE PRIVACY POLICY AVAILABLE FOR USERS OF THE ONLINE SERVICE.
10. "PRIVACY POLICY" MEANS A POLICY CONCERNING THE PRIVACY OF PERSONALLY IDENTIFIABLE INFORMATION COLLECTED BY AN OPERATOR THROUGH ITS WEBSITE OR ONLINE SERVICE THAT DOES THE FOLLOWING:
(A) IDENTIFIES THE CATEGORIES OF PERSONALLY IDENTIFIABLE INFORMATION THAT THE OPERATOR COLLECTS THROUGH THE WEBSITE OR ONLINE SERVICE ABOUT USERS WHO USE OR VISIT ITS WEBSITE OR ONLINE SERVICE AND THE USE OF THAT INFORMATION;
(B) STATES THE MEANS BY WHICH PERSONALLY IDENTIFIABLE INFORMATION IS COLLECTED AND WHETHER SUCH COLLECTION OCCURS ACTIVELY OR PASSIVELY, AND WHETHER SUCH COLLECTION IS VOLUNTARY AND THE CONSEQUENCES, IF ANY, OF A REFUSAL TO PROVIDE THE INFORMATION;
(C) IDENTIFIES THE CATEGORIES OF THIRD-PARTY PERSONS OR ENTITIES WITH WHOM THE OPERATOR MAY SHARE PERSONALLY IDENTIFIABLE INFORMATION;
(D) DISCLOSES WHETHER OTHER PARTIES MAY COLLECT PERSONALLY IDENTIFIABLE INFORMATION ABOUT A USER'S ACTIVITIES OVER TIME AND ACROSS DIFFERENT WEBSITES AND ONLINE SERVICES WHEN SUCH USER CONNECTED TO THE OPERATOR'S WEBSITE OR SERVICE;
(E) STATES WHETHER ANY PERSONALLY IDENTIFIABLE INFORMATION COLLECTED WILL BE RETAINED BY THE OPERATOR, AND, IF SO, THE CATEGORIES OF SUCH PERSONALLY IDENTIFIABLE INFORMATION RETAINED AND THE PERIOD OF TIME OVER WHICH IT WILL BE RETAINED, THE STEPS THE OPERATOR TAKES TO PROTECT THE CONFIDENTIALITY AND INTEGRITY OF THE INFORMATION, INCLUDING THE CATEGORIES OF CONTROLS OF CLOUD SECURITY ARCHITECTURE IF INFORMATION IS STORED ON THE CLOUD, AND THE OPERATOR'S PROCEDURE FOR DESTROYING SUCH INFORMATION ON TERMINATION OF THE USER'S SUBSCRIPTION OR CANCELLATION OF ACCESS TO OR USE OF THE WEBSITE OR THE ONLINE SERVICE;
(F) DESCRIBES THE PROCEDURES BY WHICH A USER MAY GAIN ACCESS TO HIS OR HER PERSONALLY IDENTIFIABLE INFORMATION, AND WHETHER THE OPERATOR MAINTAINS A PROCESS FOR A USER TO REVIEW AND MAKE, OR REQUEST AND OBTAIN, CHANGES TO ANY SUCH PERSONALLY IDENTIFIABLE INFORMATION COLLECTED THROUGH THE WEBSITE OR ONLINE SERVICE. IF THERE IS SUCH A PROCESS, THE OPERATOR SHALL PROVIDE A DESCRIPTION OF THAT PROCESS. IF AN OPERATOR COLLECTS SUCH INFORMATION BUT DOES NOT PROVIDE A MEANS FOR A USER OF ITS WEBSITE OR ONLINE SERVICE TO OBTAIN SUCH CHANGES, IT SHALL CONSPICUOUSLY POST THE STATEMENT, "THIS WEBSITE OR ONLINE SERVICE COLLECTS PERSONALLY IDENTIFIABLE INFORMATION FROM ITS USERS AND DOES NOT ALLOW THE USER TO REVIEW OR CHANGE SUCH INFORMATION";
(G) DESCRIBES THE PROCESS BY WHICH THE OPERATOR NOTIFIES USERS OF MATERIAL CHANGES TO THE OPERATOR'S PRIVACY POLICY FOR THAT WEBSITE OR ONLINE SERVICE; AND
(H) DISCLOSES HOW THE OPERATOR RESPONDS TO WEB BROWSER "DO NOT TRACK" SIGNALS OR OTHER MECHANISMS THAT ALLOW USERS TO EXERCISE CHOICE REGARDING THE COLLECTION OF PERSONALLY IDENTIFIABLE INFORMATION. AN OPERATOR MAY SATISFY THIS REQUIREMENT BY PROVIDING A CLEAR AND CONSPICUOUS HYPERLINK IN THE OPERATOR'S PRIVACY POLICY TO AN ONLINE LOCATION CONTAINING A DESCRIPTION, INCLUDING THE EFFECTS, OF ANY PROGRAM OR PROTOCOL THE OPERATOR FOLLOWS THAT OFFERS THE USER TO EXERCISE SUCH CHOICE.
11. "SOCIAL MEDIA" MEANS AN INTERNET-BASED SERVICE THAT ALLOWS INDIVIDUALS TO ENGAGE IN ACTIVITIES WHICH INCLUDE BUT ARE NOT LIMITED TO THE FOLLOWING: CONSTRUCT A PUBLIC OR SEMI-PUBLIC PROFILE WITHIN A BOUNDED SYSTEM, CREATED BY THE SERVICE; CREATE A LIST OF OTHER USERS WITH WHOM THEY SHARE A CONNECTION WITHIN THE SYSTEM; AND VIEW AND NAVIGATE THEIR LIST OF CONNECTIONS AND THOSE MADE BY OTHERS WITHIN THE SYSTEM. SOCIAL MEDIA INCLUDES FACEBOOK, E-MAIL, AND TWITTER ACCOUNTS, AND OTHER SIMILAR SERVICES, AND WEBSITES AND ONLINE SERVICES WHICH INCLUDE THE ACTIVITIES DESCRIBED IN THIS SUBDIVISION, AND THE DIGITAL MEDIA CONTAINED IN THOSE SITES, INCLUDING PHOTOS, VIDEOS, TEXTS AND E-MAIL MESSAGES.
12. "SECURITY BREACH" OR "BREACH OF SECURITY" OF THE SYSTEM HAS THE SAME MEANING AS "BREACH OF SECURITY OF THE SYSTEM" AS DEFINED IN ARTICLE THIRTY-NINE-F OF THIS CHAPTER.
13. "USER" MEANS AN INDIVIDUAL WHO USES THE INTERNET TO ACCESS A WEBSITE OR ONLINE SERVICE OR SOCIAL MEDIA.
14. "WEBSITE OR ONLINE SERVICE" MEANS AND INCLUDES A WEBSITE, ONLINE SERVICE, ONLINE APPLICATION, MOBILE APPLICATION, ELECTRONIC SERVICE OR ACCOUNT, THAT CONTAINS ELECTRONIC CONTENT, INCLUDING BUT NOT LIMITED TO VIDEOS, STILL PHOTOGRAPHS, BLOGS, VIDEO BLOGS, PODCASTS, INSTANT AND TEXT MESSAGES, E-MAIL, ONLINE SERVICES OR ACCOUNTS, OR WEBSITE PROFILES OR LOCATIONS.
15. "WEBSITE OR ONLINE SERVICE DIRECTED TO MINORS" MEANS A WEBSITE OR ONLINE SERVICE OR PORTION THEREOF CREATED, DEVELOPED, OR USED FOR THE PURPOSE OF REACHING AN AUDIENCE PREDOMINANTLY COMPRISED OF MINORS, AND NOT DESIGNED OR INTENDED FOR A MORE GENERAL AUDIENCE COMPRISED OF ADULTS; PROVIDED, HOWEVER, THAT REFERRING OR LINKING VIA SUCH INFORMATION LOCATION TOOLS AS A DIRECTORY, INDEX, REFERENCE, POINTER, OR HYPERTEXT LINK TO A WEBSITE, ONLINE SERVICE, ONLINE APPLICATION, OR MOBILE APPLICATION DIRECTED TO MINORS SHALL NOT BE DEEMED TO QUALIFY SUCH WEBSITE OR ONLINE SERVICE AS ONE CREATED, DEVELOPED, OR USED FOR THE PURPOSE OF REACHING AN AUDIENCE PREDOMINANTLY COMPRISED OF MINORS.
§ 902. PURPOSE, APPLICATION, EXCEPTIONS, AND WAIVER. 1. THE PURPOSE OF THIS ARTICLE IS TO HELP SAFEGUARD THE PRIVACY OF PERSONALLY IDENTIFIABLE INFORMATION OF USERS OF WEBSITES AND ONLINE SERVICES BY: ESTABLISHING REQUIREMENTS FOR THE CONFIDENTIAL TREATMENT OF SUCH INFORMATION BY THE OPERATORS OF WEBSITES AND ONLINE SERVICES; REQUIRING DISCLOSURE TO USERS OF THE PRIVACY POLICY OF SUCH WEBSITES OR ONLINE SERVICES; PROVIDING TO USERS WHO ARE MINORS OVER THE AGE OF THIRTEEN THE SAME PROTECTION AFFORDED BY THE RULES ISSUED BY THE FEDERAL TRADE COMMISSION PURSUANT TO THE CHILDREN'S ONLINE PRIVACY PROTECTION ACT FOR CHILDREN UNDER THE AGE OF THIRTEEN; RESTRICTING ACCESS TO SOCIAL NETWORKING INFORMATION OF USERS BY CERTAIN EDUCATIONAL INSTITUTIONS AND EMPLOYERS; REQUIRING IMMEDIATE REPORTING OF A SECURITY BREACH OF PERSONALLY IDENTIFIABLE INFORMATION; AND ESTABLISHING PENALTIES FOR VIOLATIONS.
2. THE PROVISIONS OF THIS ARTICLE SHALL NOT APPLY TO ANY WEBSITE OR ONLINE SERVICE THAT DOES NOT COLLECT PERSONALLY IDENTIFIABLE INFORMATION CONCERNING USERS, ANY AGENCY OR POLITICAL SUBDIVISION OF THE STATE OR THE FEDERAL GOVERNMENT, OR A FINANCIAL INSTITUTION THAT HAS ADOPTED SAFEGUARDS THAT COMPLY WITH THE STANDARDS ESTABLISHED PURSUANT TO SECTION 501(B) OF THE GRAMM-LEACH-BLILEY ACT OF 1999, 15 USC 6801. ANY GROUP DESCRIBED IN THIS SUBDIVISION MAY CONSPICUOUSLY POST A STATEMENT ON ITS WEBSITE OR WITH OR THROUGH ITS ONLINE SERVICE THAT STATES THAT IT DOES NOT COLLECT PERSONALLY IDENTIFIABLE INFORMATION OR IS NOT COVERED BY THE PROVISIONS OF THIS ARTICLE WITH A STATEMENT AS TO THE REASONS FOR SUCH EXCLUSION.
3. ANY OTHER PROVISION OF THIS ARTICLE TO THE CONTRARY NOTWITHSTANDING, AN OPERATOR MAY DISCLOSE PERSONALLY IDENTIFIABLE INFORMATION ON A LIMITED BASIS IF THE DISCLOSURE IS MADE:
(A) PURSUANT TO A COURT ORDER, A GRAND JURY SUBPOENA, OR OTHERWISE PURSUANT TO REQUIREMENTS OF LAW;
(B) TO A COURT IN A CIVIL ACTION FOR CONVERSION COMMENCED BY THE OPERATOR OR IN A CIVIL ACTION TO ENFORCE COLLECTION OF UNPAID SUBSCRIPTION FEES OR PURCHASE AMOUNTS, AND THEN ONLY TO THE EXTENT NECESSARY TO ESTABLISH THE FACT OF THE SUBSCRIPTION DELINQUENCY OR PURCHASE AGREEMENT, AND WITH APPROPRIATE SAFEGUARDS AGAINST UNAUTHORIZED DISCLOSURE;
(C) FOR THE SOLE PURPOSE OF VALIDATING THE IDENTITY OR CREDIT-WORTHINESS OF THE USER OR FOR A FRAUD INVESTIGATION WHEN MADE TO ANOTHER ENTITY WHICH HAS THE EXPERTISE AND ABILITY TO PROVIDE SUCH VALIDATION OR TO A BUSINESS SUBSIDIARY OR RELATED ENTITY IF RESTRICTED TO DISCLOSURE SOLELY FOR A LEGITIMATE BUSINESS REASON;
(D) AT THE REQUEST OF THE USER;
(E) WHEN THE INFORMATION IS TO BE USED FOR ANY BUSINESS FUNCTION PERMITTED OR ALLOWED UNDER THE GRAMM-LEACH-BLILEY ACT, P.L. 106-102 (1999) BY ANY ENTITY REGULATED BY SUCH ACT;
(F) IN CONNECTION WITH A REQUEST FOR CREDIT OR A CREDIT TRANSACTION INITIATED BY THE USER OR IN CONNECTION WITH A LAWFUL REQUEST FOR A CONSUMER REPORT OR INVESTIGATIVE CONSUMER REPORT, AS SUCH TERMS ARE DEFINED IN SECTION THREE HUNDRED EIGHTY-A OF THIS CHAPTER;
(G) FOR PURPOSES OF EMPLOYMENT, INCLUDING IN THE COURSE OF ADMINISTRATION OF A CLAIM, BENEFIT, OR PROCEDURE RELATED TO THE INDIVIDUAL'S EMPLOYMENT BY THE PERSON, INCLUDING THE INDIVIDUAL'S TERMINATION FROM EMPLOYMENT, RETIREMENT, INJURY SUFFERED DURING THE COURSE OF EMPLOYMENT, OR TO CHECK ON AN UNEMPLOYMENT INSURANCE CLAIM OF THE INDIVIDUAL; OR
(H) SOLELY FOR STATISTICAL PURPOSES AND IS IN A FORM THAT CANNOT BE USED TO IDENTIFY ANY PARTICULAR PERSON.
4. THE PROVISIONS OF THIS ARTICLE SHALL BE EXCLUSIVE AND SHALL PREEMPT ANY PROVISIONS OF LOCAL LAW, ORDINANCE OR CODE, AND NO LOCALITY SHALL IMPOSE REQUIREMENTS THAT ARE INCONSISTENT WITH OR MORE RESTRICTIVE THAN THOSE SET FORTH IN THIS ARTICLE. WITH RESPECT TO SOCIAL SECURITY NUMBERS, THE PROVISIONS OF SECTION THREE HUNDRED NINETY-NINE-DDD AND THREE HUNDRED NINETY-NINE-DDDD OF THIS CHAPTER SHALL BE CONTROLLING.
5. ANY WAIVER OF A PROVISION OF THIS ARTICLE IS CONTRARY TO PUBLIC POLICY AND IS VOID AND UNENFORCEABLE.
§ 903. REQUIREMENT FOR PRIVACY POLICY AND CONFIDENTIALITY. 1. AN OPERATOR SHALL CONSPICUOUSLY POST ITS PRIVACY POLICY AND THE EFFECTIVE DATE OF THE POLICY ON ITS WEBSITE, OR IN THE CASE OF AN ONLINE SERVICE, MAKE THE POLICY AVAILABLE VIA E-MAIL OR OTHER ACCESSIBLE NOTIFICATION WHEN THE USER SIGNS INTO THE SERVICE. THE NOTICE SHALL INCLUDE A STATEMENT THAT A USER MAY REQUEST, IN WRITING OR BY E-MAIL, TO HAVE HIS OR HER E-MAIL ADDRESS KEPT CONFIDENTIAL AS REQUIRED BY THIS ARTICLE.
2. EXCEPT AS OTHERWISE PROVIDED IN THIS ARTICLE OR AUTHORIZED BY ANY OTHER SECTION OF LAW, AN OPERATOR SHALL KEEP CONFIDENTIAL AND SHALL NOT SHARE THE FOLLOWING ITEMS OF INFORMATION WITH ANY UNAUTHORIZED PARTY OR ENTITY:
(A) ALL PERSONALLY IDENTIFIABLE INFORMATION CONCERNING A USER, OTHER THAN THE E-MAIL ADDRESS OF THE USER, UNLESS THE USER GIVES PERMISSION, IN WRITING OR BY E-MAIL, TO THE OPERATOR TO DISCLOSE SUCH INFORMATION; AND
(B) THE E-MAIL ADDRESS OF THE USER, IF THE USER SO REQUESTS IN WRITING OR BY E-MAIL. UPON RECEIVING SUCH A REQUEST, AN OPERATOR SHALL KEEP CONFIDENTIAL AND SHALL NOT SHARE WITH ANY UNAUTHORIZED PARTY OR ENTITY THE E-MAIL ADDRESS OF THE USER, UNLESS THE USER GIVES PERMISSION, IN WRITING OR BY E-MAIL, TO THE OPERATOR TO DISCLOSE SUCH E-MAIL ADDRESS.
3. OTHER PROVISIONS OF THIS ARTICLE TO THE CONTRARY NOTWITHSTANDING, THE PROVISIONS OF SECTIONS THREE HUNDRED NINETY-NINE-DDD AND THREE HUNDRED NINETY-NINE-DDDD OF THIS CHAPTER CONCERNING SOCIAL SECURITY NUMBERS SHALL APPLY TO WEBSITES AND ONLINE SERVICES, AND SHALL MEAN AND INCLUDE PORTIONS OF SOCIAL SECURITY NUMBERS. ANY PROVISION IN SUCH SECTIONS OF THIS CHAPTER ALLOWING FOR DISCLOSURE OF A SOCIAL SECURITY NUMBER UPON THE CONSENT OF AN INDIVIDUAL SHALL BE DEEMED TO MEAN THE EXPRESS CONSENT OF THE INDIVIDUAL.
4. AN OPERATOR SHALL DESTROY, ERASE, OR DELETE ANY COMPUTER FILES, DOCUMENTS, OR ELECTRONIC RECORDS CONTAINING PERSONALLY IDENTIFIABLE INFORMATION OF A USER WHO CANCELS THE ONLINE SERVICE OR WEBSITE SUBSCRIPTION, AND SHALL NOTIFY THE USER OF SUCH DESTRUCTION WITHIN FIVE DAYS OF SUCH CANCELLATION.
5. THE VOLUNTARY DISCLOSURE OF PERSONALLY IDENTIFIABLE INFORMATION TO A WEBSITE OR ONLINE SERVICE OF AN OPERATOR, WHETHER SOLICITED OR UNSOLICITED, SHALL BE DEEMED TO CONSTITUTE CONSENT TO THE COLLECTION OF SUCH INFORMATION BY THE OPERATOR SOLELY FOR THE PURPOSES FOR WHICH THE USER DISCLOSED IT, AS REASONABLY ASCERTAINABLE FROM THE NATURE AND TERMS OF THE DISCLOSURE, BUT SHALL NOT BE DEEMED TO CONSTITUTE CONSENT TO DISCLOSURE OF SUCH PERSONALLY IDENTIFIABLE INFORMATION TO ANY OTHER PARTY ABSENT EXPRESS CONSENT AS IS REQUIRED BY THIS ARTICLE OR WHICH IS EXPRESSLY OTHERWISE ALLOWED BY THIS ARTICLE.
§ 904. PRIVACY PROTECTION FOR MINORS. AN OPERATOR OF A WEBSITE OR ONLINE SERVICE WHICH IS REQUIRED TO COMPLY WITH THE RULES ISSUED BY THE FEDERAL TRADE COMMISSION PURSUANT TO THE CHILDREN'S ONLINE PRIVACY PROTECTION ACT WITH RESPECT TO MINORS UNDER THE AGE OF THIRTEEN SHALL PROVIDE THE SAME LEVEL OF ACTIVITY, PROTECTION, AND COMPLIANCE TO MINORS AS DEFINED HEREIN IRRESPECTIVE OF WHETHER SUCH WEBSITE OR ONLINE SERVICE OPERATES SOLELY WITHIN THE STATE.
§ 905. RESPONSIBILITIES CONCERNING PRIVACY POLICIES AND SOCIAL MEDIA. 1. AN EMPLOYER SHALL NOT REQUIRE OR REQUEST AN EMPLOYEE OR APPLICANT FOR EMPLOYMENT TO DISCLOSE A USERNAME OR PASSWORD FOR THE PURPOSE OF ACCESSING SOCIAL MEDIA, OR TO ACCESS SOCIAL MEDIA IN THE PRESENCE OF THE EMPLOYER, OR TO DIVULGE ANY SOCIAL MEDIA. AN EMPLOYER SHALL NOT DISCHARGE OR DISCIPLINE, OR OTHERWISE RETALIATE AGAINST AN EMPLOYEE OR APPLICANT FOR NOT COMPLYING WITH A REQUEST OR DEMAND BY THE EMPLOYER THAT VIOLATES THIS SUBDIVISION. THE FOREGOING TO THE CONTRARY NOTWITHSTANDING, NOTHING IN THIS SUBDIVISION SHALL AFFECT AN EMPLOYER'S EXISTING RIGHTS AND OBLIGATIONS TO REQUEST AN EMPLOYEE TO DIVULGE SOCIAL MEDIA REASONABLY BELIEVED TO BE RELEVANT TO AN INVESTIGATION OF ALLEGATIONS OF EMPLOYEE MISCONDUCT OR VIOLATION OF APPLICABLE LAWS AND REGULATIONS, PROVIDED THAT THE SOCIAL MEDIA IS USED SOLELY FOR PURPOSES OF SUCH INVESTIGATION OR FOR A RELATED PROCEEDING, OR SHALL BE DEEMED TO PRECLUDE AN EMPLOYER FROM REQUIRING OR REQUESTING AN EMPLOYEE TO DISCLOSE A USERNAME, PASSWORD, OR OTHER METHOD FOR THE PURPOSE OF ACCESSING AN EMPLOYER-ISSUED ELECTRONIC DEVICE, OR TO PROHIBIT AN EMPLOYER FROM TERMINATING OR OTHERWISE TAKING AN ADVERSE ACTION AGAINST AN EMPLOYEE OR APPLICANT AS MAY BE OTHERWISE PERMITTED BY LAW.
2. COLLEGES AND UNIVERSITIES, AND THEIR EMPLOYEES AND REPRESENTATIVES, SHALL NOT REQUIRE OR REQUEST A STUDENT, PROSPECTIVE STUDENT, OR STUDENT GROUP TO DISCLOSE A USER NAME OR PASSWORD FOR ACCESSING SOCIAL MEDIA, OR TO ACCESS SOCIAL MEDIA IN THE PRESENCE OF THE INSTITUTION'S EMPLOYEE OR REPRESENTATIVE, OR TO DIVULGE ANY SOCIAL MEDIA INFORMATION. NO COLLEGE OR UNIVERSITY SHALL SUSPEND, EXPEL, DISCIPLINE, OR OTHERWISE PENALIZE A STUDENT, PROSPECTIVE STUDENT, OR STUDENT GROUP IN ANY WAY FOR REFUSING TO COMPLY WITH A REQUEST OR DEMAND THAT VIOLATES THIS SUBDIVISION, PROVIDED HOWEVER THAT NOTHING CONTAINED IN THIS SUBDIVISION SHALL BE DEEMED TO AFFECT THE RIGHTS AND OBLIGATIONS OF A COLLEGE OR UNIVERSITY TO PROTECT AGAINST AND INVESTIGATE ALLEGED STUDENT MISCONDUCT OR VIOLATIONS OF APPLICABLE LAWS AND REGULATIONS, OR TO PROHIBIT SUCH INSTITUTION FROM TAKING ANY ADVERSE ACTION AGAINST A STUDENT, PROSPECTIVE STUDENT, OR STUDENT GROUP FOR ANY LAWFUL REASON OR TO PROHIBIT A STUDENT FROM VOLUNTARILY CONSENTING TO SUCH DISCLOSURE. A COLLEGE OR UNIVERSITY SHALL CONSPICUOUSLY POST ITS PRIVACY POLICY INCLUDING ITS PRIVACY POLICY REGARDING SOCIAL MEDIA.
§ 906. REQUIREMENT TO REPORT A SECURITY BREACH. WITHIN TWENTY-FOUR HOURS FOLLOWING DISCOVERY OR NOTIFICATION OF A SECURITY BREACH, PURSUANT TO ARTICLE THIRTY-NINE-F OF THIS CHAPTER, AN OPERATOR SHALL INFORM THE OFFICE OF PRIVACY PROTECTION AS TO THE BREACH, THE DATE AND EXTENT OF THE BREACH, THE CATEGORIES OF PERSONALLY IDENTIFIABLE INFORMATION THAT WERE OR ARE REASONABLY BELIEVED TO HAVE BEEN THE SUBJECT OF THE BREACH, THE NUMBER OF CONSUMERS AFFECTED, THE GEOGRAPHIC AREA OF THE BREACH, AND TOLL-FREE TELEPHONE NUMBERS OF COMPANY REPRESENTATIVES ASSIGNED TO PROVIDE INFORMATION CONCERNING THE BREACH. AN OPERATOR SHALL ADDITIONALLY REPORT A SECURITY BREACH TO THE OFFICE OF INFORMATION TECHNOLOGY SERVICES WITHIN TWENTY-FOUR HOURS OF DISCOVERY OF ANY SECURITY BREACH AND SHALL INCLUDE THE ITEMS OF INFORMATION SPECIFIED IN ARTICLE FOUR OF THE STATE TECHNOLOGY LAW.
   19    S 907. LIABILITY FOR FAILURE TO  COMPLY.  1.  ANY  OPERATOR  WHICH  IS
   20  NEGLIGENT  IN  FAILING  TO  COMPLY  WITH  ANY  REQUIREMENT IMPOSED UNDER
   21  SECTION NINE HUNDRED THREE OF THIS ARTICLE WITH RESPECT TO A USER OF ITS
   22  WEBSITE OR ONLINE SERVICE IS LIABLE TO THAT USER IN AN AMOUNT  EQUAL  TO
   23  THE SUM OF ANY ACTUAL DAMAGES SUSTAINED AS A RESULT OF SUCH FAILURE, AND
   24  IN THE CASE OF ANY SUCCESSFUL ACTION TO ENFORCE ANY LIABILITY UNDER THIS
   25  SECTION,  THE  COSTS  OF  THE ACTION TOGETHER WITH REASONABLE ATTORNEY'S
   26  FEES AS DETERMINED BY THE  COURT;  PROVIDED  HOWEVER  THAT  SOLELY  WITH
   27  RESPECT TO AN ALLEGED FAILURE TO POST A PRIVACY POLICY, OR TO POST TIME-
   28  LY,  OR TO POST ALL THE INFORMATION REQUIRED, OR TO POST ACCURATE INFOR-
   29  MATION, AN OPERATOR MAY ASSERT AS A COMPLETE DEFENSE IN  ANY  ACTION  IN
   30  LAW  OR  EQUITY  THAT  IT  THEREAFTER  PROVIDED  SUCH INFORMATION TO ALL
   31  AFFECTED USERS WITHIN THIRTY DAYS OF THE DATE THAT OPERATOR KNEW OF SUCH
   32  FAILURE.
   33    2. ANY PERSON WHO WILLFULLY VIOLATES THE PROVISIONS OF SUBDIVISION TWO
   34  OR THREE OF SECTION NINE HUNDRED THREE OR SECTION NINE  HUNDRED  SIX  OF
   35  THIS  ARTICLE  SHALL  BE  ADDITIONALLY SUBJECT TO A CIVIL PENALTY NOT TO
   36  EXCEED ONE THOUSAND DOLLARS FOR EACH SUCH VIOLATION.
   37    3. ANY OPERATOR WHO KNOWINGLY MAKES A FALSE OR MISLEADING STATEMENT IN
   38  A PRIVACY POLICY OR WHO FAILS TO PROVIDE PRIVACY PROTECTION  FOR  MINORS
   39  PURSUANT  TO SECTION NINE HUNDRED FOUR AS REQUIRED BY THIS ARTICLE SHALL
   40  BE ADDITIONALLY SUBJECT TO A FINE OF FIVE HUNDRED DOLLARS FOR EACH  SUCH
   41  VIOLATION,  PROVIDED  SUCH  CIVIL  PENALTY SHALL NOT EXCEED FIVE HUNDRED
   42  THOUSAND DOLLARS FOR ANY SINGLE EVENT.
   43    4. ANY EMPLOYER WHO VIOLATES THE PROVISIONS OF  SECTION  NINE  HUNDRED
   44  FIVE  OF THIS ARTICLE SHALL BE SUBJECT TO THE CIVIL PENALTIES, REMEDIES,
   45  AND PROVISIONS IMPOSED PURSUANT TO SECTION SIX HUNDRED  SEVENTY-FIVE  OF
   46  THIS CHAPTER.
   47    5. THE RIGHTS AND REMEDIES AVAILABLE UNDER THIS SECTION ARE CUMULATIVE
   48  TO EACH OTHER AND TO ANY OTHER RIGHTS AND REMEDIES AVAILABLE UNDER LAW.
   49    S  908. ENFORCEMENT. THE ATTORNEY GENERAL OR ANY DISTRICT ATTORNEY MAY
   50  APPLY FOR AN ORDER TEMPORARILY OR PERMANENTLY RESTRAINING AND  ENJOINING
   51  ANY PERSON FROM VIOLATING ANY PROVISION OF THIS ARTICLE.
   52    S  5. The state technology law is amended by adding a new article 4 to
   53  read as follows:
   54                                  ARTICLE 4
   55                         BREACH NOTIFICATION SERVICE
   56    SECTION 401. BREACH NOTIFICATION SERVICE.
    1    S 401. BREACH NOTIFICATION SERVICE. THE OFFICE SHALL COLLABORATE  WITH
    2  THE OFFICE OF PRIVACY PROTECTION TO CREATE A SERVICE TO BE HOUSED WITHIN
    3  THE  OFFICE  UNDER  WHICH  A  COMPANY  REQUIRED  TO REPORT ON A SECURITY
    4  BREACH, AS SUCH TERM IS DEFINED IN ARTICLE THIRTY-NINE-E OF THE  GENERAL
    5  BUSINESS  LAW,  SHALL  BE  REQUIRED  TO  POST  THE FOLLOWING INFORMATION
    6  CONCERNING THE BREACH:
    7    1. THE NAME OF THE COMPANY AND CONTACT INFORMATION OF THE OPERATOR  OF
    8  THE  WEBSITE OR SERVICE, WITH THE CONTACT INFORMATION TO INCLUDE A TOLL-
    9  FREE NUMBER;
   10    2. THE DATE OF  THE  SECURITY  BREACH  AND  THE  NUMBER  OF  CONSUMERS
   11  AFFECTED;
   12    3. THE GEOGRAPHIC AREA OF THE BREACH; AND
   13    4.  TOLL-FREE  TELEPHONE  NUMBERS  AND  ADDRESSES  OF THE MAJOR CREDIT
   14  REPORTING AGENCIES.
   15    THE SERVICE SHALL BE DESIGNED TO PROVIDE ONLINE NOTIFICATION  CONCERN-
   16  ING SECURITY BREACHES TO CONSUMERS WHO REQUEST SUCH INFORMATION BASED ON
   17  GEOGRAPHY,  TYPE  OF  CREDIT OR BANK CARD, BANKING OR FINANCIAL INSTITU-
   18  TION, OR OTHER CATEGORIES OF INFORMATION AS SHALL  BE  PROVIDED  IN  THE
   19  SERVICE.
   20    S 6. This act shall take effect on the one hundred twentieth day after
   21  it shall have become a law.