LBD04247-01-7
S. 3657 2
BY THE GOVERNOR BY AND WITH THE ADVICE AND CONSENT OF THE SENATE. THE
COMMISSIONER SHALL POSSESS SUCH RIGHTS, POWERS AND DUTIES IN CONNECTION
WITH PRIVACY PROTECTION AND INTERNET SAFETY AS ARE EXPRESSED OR REASON-
ABLY IMPLIED BY THIS ARTICLE OR OTHER APPLICABLE LAWS OF THIS STATE
RELATING TO ONLINE PRIVACY AND INTERNET SAFETY. THE COMMISSIONER SHALL
CONSULT WITH THE ONLINE PRIVACY PROTECTION AND INTERNET SAFETY ADVISORY
COMMITTEE IN DEVELOPING POLICIES AND PROGRAMS, AND SHALL COORDINATE
RESPONSIBILITIES CONCERNING SECURITY BREACHES WITH THE DATA BREACH
GROUP.
§ 205-B. ONLINE PRIVACY PROTECTION AND INTERNET SAFETY ADVISORY
COMMITTEE. THERE IS HEREBY CREATED THE ONLINE PRIVACY PROTECTION AND
INTERNET SAFETY ADVISORY COMMITTEE, WHICH SHALL CONSIST OF THE FOLLOWING
EX-OFFICIO MEMBERS OR THEIR DESIGNEES: THE SECRETARY OF STATE, THE
ATTORNEY GENERAL, THE COMMISSIONER OF THE DIVISION OF HOMELAND SECURITY
AND EMERGENCY SERVICES, THE COMMISSIONER OF THE OFFICE OF ONLINE PRIVACY
PROTECTION AND INTERNET SAFETY, AND THE DIRECTOR OF THE OFFICE OF INFOR-
MATION TECHNOLOGY SERVICES. IN ADDITION, THERE SHALL BE APPOINTED BY THE
GOVERNOR BY AND WITH THE ADVICE AND CONSENT OF THE SENATE, FIVE PERSONS
WHO HAVE BEEN EMPLOYED AT THE LEVEL OF EXECUTIVE OFFICER IN COMPANIES IN
THE INFORMATION TECHNOLOGY INDUSTRY FOR A PERIOD OF FIVE YEARS OR MORE,
OR EMPLOYED AT A SENIOR MANAGEMENT LEVEL IN THE AREAS OF PRIVACY COMPLI-
ANCE AND INTERNET SECURITY FOR A PERIOD OF FIVE YEARS OR MORE, OR AS A
PRIVACY COMPLIANCE OFFICER OR OTHER HIGH LEVEL POSITION REQUIRING EXPER-
TISE IN THE FIELD OF PRIVACY AND INFORMATION TECHNOLOGY FOR SUCH PERIOD.
THE GOVERNOR SHALL DESIGNATE THE CHAIR OF THE ADVISORY COMMITTEE.
EACH APPOINTED MEMBER OF THE COMMITTEE SHALL BE APPOINTED FOR TERMS OF
THREE YEARS. ANY MEMBER MAY BE REAPPOINTED FOR TWO ADDITIONAL TERMS. THE
ADVISORY COMMITTEE SHALL MEET NO LESS THAN THREE TIMES EACH YEAR, OR
MORE IF ITS BUSINESS REQUIRES. THE ADVISORY COMMITTEE SHALL ADVISE THE
COMMISSIONER ON MATTERS RELATING TO ONLINE PRIVACY AND INTERNET SAFETY
CONCERNS. MEMBERS OF THE ADVISORY COMMITTEE SHALL RECEIVE NO COMPEN-
SATION BUT SHALL BE ENTITLED TO ACTUAL AND NECESSARY TRAVELING AND OTHER
EXPENSES WHILE ENGAGED IN THE PERFORMANCE OF SUCH MEMBER'S DUTIES HERE-
UNDER.
THE COMMITTEE SHALL HAVE THE FOLLOWING FUNCTIONS, POWERS AND DUTIES:
1. TO REVIEW AND COMMENT IN THE MANNER AND FORM IT DEEMS APPROPRIATE
ON PROPOSED RULES, REGULATIONS, GUIDELINES, AND PROGRAMS OF THE OFFICE;
2. TO PROVIDE GUIDANCE AND SUPPORT TO THE OFFICE IN DEVELOPMENT OF
POLICIES, PROGRAMS, AND RECOMMENDATIONS;
3. TO MAKE RECOMMENDATIONS CONCERNING SURVEYS AND REPORTS; AND
4. TO PERFORM SUCH OTHER ACTS AS ASSIGNED BY THE CHAIR OF THE COMMIT-
TEE WHICH ARE NECESSARY OR APPROPRIATE TO CARRY OUT THE FUNCTIONS OF THE
COMMITTEE AND SUPPORT THE OPERATIONS OF THE OFFICE.
§ 205-C. RESPONSIBILITIES. THE OFFICE OF ONLINE PRIVACY PROTECTION AND
INTERNET SAFETY SHALL:
1. RECEIVE COMPLAINTS: RECEIVE COMPLAINTS CONCERNING VIOLATIONS OF
ARTICLES THIRTY-NINE-H AND THIRTY-NINE-F OF THE GENERAL BUSINESS LAW,
RELATING TO CONFIDENTIALITY AND PRIVACY OF E-MAIL AND SOCIAL MEDIA AND
TO DATA SECURITY BREACHES, AND VIOLATIONS OF OTHER ONLINE PRIVACY-RELAT-
ED LAWS, ATTEMPT TO MEDIATE SUCH COMPLAINTS WHERE APPROPRIATE, AND REFER
COMPLAINTS TO THE APPROPRIATE GOVERNMENTAL AGENCY AUTHORIZED TO TAKE
APPROPRIATE ACTION ON SUCH COMPLAINTS;
2. INFORMATION AND REFERRAL: PROVIDE INFORMATION TO INDIVIDUALS AND
ENTITIES ABOUT OBTAINING, USING, DISCLOSING, OR DISPOSING OF ONLINE
PERSONALLY IDENTIFIABLE INFORMATION IN A LAWFUL MANNER, AND OTHER SUCH
ONLINE PRIVACY ISSUES AS POSTING OF PRIVACY POLICIES, COMPLIANCE WITH
FEDERAL AND STATE LAWS AND GUIDELINES CONCERNING PERSONAL INFORMATION OF
MINORS, AND OTHERS;
3. EDUCATION AND OUTREACH: DEVELOP AND COORDINATE PUBLIC AND PRIVATE
INFORMATIONAL AND EDUCATIONAL PROGRAMS AND MATERIALS TO FOSTER AND
IMPROVE PUBLIC UNDERSTANDING CONCERNING ONLINE PRIVACY AND INTERNET
SAFETY, INCLUDING PROGRAMS TARGETED TO MINORS IN CONSULTATION WITH THE
EDUCATION DEPARTMENT;
4. MODEL POLICIES: DEVELOP AND DISSEMINATE MODEL ONLINE PRIVACY POLI-
CIES;
5. TRAINING: ASSIST AS REQUESTED IN THE TRAINING OF LOCAL, STATE, AND
FEDERAL LAW ENFORCEMENT AGENCIES AND OTHERS REGARDING THE PREVENTION OF
IDENTITY THEFT AND OTHER ONLINE PRIVACY-RELATED CRIMES;
6. COORDINATE SECURITY BREACH PROCEDURES: COORDINATE EFFECTIVE
RESPONSES TO ONLINE SECURITY BREACHES WITH THE DATA BREACH GROUP;
7. RESEARCH: CONDUCT INVESTIGATIONS, RESEARCH, STUDIES AND ANALYSES OF
MATTERS AFFECTING THE ONLINE PRIVACY AND INTERNET SAFETY; AND
8. ADVISE: ADVISE AND MAKE RECOMMENDATIONS TO THE GOVERNOR CONCERNING
ONLINE PRIVACY AND INTERNET SAFETY.
§ 205-D. CONSTRUCTION. THE AUTHORITY OF THE OFFICE OF ONLINE PRIVACY
PROTECTION AND INTERNET SAFETY TO ADOPT REGULATIONS UNDER THIS ARTICLE
SHALL BE LIMITED EXCLUSIVELY TO THOSE REGULATIONS NECESSARY TO IMPLEMENT
SUBDIVISIONS ONE THROUGH SIX OF SECTION TWO HUNDRED FIVE-C OF THIS ARTI-
CLE. NOTHING CONTAINED HEREIN SHALL BE DEEMED TO APPLY TO THE LEGISLA-
TURE OR THE JUDICIARY, OR EXCEPT AS SPECIFICALLY OTHERWISE PROVIDED IN
LAW, TO A STATE AGENCY AS SUCH TERM IS DEFINED BY SECTION ONE HUNDRED
ONE OF THE STATE TECHNOLOGY LAW.
§ 205-E. REPORT. THE OFFICE SHALL REPORT ANNUALLY NOT LATER THAN THE
THIRTIETH OF JANUARY EACH YEAR TO THE GOVERNOR, THE TEMPORARY PRESIDENT
OF THE SENATE, THE SPEAKER OF THE ASSEMBLY, THE MINORITY LEADERS OF THE
SENATE AND ASSEMBLY, AND THE PUBLIC BEGINNING IN THE FIRST CALENDAR YEAR
AFTER THE EFFECTIVE DATE OF THIS SECTION CONCERNING: THE NUMBER OF
COMPLAINTS RECEIVED AND THE RESOLUTIONS THEREOF BY CATEGORY OR CLASS OF
COMPLAINT, THE NUMBERS OF CLOSED CASES, AND ANY RECOMMENDATIONS CONCERN-
ING IMPROVEMENTS IN ONLINE PRIVACY LAWS AND PROCEDURES AND INTERNET
SAFETY.
§ 3. Section 399-ddd of the general business law, as added by chapter
372 of the laws of 2012, is renumbered section 399-dddd.
§ 4. Subdivision 1 of section 399-dddd, as added by chapter 372 of the
laws of 2012 and such section as renumbered by section three of this
act, is amended to read as follows:
1. As used in this section, "social security account number" shall
include the number issued by the federal social security administration
and any number derived from such number, OR ANY PART OF SUCH NUMBER.
Such term shall not include any number that has been encrypted.
§ 5. Paragraph (a) of subdivision 1 of section 399-ddd of the general
business law, as amended by chapter 371 of the laws of 2012, is amended
to read as follows:
(a) As used in this section "social security account number" shall
include the number issued by the federal social security administration
and any number derived from such number, OR ANY PART OF SUCH NUMBER.
Such term shall not include any number that has been encrypted.
§ 6. The general business law is amended by adding a new article 39-H
to read as follows:
ARTICLE 39-H
THE NEW YORK STATE ONLINE ACCOUNTS AND SOCIAL MEDIA PRIVACY ACT
SECTION 900. SHORT TITLE.
901. DEFINITIONS.
902. PURPOSE.
903. REQUESTS FOR DISCLOSURE BY EMPLOYERS.
904. REQUESTS FOR DISCLOSURE BY AN EDUCATIONAL INSTITUTION.
905. PROHIBITED AND PERMITTED ACTIVITIES BY LANDLORD.
906. CONSTRUCTION.
907. REMEDIES.
§ 900. SHORT TITLE. THIS ARTICLE SHALL BE KNOWN AND MAY BE CITED AS
THE "ONLINE MEDIA PRIVACY ACT".
§ 901. DEFINITIONS. AS USED IN THIS ARTICLE: 1. "ADVERSE ACTION"
MEANS TO DISCHARGE, THREATEN, OR OTHERWISE DISCRIMINATE AGAINST AN
EMPLOYEE IN ANY MANNER THAT AFFECTS THE EMPLOYEE'S EMPLOYMENT, INCLUDING
COMPENSATION, TERMS, CONDITIONS, LOCATION, RIGHTS, IMMUNITIES,
PROMOTIONS, OR PRIVILEGES.
2. "EDUCATIONAL INSTITUTION" MEANS A COLLEGE, UNIVERSITY, ACADEMY,
SCHOOL DISTRICT AND CITY SCHOOL DISTRICT OR OTHER ENTITY OFFERING
SECONDARY EDUCATION, PROGRAM OFFERING CAREER EDUCATION OR HIGHER EDUCA-
TION, AS SUCH TERMS ARE DEFINED IN SECTION TWO OF THE EDUCATION LAW, AND
ANY OTHER INSTITUTION OF HIGHER EDUCATION, TECHNICAL COLLEGE, SCHOOL,
PUBLIC SCHOOL, CHARTER SCHOOL, PRIVATE SCHOOL, AND ANY PRIVATE EDUCA-
TIONAL TESTING SERVICE OR ADMINISTRATOR.
3. "EMPLOYER" MEANS A PERSON, INCLUDING THE STATE OR A POLITICAL
SUBDIVISION OF THE STATE, THAT HAS ONE OR MORE WORKERS EMPLOYED IN THE
SAME BUSINESS OR BUSINESS ACTIVITY, OR IN OR ABOUT THE SAME ESTABLISH-
MENT, WITH THE RIGHT TO CONTROL AND DIRECT THE WORK PROVIDED BY SUCH
WORKERS.
4. "PERSONAL INTERNET ACCOUNT" MEANS AN ONLINE ACCOUNT THAT IS USED BY
AN EMPLOYEE OR AN APPLICANT FOR EMPLOYMENT EXCLUSIVELY FOR PERSONAL
COMMUNICATIONS UNRELATED TO ANY BUSINESS PURPOSE OF THE EMPLOYER, BUT
DOES NOT INCLUDE AN ACCOUNT CREATED, MAINTAINED, USED, OR ACCESSED BY AN
EMPLOYEE OR APPLICANT FOR EMPLOYMENT FOR BUSINESS RELATED COMMUNICATIONS
OR FOR A BUSINESS PURPOSE OF THE EMPLOYER. AS USED HEREIN, "PERSONAL
INTERNET ACCOUNT" ALSO MEANS AND INCLUDES SOCIAL MEDIA ACCOUNTS AND
WEBSITE OR ONLINE SERVICES, AS DEFINED IN THIS SECTION, USED BY AN
EMPLOYEE OR AN APPLICANT FOR EMPLOYMENT EXCLUSIVELY FOR PERSONAL COMMU-
NICATIONS UNRELATED TO ANY BUSINESS PURPOSE OF THE EMPLOYER BUT NOT
CREATED, MAINTAINED, USED, OR ACCESSED BY AN EMPLOYEE OR APPLICANT FOR
EMPLOYMENT FOR BUSINESS RELATED COMMUNICATIONS OR FOR A BUSINESS PURPOSE
OF THE EMPLOYER.
5. "SOCIAL MEDIA" MEANS AN INTERNET-BASED SERVICE THAT ALLOWS INDIVID-
UALS TO ENGAGE IN ACTIVITIES WHICH INCLUDE BUT ARE NOT LIMITED TO THE
FOLLOWING: CONSTRUCT A PUBLIC OR SEMI-PUBLIC PROFILE WITHIN A BOUNDED
SYSTEM, CREATED BY THE SERVICE; CREATE A LIST OF OTHER USERS WITH WHOM
THEY SHARE A CONNECTION WITHIN THE SYSTEM; AND VIEW AND NAVIGATE THEIR
LIST OF CONNECTIONS AND THOSE MADE BY OTHERS WITHIN THE SYSTEM. SOCIAL
MEDIA INCLUDES FACEBOOK, E-MAIL, AND TWITTER ACCOUNTS, AND OTHER SIMILAR
SERVICES, AND WEBSITES AND ONLINE SERVICES WHICH INCLUDE THE ACTIVITIES
DESCRIBED IN THIS SUBDIVISION, AND THE DIGITAL MEDIA CONTAINED IN THOSE
SITES, INCLUDING PHOTOS, VIDEOS, TEXTS AND E-MAIL MESSAGES.
6. "WEBSITE OR ONLINE SERVICE" MEANS AND INCLUDES A WEBSITE, ONLINE
SERVICE, ONLINE APPLICATION, MOBILE APPLICATION, ELECTRONIC SERVICE OR
ACCOUNT, THAT CONTAINS ELECTRONIC CONTENT, INCLUDING BUT NOT LIMITED TO
VIDEOS, STILL PHOTOGRAPHS, BLOGS, VIDEO BLOGS, PODCASTS, INSTANT AND
TEXT MESSAGES, E-MAIL, ONLINE SERVICES OR ACCOUNTS, OR WEBSITE PROFILES
OR LOCATIONS.
§ 902. PURPOSE. THE PURPOSE OF THIS ARTICLE IS TO PROTECT THE PRIVACY
OF ONLINE USERS AGAINST INAPPROPRIATE INTRUSION.
§ 903. REQUESTS FOR DISCLOSURE BY EMPLOYERS. 1. EXCEPT AS OTHERWISE
PROVIDED HEREIN, AN EMPLOYER MAY NOT SEEK DISCLOSURE OF INFORMATION
RELATED TO A PERSONAL INTERNET ACCOUNT IN ANY OF THE FOLLOWING WAYS. AN
EMPLOYER MAY NOT:
(A) REQUEST OR REQUIRE AN EMPLOYEE OR AN APPLICANT FOR EMPLOYMENT TO
DISCLOSE A USERNAME AND PASSWORD, OR A PASSWORD, THAT ALLOWS ACCESS TO
THE EMPLOYEE'S OR APPLICANT'S PERSONAL INTERNET ACCOUNT;
(B) REQUEST OR REQUIRE AN EMPLOYEE OR APPLICANT FOR EMPLOYMENT TO ADD
THE EMPLOYER OR AN EMPLOYMENT AGENCY TO THE EMPLOYEE'S OR APPLICANT'S
LIST OF CONTACTS ASSOCIATED WITH A PERSONAL INTERNET ACCOUNT;
(C) REQUEST OR REQUIRE AN EMPLOYEE OR AN APPLICANT FOR EMPLOYMENT TO
ACCESS A PERSONAL INTERNET ACCOUNT IN THE PRESENCE OF THE EMPLOYER IN A
MANNER THAT ENABLES THE EMPLOYER TO OBSERVE THE CONTENTS OF THE EMPLOY-
EE'S OR APPLICANT'S PERSONAL INTERNET ACCOUNT; OR
(D) TAKE ADVERSE ACTION, INCLUDING FAIL TO HIRE, OR OTHERWISE PENALIZE
AN EMPLOYEE OR APPLICANT FOR EMPLOYMENT FOR FAILURE TO DISCLOSE INFORMA-
TION OR FAILURE TO TAKE ACTIONS SPECIFIED IN THIS SUBDIVISION.
2. THE FOREGOING PROVISIONS OF THIS SECTION TO THE CONTRARY NOTWITH-
STANDING, NOTHING CONTAINED HEREIN SHALL PROHIBIT AN EMPLOYER FROM DOING
ANY OF THE FOLLOWING:
(A) REQUESTING OR REQUIRING AN EMPLOYEE TO DISCLOSE A USERNAME OR
PASSWORD REQUIRED SOLELY FOR THE PURPOSE OF GAINING ACCESS TO AN ELEC-
TRONIC COMMUNICATIONS DEVICE SUPPLIED BY OR PAID FOR IN WHOLE OR IN PART
BY THE EMPLOYER; OR AN ACCOUNT OR SERVICE PROVIDED BY THE EMPLOYER,
OBTAINED BY VIRTUE OF THE EMPLOYEE'S EMPLOYMENT RELATIONSHIP WITH THE
EMPLOYER, OR USED FOR THE EMPLOYER'S BUSINESS PURPOSES;
(B) DISCIPLINING OR DISCHARGING AN EMPLOYEE FOR TRANSFERRING THE
EMPLOYER'S PROPRIETARY OR CONFIDENTIAL INFORMATION OR FINANCIAL DATA TO
AN EMPLOYEE'S PERSONAL INTERNET ACCOUNT WITHOUT THE EMPLOYER'S AUTHORI-
ZATION;
(C) CONDUCTING AN INVESTIGATION OR REQUIRING AN EMPLOYEE TO COOPERATE
IN AN INVESTIGATION IF THERE IS SPECIFIC INFORMATION ABOUT ACTIVITY ON
THE EMPLOYEE'S PERSONAL INTERNET ACCOUNT, FOR THE PURPOSE OF ENSURING
COMPLIANCE WITH APPLICABLE LAWS, REGULATORY REQUIREMENTS, OR PROHIBI-
TIONS AGAINST WORK-RELATED EMPLOYEE MISCONDUCT; OR IF THE EMPLOYER HAS
SPECIFIC INFORMATION ABOUT AN UNAUTHORIZED TRANSFER OF THE EMPLOYER'S
PROPRIETARY INFORMATION, CONFIDENTIAL INFORMATION, OR FINANCIAL DATA TO
AN EMPLOYEE'S PERSONAL INTERNET ACCOUNT. IN SUCH CASES AN EMPLOYER MAY
REQUIRE AN EMPLOYEE TO SHARE THE CONTENT THAT HAS BEEN REPORTED IN ORDER
TO MAKE A FACTUAL DETERMINATION;
(D) RESTRICTING OR PROHIBITING AN EMPLOYEE'S ACCESS TO CERTAIN
WEBSITES WHILE USING AN ELECTRONIC COMMUNICATIONS DEVICE SUPPLIED BY, OR
PAID FOR IN WHOLE OR IN PART BY, THE EMPLOYER OR WHILE USING AN EMPLOY-
ER'S NETWORK OR RESOURCES, TO THE EXTENT PERMISSIBLE UNDER APPLICABLE
LAWS; OR
(E) MONITORING, REVIEWING, ACCESSING, OR BLOCKING ELECTRONIC DATA
STORED ON AN ELECTRONIC COMMUNICATIONS DEVICE SUPPLIED BY, OR PAID FOR
IN WHOLE OR IN PART BY, THE EMPLOYER, OR STORED ON AN EMPLOYER'S
NETWORK, TO THE EXTENT PERMISSIBLE UNDER APPLICABLE LAWS.
3. NOTHING CONTAINED HEREIN SHALL BE DEEMED TO PROHIBIT OR RESTRICT AN
EMPLOYER FROM COMPLYING WITH A DUTY TO SCREEN EMPLOYEES OR APPLICANTS
BEFORE HIRING OR TO MONITOR OR RETAIN EMPLOYEE COMMUNICATIONS ESTAB-
LISHED UNDER FEDERAL LAW, BY A SELF-REGULATORY ORGANIZATION UNDER THE
SECURITIES AND EXCHANGE ACT OF 1934, 15 U.S.C. SEC. 78C(A)(26), OR IN
THE COURSE OF A LAW ENFORCEMENT EMPLOYMENT APPLICATION OR LAW ENFORCE-
MENT OFFICER CONDUCT INVESTIGATION PERFORMED BY A LAW ENFORCEMENT AGEN-
CY.
4. NOTHING CONTAINED HEREIN SHALL BE DEEMED TO PROHIBIT OR RESTRICT AN
EMPLOYER FROM VIEWING, ACCESSING, OR USING INFORMATION ABOUT AN EMPLOYEE
OR APPLICANT THAT CAN BE OBTAINED WITHOUT ACCESSING THE PERSONAL INFOR-
MATION ACCOUNT DESCRIBED IN SUBDIVISION ONE OF THIS SECTION OR THAT IS
OTHERWISE AVAILABLE IN THE PUBLIC DOMAIN.
5. WAIVER OF ANY PROVISION OF SUBDIVISION ONE OF THIS SECTION WITH
RESPECT TO ACCESS BY AN EMPLOYER TO THE PERSONAL INTERNET ACCOUNT OF AN
EMPLOYEE IS HEREBY DECLARED TO BE CONTRARY TO PUBLIC POLICY AND VOID AND
UNENFORCEABLE, AND NOTHING CONTAINED HEREIN SHALL BE DEEMED TO ALLOW AN
EMPLOYER TO REQUIRE A VIOLATION OF SUCH SUBDIVISION AS A CONDITION OF
EMPLOYMENT OR IN A CONTRACT OR ORAL AGREEMENT WITH AN EMPLOYEE OR APPLI-
CANT FOR EMPLOYMENT.
§ 904. REQUESTS FOR DISCLOSURE BY AN EDUCATIONAL INSTITUTION. 1.
EXCEPT AS OTHERWISE PROVIDED HEREIN, AN EDUCATIONAL INSTITUTION MAY NOT
SEEK DISCLOSURE OF INFORMATION RELATED TO A PERSONAL INTERNET ACCOUNT OF
A STUDENT OR PROSPECTIVE STUDENT IN ANY OF THE FOLLOWING WAYS. AN EDUCA-
TIONAL INSTITUTION MAY NOT:
(A) REQUEST OR REQUIRE A STUDENT OR PROSPECTIVE STUDENT TO DISCLOSE A
USERNAME AND PASSWORD, OR A PASSWORD THAT ALLOWS ACCESS TO THE STUDENT'S
OR PROSPECTIVE STUDENT'S PERSONAL INTERNET ACCOUNT;
(B) REQUEST OR REQUIRE A STUDENT OR PROSPECTIVE STUDENT TO ADD THE
EDUCATIONAL INSTITUTION TO THE STUDENT'S OR PROSPECTIVE STUDENT'S LIST
OF CONTACTS ASSOCIATED WITH A PERSONAL INTERNET ACCOUNT;
(C) REQUEST OR REQUIRE A STUDENT OR PROSPECTIVE STUDENT TO ACCESS A
PERSONAL INTERNET ACCOUNT IN THE PRESENCE OF THE EDUCATIONAL INSTITUTION
IN A MANNER THAT ENABLES THE EDUCATIONAL INSTITUTION TO OBSERVE THE
CONTENTS OF THE STUDENT OR PROSPECTIVE STUDENT'S PERSONAL INTERNET
ACCOUNT; OR
(D) EXPEL, SUSPEND, DISCIPLINE, OR OTHERWISE PENALIZE A STUDENT OR
PROSPECTIVE STUDENT FOR FAILURE TO DISCLOSE INFORMATION OR TAKE ACTIONS
PROHIBITED IN THIS SUBDIVISION.
2. THE FOREGOING PROVISIONS OF THIS SECTION TO THE CONTRARY NOTWITH-
STANDING, NOTHING CONTAINED HEREIN SHALL PROHIBIT AN EDUCATIONAL INSTI-
TUTION FROM REQUESTING OR REQUIRING A STUDENT TO DISCLOSE ACCESS INFOR-
MATION TO THE EDUCATIONAL INSTITUTION IN ORDER FOR THE INSTITUTION TO
GAIN ACCESS TO OR OPERATE AN ELECTRONIC COMMUNICATIONS DEVICE SUPPLIED
OR PAID FOR IN WHOLE OR IN PART BY THE INSTITUTION OR IN ORDER FOR THE
EDUCATIONAL INSTITUTION TO GAIN ACCESS TO AN ACCOUNT OR SERVICE PROVIDED
BY THE INSTITUTION, OR OBTAINED BY VIRTUE OF THE STUDENT'S ADMISSION TO
OR ENROLLMENT IN THE EDUCATIONAL INSTITUTION; OR FROM VIEWING, ACCESS-
ING, OR USING INFORMATION ABOUT A STUDENT OR PROSPECTIVE STUDENT THAT
CAN BE OBTAINED WITHOUT ACCESSING INFORMATION OR THAT IS AVAILABLE IN
THE PUBLIC DOMAIN. IN ADDITION:
(A) NOTHING CONTAINED IN THIS SECTION SHALL BE DEEMED TO AFFECT THE
RIGHTS AND OBLIGATIONS OF AN EDUCATIONAL INSTITUTION TO PROTECT AGAINST
AND INVESTIGATE ALLEGED STUDENT MISCONDUCT OR VIOLATIONS OF APPLICABLE
LAWS AND REGULATIONS.
(B) NOTHING CONTAINED IN THIS SECTION SHALL BE DEEMED TO PROHIBIT SUCH
INSTITUTION FROM TAKING ANY ADVERSE ACTION AGAINST A STUDENT, PROSPEC-
TIVE STUDENT, OR STUDENT GROUP FOR ANY LAWFUL REASON.
(C) NOTHING CONTAINED IN THIS SECTION SHALL BE DEEMED TO PROHIBIT A
STUDENT FROM VOLUNTARILY CONSENTING TO SUCH DISCLOSURE.
§ 905. PROHIBITED AND PERMITTED ACTIVITIES BY LANDLORD. 1. A LANDLORD
MAY NOT REQUEST DISCLOSURE OF INFORMATION RELATED TO THE PERSONAL INTER-
NET ACCOUNT OF A TENANT OR PROSPECTIVE TENANT IN ANY OF THE FOLLOWING
WAYS. A LANDLORD MAY NOT:
(A) REQUEST OR REQUIRE A TENANT OR PROSPECTIVE TENANT TO DISCLOSE A
USERNAME AND PASSWORD, OR A PASSWORD THAT ALLOWS ACCESS TO THE TENANT OR
PROSPECTIVE TENANT'S PERSONAL INTERNET ACCOUNT;
(B) REQUEST OR REQUIRE A TENANT OR PROSPECTIVE TENANT TO ADD THE LAND-
LORD TO THE TENANT OR PROSPECTIVE TENANT'S LIST OF CONTACTS ASSOCIATED
WITH A PERSONAL INTERNET ACCOUNT;
(C) REQUEST OR REQUIRE A TENANT OR PROSPECTIVE TENANT TO ACCESS A
PERSONAL INTERNET ACCOUNT IN THE PRESENCE OF THE LANDLORD IN A MANNER
THAT ENABLES THE LANDLORD TO OBSERVE THE CONTENTS OF THE TENANT OR
PROSPECTIVE TENANT'S PERSONAL INTERNET ACCOUNT; OR
(D) DISCRIMINATE AGAINST OR OTHERWISE PENALIZE A TENANT OR PROSPECTIVE
TENANT FOR FAILURE TO DISCLOSE INFORMATION OR TAKE ACTIONS SPECIFIED IN
THIS SUBDIVISION.
2. THE FOREGOING PROVISIONS OF THIS SECTION TO THE CONTRARY NOTWITH-
STANDING, NOTHING CONTAINED HEREIN SHALL PROHIBIT A LANDLORD FROM VIEW-
ING, ACCESSING, OR USING INFORMATION ABOUT A TENANT OR PROSPECTIVE
TENANT THAT CAN BE OBTAINED WITHOUT ACCESSING INFORMATION OR THAT IS
AVAILABLE IN THE PUBLIC DOMAIN.
§ 906. CONSTRUCTION. NOTHING CONTAINED IN THIS ARTICLE SHALL BE DEEMED
TO CREATE A DUTY FOR AN EMPLOYER, EDUCATIONAL INSTITUTION, OR LANDLORD
TO SEARCH OR MONITOR THE ACTIVITY OF A PERSONAL INTERNET ACCOUNT OR TO
CREATE A LIABILITY FOR AN EMPLOYER, EDUCATIONAL INSTITUTION, OR LANDLORD
FOR ANY FAILURE TO REQUEST OR REQUIRE THAT AN EMPLOYEE, APPLICANT FOR
EMPLOYMENT, STUDENT, PROSPECTIVE STUDENT, TENANT, OR PROSPECTIVE TENANT
GRANT ACCESS TO, ALLOW OBSERVATION OF, OR DISCLOSE INFORMATION THAT
ALLOWS ACCESS TO OR OBSERVATION OF A PERSONAL INTERNET ACCOUNT OF THE
EMPLOYEE, APPLICANT FOR EMPLOYMENT, STUDENT, PROSPECTIVE STUDENT,
TENANT, OR PROSPECTIVE TENANT.
§ 907. REMEDIES. 1. THE ATTORNEY GENERAL MAY BRING A CIVIL CAUSE OF
ACTION AGAINST AN EMPLOYER, EDUCATIONAL INSTITUTION, OR LANDLORD IN A
COURT OF COMPETENT JURISDICTION ON BEHALF OF A CITIZEN AGGRIEVED BY A
VIOLATION OF THIS ARTICLE.
2. ANY EMPLOYER, EDUCATIONAL INSTITUTION, OR LANDLORD WHO VIOLATES ANY
PROVISION OF THIS ARTICLE SHALL BE SUBJECT TO A CIVIL PENALTY NOT TO
EXCEED FIVE HUNDRED DOLLARS FOR EACH SUCH VIOLATION.
§ 7. Subdivision 2 of section 390-b of the general business law is
amended by adding a new paragraph (e) to read as follows:
(E) THE TERM "SOCIAL MEDIA" MEANS AN INTERNET-BASED SERVICE THAT
ALLOWS INDIVIDUALS TO ENGAGE IN ACTIVITIES WHICH INCLUDE BUT ARE NOT
LIMITED TO THE FOLLOWING: CONSTRUCT A PUBLIC OR SEMI-PUBLIC PROFILE
WITHIN A BOUNDED SYSTEM, CREATED BY THE SERVICE; CREATE A LIST OF OTHER
USERS WITH WHOM THEY SHARE A CONNECTION WITHIN THE SYSTEM; AND VIEW AND
NAVIGATE THEIR LIST OF CONNECTIONS AND THOSE MADE BY OTHERS WITHIN THE
SYSTEM. SOCIAL MEDIA INCLUDES FACEBOOK, E-MAIL, AND TWITTER ACCOUNTS,
AND OTHER SIMILAR SERVICES, AND WEBSITES AND ONLINE SERVICES WHICH
INCLUDE THE ACTIVITIES DESCRIBED IN THIS PARAGRAPH, AND THE DIGITAL
MEDIA CONTAINED IN THOSE SITES, INCLUDING PHOTOS, VIDEOS, TEXTS AND
E-MAIL MESSAGES.
§ 8. Subdivision 3 of section 390-b of the general business law, as
amended by chapter 414 of the laws of 2006, is amended to read as
follows:
3. It is unlawful for any person, by means of a web page, electronic
message, SOCIAL MEDIA, or other use of the internet to solicit, request
or collect identifying information by deceptively representing himself
or herself, either directly or by implication, to be a business or a
governmental entity and doing so without the authority or approval of
such business or such governmental entity, OR BY DECEPTIVELY REPRESENT-
ING HIMSELF OR HERSELF TO BE ANOTHER PERSON WITHOUT THE AUTHORITY OR
APPROVAL OF SUCH OTHER PERSON, AND DOING SO WITH THE INTENT TO OBTAIN
FINANCIAL INFORMATION OR INFORMATION THAT WOULD ALLOW SUCH INDIVIDUAL TO
OBTAIN FINANCIAL INFORMATION FROM ONE OR MORE OTHER PERSONS OR BUSI-
NESSES.
§ 9. Subdivision 1 of section 899-aa of the general business law is
amended by adding a new paragraph (e) to read as follows:
(E) "DATA BREACH GROUP" MEANS THE ENTITY CREATED BY SECTION EIGHT
HUNDRED NINETY-NINE-BB OF THIS ARTICLE.
§ 10. Paragraph (a) of subdivision 8 of section 899-aa of the general
business law, as amended by section 6 of part N of chapter 55 of the
laws of 2013, is amended to read as follows:
(a) In the event that any New York residents are to be notified, the
person or business shall notify the [state attorney general, the depart-
ment of state and the division of state police] OFFICE OF ONLINE PRIVACY
PROTECTION AND INTERNET SECURITY, WHICH SHALL IMMEDIATELY NOTIFY THE
DATA BREACH GROUP as to the timing, content and distribution of the
notices and approximate number of affected persons. Such notice shall be
made without delaying notice to affected New York residents.
§ 11. The general business law is amended by adding a new section
899-bb to read as follows:
§ 899-BB. DATA BREACH GROUP. 1. THE DATA BREACH GROUP IS HEREBY
CREATED, TO CONSIST OF THE ATTORNEY GENERAL, THE SECRETARY OF STATE, THE
COMMISSIONER OF THE DIVISION OF HOMELAND SECURITY AND EMERGENCY
SERVICES, THE CHIEF INFORMATION OFFICER OF THE OFFICE OF INFORMATION
TECHNOLOGY SERVICES, THE SUPERINTENDENT OF THE DIVISION OF STATE POLICE,
AND THE COMMISSIONER OF THE OFFICE OF ONLINE PRIVACY AND INTERNET SAFE-
TY, OR THEIR DESIGNEES. ITS PURPOSES SHALL BE: TO RECEIVE, EVALUATE, AND
ACT ON ANY REPORT OF A BREACH OF THE SECURITY OF THE SYSTEM MADE PURSU-
ANT TO SECTION EIGHT HUNDRED NINETY-NINE-AA OF THIS ARTICLE, OR TO
SECTION TWO HUNDRED EIGHT OF THE STATE TECHNOLOGY LAW; TO ESTABLISH
PRIORITIES AND RESPONSIBILITIES PURSUANT TO LAW AMONG ITS MEMBERS SO AS
TO PROMOTE EFFICIENCY IN RESPONSES TO VIOLATIONS OF INTERNET PRIVACY AND
AVOID DUPLICATION, OVERLAP, AND UNNECESSARY PAPERWORK, INCLUDING MULTI-
PLE FILINGS BY FOR-PROFIT AND NOT-FOR-PROFIT BUSINESSES AND ENTITIES,
AND OTHER GOVERNMENTAL ENTITIES; TO ESTABLISH WHERE APPROPRIATE SIMPLI-
FIED REPORTING FORMS AND PROCEDURES IN ACCORDANCE WITH LAW, AND A SINGLE
REPORTING INTAKE SYSTEM; TO MAINTAIN DATABASE RECORDS AND REPORTS
CONCERNING SECURITY BREACHES; TO ESTABLISH COOPERATIVE WORKING RELATION-
SHIPS WITH FEDERAL, STATE, AND LOCAL POLICE AND INVESTIGATORS; AND TO
INSURE APPROPRIATE AND TIMELY PUBLIC NOTIFICATION OF SECURITY BREACHES
THAT INCLUDES INFORMATION SUFFICIENT FOR INDIVIDUALS TO TAKE APPROPRIATE
STEPS TO PROTECT THEMSELVES.
2. THE DATA BREACH GROUP SHALL BE CHAIRED BY THE COMMISSIONER OF THE
DIVISION OF HOMELAND SECURITY AND EMERGENCY SERVICES WITH ADMINISTRATIVE
SERVICES PROVIDED BY THE OFFICE OF ONLINE PRIVACY AND INTERNET SAFETY.
THE DATA BREACH GROUP SHALL MEET ON A MONTHLY BASIS, OR MORE OFTEN IF
THEIR WORK REQUIRES, PROVIDED THAT ATTENDANCE AT SUCH MEETINGS MAY BE BY
TELEPHONIC OR VIDEO CONFERENCE, AS THE GROUP SHALL DECIDE.
§ 12. The general business law is amended by adding a new article 39-I
to read as follows:
ARTICLE 39-I
REQUIREMENTS FOR USE AND DESTRUCTION OF ONLINE PERSONAL AND
PRIVATE INFORMATION
SECTION 910. SHORT TITLE.
911. DEFINITIONS.
912. PURPOSE.
913. APPLICATION.
914. LIABILITY FOR FAILURE TO COMPLY.
§ 910. SHORT TITLE. THIS ARTICLE SHALL BE KNOWN AND MAY BE CITED AS
THE "NEW YORK STATE ONLINE PRIVACY ACT".
§ 911. DEFINITIONS. AS USED IN THIS ARTICLE, THE FOLLOWING TERMS SHALL
HAVE THE FOLLOWING MEANINGS: 1. "PERSONAL INFORMATION" AND "PRIVATE
INFORMATION" SHALL HAVE THE SAME MEANINGS AS IN PARAGRAPHS (A) AND (B)
OF SUBDIVISION ONE OF SECTION EIGHT HUNDRED NINETY-NINE-AA OF THIS CHAP-
TER.
2. "DESTRUCTION OF INFORMATION" MEANS ACTIONS TAKEN BY THE PROVIDER OF
A PERSONAL INTERNET ACCOUNT TO RENDER THE PERSONAL INFORMATION AND
PRIVATE INFORMATION OF A USER UNREADABLE AND INCAPABLE OF RECON-
STRUCTION.
3. "PRIVACY POLICY" MEANS A POLICY CONCERNING THE PRIVACY OF
PERSONALLY IDENTIFIABLE INFORMATION COLLECTED BY AN OPERATOR THROUGH ITS
WEBSITE OR ONLINE SERVICE THAT MEETS THE FAIR INFORMATION PRACTICE PRIN-
CIPLES GUIDELINES ESTABLISHED BY THE FEDERAL TRADE COMMISSION, OR ANY
SUCCESSOR THERETO IN THE FORM OF GUIDELINES OR LAW.
4. "PERSONAL INTERNET ACCOUNT" HAS THE SAME MEANING AS SUCH TERM IS
DEFINED IN SUBDIVISION FOUR OF SECTION NINE HUNDRED ONE OF THIS CHAPTER.
§ 912. PURPOSE. THE PURPOSE OF THIS ARTICLE IS TO SAFEGUARD THE
PERSONAL AND PRIVATE INFORMATION OF USERS OF THE INTERNET BY REQUIRING
THAT OPERATORS OF SERVICES OFFERING PERSONAL INTERNET ACCOUNTS ESTABLISH
PRIVACY POLICIES THAT MEET FEDERAL STANDARDS, DISCLOSE SUCH POLICIES TO
USERS OF THEIR SERVICES, AND DISCLOSE THEIR PROCESSES FOR DESTRUCTION OF
INFORMATION.
§ 913. APPLICATION. 1. THE PROVIDER OF A SERVICE WHICH OFFERS
PERSONAL INTERNET ACCOUNTS SHALL PROMULGATE, POST, AND IMPLEMENT A
PRIVACY POLICY AS DEFINED HEREIN.
2. A PROVIDER OF A SERVICE WHICH OFFERS A PERSONAL INTERNET ACCOUNT
SHALL PROVIDE FOR DESTRUCTION OF INFORMATION OF A USER WHO CANCELS SUCH
ACCOUNT AND SHALL NOTIFY USERS ABOUT ITS POLICY AND PROCESSES REGARDING
SUCH DESTRUCTION.
§ 914. LIABILITY FOR FAILURE TO COMPLY. A PROVIDER OF A SERVICE WHICH
OFFERS A PERSONAL INTERNET ACCOUNT WHICH IS NEGLIGENT IN FAILING TO
COMPLY WITH ANY REQUIREMENT IMPOSED PURSUANT TO THIS ARTICLE FOR POSTING
OF A PRIVACY POLICY OR DESTRUCTION OF INFORMATION IS LIABLE TO THAT USER
IN AN AMOUNT EQUAL TO THE SUM OF ANY ACTUAL DAMAGES SUSTAINED AS A
RESULT OF SUCH FAILURE, AND IN THE CASE OF ANY SUCCESSFUL ACTION TO
ENFORCE ANY LIABILITY UNDER THIS SECTION, THE COSTS OF THE ACTION
TOGETHER WITH REASONABLE ATTORNEY'S FEES AS DETERMINED BY THE COURT;
PROVIDED HOWEVER THAT SOLELY WITH RESPECT TO AN ALLEGED FAILURE TO POST
A PRIVACY POLICY, OR TO POST TIMELY OR TO POST ALL THE INFORMATION
REQUIRED, OR TO POST ACCURATE INFORMATION, AN OPERATOR MAY ASSERT AS A
COMPLETE DEFENSE IN ANY ACTION IN LAW OR EQUITY THAT IT THEREAFTER
PROVIDED SUCH INFORMATION TO ALL AFFECTED USERS WITHIN THIRTY DAYS OF
THE DATE THAT OPERATOR KNEW OF SUCH FAILURE. THE RIGHTS AND REMEDIES
AVAILABLE UNDER THIS SECTION ARE CUMULATIVE TO EACH OTHER AND TO ANY
OTHER RIGHTS AND REMEDIES AVAILABLE UNDER LAW.
§ 13. Any other provision of any other law to the contrary notwith-
standing, the director of the division of the budget, the office of
state comptroller, and the commissioner of the department of civil
service shall develop a plan providing for the orderly transition of
such employees and functions as shall be necessary and appropriate to
the operations and functioning of the office of online privacy
protection and internet safety created by this act. Such plan shall be
completed and submitted to the legislature not later than 180 days after
this act shall have become law, but in no case later than February first
of the succeeding calendar year, at which time such agencies and agen-
cies affected by the plan shall begin implementation of the plan. Any
other provision of any other law to the contrary notwithstanding, and in
accordance with section 4 of the state finance law, the comptroller is
hereby authorized and directed to transfer, at the request of the direc-
tor of the budget and pursuant to such plan, such funds as shall be
necessary and appropriate for the creation and operation of the office
of online privacy and internet safety, but in no case shall such trans-
fers total more than 10 million dollars within the fiscal year in which
the office shall have been created.
§ 14. Severability. If any clause, sentence, paragraph, subdivision,
section or part of this act shall be adjudged by a court of competent
jurisdiction to be invalid, such judgment shall not affect, impair or
invalidate the remainder thereof, but shall be confined in its operation
to the clause, sentence, paragraph, subdivision, section or part of this
act directly involved in the controversy in which such judgment shall
have been rendered.
§ 15. This act shall take effect on the first of January next succeed-
ing the date on which it shall have become a law.