STATE OF NEW YORK
8169
2019-2020 Regular Sessions
IN ASSEMBLY
June 4, 2019
Introduced by M. of A. LiPETRI -- read once and referred to the Committee on Governmental Operations
AN ACT to amend the state technology law, in relation to protecting personal information
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEMBLY, DO ENACT AS FOLLOWS:
Section 1. The state technology law is amended by adding a new article 4 to read as follows:
ARTICLE IV
PROTECTION OF PERSONAL INFORMATION
SECTION 401. DEFINITIONS OF TERMS.
402. DUTY TO PROTECT PERSONAL INFORMATION.
403. BREACH OF SECURITY.
404. CAUSES OF ACTION.
§ 401. DEFINITIONS OF TERMS. THE FOLLOWING DEFINITIONS ARE APPLICABLE TO THIS ARTICLE, EXCEPT WHERE DIFFERENT MEANINGS ARE EXPRESSLY SPECIFIED:
1. "PERSONAL INFORMATION SUBJECT" MEANS ANY NATURAL PERSON WHO HAS HIS OR HER PERSONAL INFORMATION COLLECTED OR MAINTAINED BY A PERSONAL INFORMATION RECIPIENT.
2. "PERSONAL INFORMATION RECIPIENT" MEANS ANY NATURAL PERSON, CORPORATION, PARTNERSHIP, LIMITED LIABILITY COMPANY, UNINCORPORATED ASSOCIATION, GOVERNMENT, OR OTHER ENTITY, THAT, IN THE COURSE OF THEIR PERSONAL, BUSINESS, COMMERCIAL, CORPORATE, ASSOCIATION OR GOVERNMENTAL OPERATIONS, COLLECTS, RECEIVES, STORES, MAINTAINS, PROCESSES, OR OTHERWISE HAS ACCESS TO, PERSONAL INFORMATION.
3. "PERSONAL INFORMATION COLLECTOR" MEANS ANY PERSONAL INFORMATION RECIPIENT, THAT DOES NOT MAINTAIN OR STORE SUCH PERSONAL INFORMATION, OR MAINTAIN ACCESS TO SUCH PERSONAL INFORMATION, FOR MORE THAN FIVE MINUTES, AND WAS PROVIDED WITH THE PERSONAL INFORMATION BY THE PERSONAL INFORMATION SUBJECT.
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD09699-02-9
4. "PERSONAL INFORMATION HOLDER" MEANS ANY PERSONAL INFORMATION RECIPIENT, THAT MAINTAINS OR STORES SUCH PERSONAL INFORMATION, OR MAINTAINS ACCESS TO SUCH PERSONAL INFORMATION, FOR MORE THAN FIVE MINUTES, AND WAS PROVIDED WITH THE PERSONAL INFORMATION BY THE PERSONAL INFORMATION SUBJECT. "PERSONAL INFORMATION HOLDER" SHALL NOT INCLUDE ANY OF THE FOLLOWING: A CREDIT UNION AS DEFINED BY SUBDIVISION NINE OF SECTION TWO OF THE BANKING LAW OR A FEDERALLY CHARTERED CREDIT UNION AS DEFINED BY THE FEDERAL CREDIT UNION ACT LOCATED AND AUTHORIZED TO DO BUSINESS IN NEW YORK; A SAVINGS BANK AS DEFINED BY SUBDIVISION FOUR OF SECTION TWO OF THE BANKING LAW OR ANY FEDERAL SAVINGS BANK; OR ANY SAVINGS AND LOAN ASSOCIATION AS DEFINED BY SUBDIVISION EIGHT OF SECTION TWO OF THE BANKING LAW OR ANY FEDERAL SAVINGS AND LOAN ASSOCIATION.
5. "THIRD PARTY PERSONAL INFORMATION HOLDER" MEANS ANY PERSONAL INFORMATION RECIPIENT, THAT AGREES TO COLLECT, RECEIVE, STORE, MAINTAIN, PROCESS, OR OTHERWISE HAVE ACCESS TO, PERSONAL INFORMATION, AND WAS PROVIDED WITH SUCH PERSONAL INFORMATION FROM A PERSONAL INFORMATION COLLECTOR, A PERSONAL INFORMATION HOLDER, OR ANOTHER THIRD PARTY PERSONAL INFORMATION HOLDER. "THIRD PARTY PERSONAL INFORMATION HOLDER" SHALL NOT INCLUDE ANY OF THE FOLLOWING: A CREDIT UNION AS DEFINED BY SUBDIVISION NINE OF SECTION TWO OF THE BANKING LAW OR A FEDERALLY CHARTERED CREDIT UNION AS DEFINED BY THE FEDERAL CREDIT UNION ACT LOCATED AND AUTHORIZED TO DO BUSINESS IN NEW YORK; A SAVINGS BANK AS DEFINED BY SUBDIVISION FOUR OF SECTION TWO OF THE BANKING LAW OR ANY FEDERAL SAVINGS BANK; OR ANY SAVINGS AND LOAN ASSOCIATION AS DEFINED BY SUBDIVISION EIGHT OF SECTION TWO OF THE BANKING LAW OR ANY FEDERAL SAVINGS AND LOAN ASSOCIATION.
6. "PERSONAL INFORMATION" (A) MEANS ANY INFORMATION, INCLUDING PAPER-BASED INFORMATION OR ELECTRONIC INFORMATION, THAT CONTAINS A NEW YORK STATE RESIDENT'S FIRST NAME AND LAST NAME, OR A NEW YORK STATE RESIDENT'S FIRST INITIAL AND LAST NAME, IN COMBINATION WITH ANY ONE OR MORE OF THE FOLLOWING OTHER INFORMATIONAL ELEMENTS THAT RELATE TO SUCH RESIDENT:
(1) A GOVERNMENTALLY ISSUED IDENTIFICATION NUMBER, INCLUDING:
(I) SOCIAL SECURITY NUMBER;
(II) DRIVER'S LICENSE NUMBER;
(III) STATE ISSUED IDENTIFICATION CARD NUMBER;
(IV) MILITARY IDENTIFICATION CARD NUMBER;
(V) STUDENT IDENTIFICATION NUMBER; OR
(VI) A UNITED STATES PASSPORT NUMBER;
(2) PERSONAL FINANCIAL INFORMATION, INCLUDING:
(I) FINANCIAL ACCOUNT INFORMATION, INCLUDING:
(A) BANK ACCOUNT INFORMATION;
(B) INVESTMENT ACCOUNT INFORMATION;
(C) RETIREMENT ACCOUNT INFORMATION;
(D) DEFERRED COMPENSATION ACCOUNT INFORMATION;
(E) MORTGAGE ACCOUNT INFORMATION;
(F) CAR LOAN ACCOUNT INFORMATION;
(G) CREDIT LINE ACCOUNT INFORMATION;
(H) PERSONAL LOAN ACCOUNT INFORMATION; OR
(I) ANY OTHER MONETARY FUND OR LOAN ACCOUNT INFORMATION, INCLUDING:
(I) THE NUMBER OF SUCH FINANCIAL ACCOUNT;
(II) ANY RECORD OF SUCH FINANCIAL ACCOUNT;
(III) A TRANSACTION HISTORY OF SUCH ACCOUNT;
(IV) A BALANCE OF SUCH ACCOUNT; AND/OR
(V) ANY SECURITY CODE, ACCESS CODE, PERSONAL IDENTIFICATION NUMBER OR PASSWORD, THAT WOULD PERMIT ACCESS TO, OR USE OF, SUCH FINANCIAL ACCOUNT;
(II) CREDIT OR DEBIT CARD INFORMATION, INCLUDING:
(A) THE NUMBER OF SUCH CREDIT CARD OR DEBIT CARD;
(B) THE EXPIRATION DATE OF SUCH CREDIT OR DEBIT CARD;
(C) THE CARD VERIFICATION VALUE CODE NUMBER OF SUCH CREDIT OR DEBIT CARD;
(D) ANY RECORD OF SUCH CREDIT OR DEBIT CARD ACCOUNT;
(E) ANY TRANSACTION HISTORY OF SUCH CREDIT OR DEBIT CARD;
(F) ANY BALANCE OF SUCH CREDIT OR DEBIT CARD; AND/OR
(G) ANY REQUIRED SECURITY CODE, ACCESS CODE, PERSONAL IDENTIFICATION NUMBER OR PASSWORD, THAT WOULD PERMIT ACCESS TO, OR USE OF, SUCH CREDIT OR DEBIT CARD; OR
(III) CREDIT STATUS INFORMATION, INCLUDING:
(A) CREDIT SCORE;
(B) CREDIT HISTORY; OR
(C) ANY INFORMATION DESCRIBING CREDIT TRANSACTIONS OF THE PERSONAL INFORMATION SUBJECT;
(3) PHYSICAL CHARACTERISTIC INFORMATION, INCLUDING:
(I) THE HEIGHT OF THE PERSONAL INFORMATION SUBJECT;
(II) THE WEIGHT OF THE PERSONAL INFORMATION SUBJECT;
(III) THE HAIR COLOR OF THE PERSONAL INFORMATION SUBJECT;
(IV) THE EYE COLOR OF THE PERSONAL INFORMATION SUBJECT; AND/OR
(V) ANY OTHER DISTINGUISHING CHARACTERISTICS OF THE PERSONAL INFORMATION SUBJECT;
(4) BIOMETRIC INFORMATION, INCLUDING:
(I) FINGERPRINTS OF THE PERSONAL INFORMATION SUBJECT;
(II) VOICE-PRINTS OF THE PERSONAL INFORMATION SUBJECT;
(III) EYE SCANS OF THE PERSONAL INFORMATION SUBJECT;
(IV) BLOOD SAMPLES OF THE PERSONAL INFORMATION SUBJECT;
(V) DEOXYRIBONUCLEIC ACID (DNA) BASED SAMPLES OF THE PERSONAL INFORMATION SUBJECT;
(VI) SKIN SAMPLES OF THE PERSONAL INFORMATION SUBJECT;
(VII) HAIR SAMPLES OF THE PERSONAL INFORMATION SUBJECT; AND/OR
(VIII) ANY OTHER BIOMETRIC INFORMATION WHICH IS INTENDED OR COLLECTED FOR THE PURPOSE OF IDENTIFICATION OF THE PERSONAL INFORMATION SUBJECT; OR
(5) MEDICAL INFORMATION, INCLUDING BUT NOT LIMITED TO, ANY INFORMATION COLLECTED OR MAINTAINED ABOUT A PERSONAL INFORMATION SUBJECT PURSUANT TO EXAMINATION, TESTING OR TREATMENT FOR PHYSICAL OR MENTAL ILLNESS OR WELLNESS, OR ANY OTHER INFORMATION COLLECTED OR MAINTAINED ON A PERSONAL INFORMATION SUBJECT BY A HEALTH CARE PROVIDER OR HEALTH CARE INSURER;
(B) SHALL NOT INCLUDE:
(1) PERSONAL INFORMATION THAT IS LAWFULLY OBTAINED FROM PUBLICLY AVAILABLE INFORMATION, OR FROM FEDERAL, STATE OR LOCAL GOVERNMENT RECORDS LAWFULLY MADE AVAILABLE TO THE GENERAL PUBLIC; OR
(2) PAPER-BASED INFORMATION THAT HAS BEEN INTENTIONALLY DISCARDED OR ABANDONED BY THE PERSONAL INFORMATION SUBJECT.
7. "BREACH OF SECURITY" MEANS THE UNAUTHORIZED ACCESS, VIEWING, ACQUISITION, COPYING, DUPLICATION, REMOVAL OR ANY OTHER USE OF PERSONAL INFORMATION, EITHER IN UNENCRYPTED FORM OR IN ENCRYPTED FORM TOGETHER WITH THE CONFIDENTIAL PROCESS OR KEY THAT IS CAPABLE OF COMPROMISING THE SECURITY, CONFIDENTIALITY, OR INTEGRITY OF PERSONAL INFORMATION. A GOOD FAITH UNAUTHORIZED ACCESS, VIEWING OR ACQUISITION OF PERSONAL INFORMATION, FOR THE LAWFUL PURPOSES OF A PERSONAL INFORMATION COLLECTOR, SHALL NOT BE DEEMED TO BE A BREACH OF SECURITY UNLESS THE PERSONAL INFORMATION IS THEREAFTER USED IN AN UNAUTHORIZED MANNER OR IS SUBJECT TO FURTHER UNAUTHORIZED DISCLOSURE, AS A RESULT OF SUCH GOOD FAITH UNAUTHORIZED ACCESS OR ACQUISITION.
8. "RECORD" MEANS ANY INFORMATION UPON WHICH WRITTEN, DRAWN, SPOKEN, VISUAL, OR ELECTROMAGNETIC DATA OR IMAGES ARE RECORDED OR PRESERVED, EITHER AS PAPER-BASED INFORMATION OR ELECTRONIC INFORMATION.
9. "PAPER-BASED INFORMATION" MEANS PERSONAL INFORMATION COLLECTED OR MAINTAINED VIA PAPER, WRITING OR OTHER DRAWING MEDIUM, OR ANY OTHER PHYSICAL BASED, TANGIBLE, RECORDING MEDIUM.
10. "ELECTRONIC INFORMATION" MEANS PERSONAL INFORMATION COLLECTED OR MAINTAINED VIA COMPUTER, TELEPHONE, INTERNET, COMPUTER NETWORK OR OTHER ELECTRICAL, DIGITAL, MAGNETIC, WIRELESS, OPTICAL, ELECTROMAGNETIC OR SIMILAR DEVICE.
11. "ENCRYPTION" MEANS THE TRANSFORMATION OF DATA INTO A FORM IN WHICH THE MEANING OF SUCH DATA CANNOT BE ACCESSED WITHOUT THE USE OF A CONFIDENTIAL PROCESS OR KEY.
12. "OFFICE" MEANS THE OFFICE OF INFORMATION TECHNOLOGY SERVICES.
§ 402. DUTY TO PROTECT PERSONAL INFORMATION. EVERY PERSONAL INFORMATION RECIPIENT SHALL HAVE A LEGAL DUTY TO PROTECT THE SECURITY AND INTEGRITY OF ALL PERSONAL INFORMATION IN THEIR CUSTODY FROM UNAUTHORIZED ACCESS OR UNAUTHORIZED USE.
§ 403. BREACH OF SECURITY. 1. NOTIFICATION TO THE DIVISION OF STATE POLICE. IN ADDITION TO ANY OTHER REQUIREMENTS CONTAINED WITHIN ANY OTHER PROVISION OF LAW, NOT LATER THAN THREE DAYS AFTER DISCOVERING A SECURITY BREACH INVOLVING PERSONAL INFORMATION, ANY PERSONAL INFORMATION RECIPIENT THAT HAS EXPERIENCED A BREACH OF SECURITY INVOLVING PERSONAL INFORMATION, SHALL MAKE A COMPREHENSIVE REPORT TO THE DIVISION OF STATE POLICE, IN THE FORM AND MANNER REQUIRED BY SUCH DIVISION, NOTIFYING THE DIVISION OF STATE POLICE OF SUCH SECURITY BREACH.
2. NOTIFICATION OF THE CHIEF INFORMATION OFFICER. NOT MORE THAN TWO DAYS AFTER RECEIVING THE NOTIFICATION REQUIRED PURSUANT TO SUBDIVISION ONE OF THIS SECTION, THE DIVISION OF STATE POLICE SHALL PROVIDE THE COMPREHENSIVE REPORT PROVIDED TO SUCH DIVISION TO THE CHIEF INFORMATION OFFICER OF THE OFFICE.
3. NOTIFICATION OF PERSONAL INFORMATION SUBJECTS. IN ADDITION TO ANY OTHER REQUIREMENTS PURSUANT TO ANY OTHER PROVISION OF LAW, UPON THE RECEIPT OF THE COMPREHENSIVE REPORT REQUIRED BY SUBDIVISION TWO OF THIS SECTION, THE CHIEF INFORMATION OFFICER OF THE OFFICE SHALL REQUIRE, IN A SPECIFIED TIMEFRAME, AND IN A SPECIFIED FORM AND MANNER, THAT THE PERSONAL INFORMATION RECIPIENT, OR THIRD PARTY PERSONAL INFORMATION RECIPIENT, WHICH SUSTAINED THE BREACH OF SECURITY OF THE PERSONAL INFORMATION, NOTIFY ALL PERSONAL INFORMATION SUBJECTS IMPACTED BY THE SECURITY BREACH, OF THE FACT THAT THERE HAS BEEN A BREACH OF SECURITY INVOLVING THEIR PERSONAL INFORMATION.
§ 404. CAUSES OF ACTION. 1. CIVIL ACTIONS. ANY PERSONAL INFORMATION SUBJECT MAY BRING A CIVIL ACTION, AGAINST A PERSONAL INFORMATION HOLDER IN THE SUPREME COURT OF ANY COUNTY IN WHICH THE PERSONAL INFORMATION RECIPIENT RESIDES OR CONDUCTS BUSINESS OPERATIONS, FOR DAMAGES OR EQUITABLE RELIEF, ARISING FROM A BREACH OF SECURITY, AND IN ACCORDANCE WITH THE PROVISIONS OF THIS SECTION. A CIVIL ACTION FOR DAMAGES OR EQUITABLE RELIEF, SHALL NOT, HOWEVER, BE BROUGHT BY A PERSONAL INFORMATION SUBJECT, IN ANY OTHER STATE COURT OF COMPETENT JURISDICTION, OTHER THAN IN ACCORDANCE WITH THE PROVISIONS OF THIS SECTION, IF SUCH CIVIL ACTION ARISES OUT OF A BREACH OF SECURITY BY A PERSONAL INFORMATION HOLDER. NO ACTION SHALL BE BROUGHT UNDER THIS SECTION AGAINST A PERSONAL INFORMATION COLLECTOR OR A THIRD PARTY PERSONAL INFORMATION COLLECTOR UNLESS BROUGHT IN ACCORDANCE WITH THE PROVISIONS OF SUBPARAGRAPH FOUR OF PARAGRAPH (C) OF SUBDIVISION TWO OF THIS SECTION.
2. CIVIL ACTIONS THAT MAY BE BROUGHT BY A PERSONAL INFORMATION SUBJECT AGAINST A PERSONAL INFORMATION RECIPIENT.
(A) TIMELINESS OF ACTIONS. A CIVIL ACTION MAY BE BROUGHT IN ACCORDANCE WITH THIS SECTION IF SUCH CIVIL ACTION IS BROUGHT WITHIN SIX YEARS OF THE DATE OF THE REPORTING OF THE BREACH OF SECURITY AS REQUIRED BY SECTION FOUR HUNDRED THREE OF THIS ARTICLE, OR IN THE EVENT NO SUCH REPORT WAS EVER MADE, WITHIN ANY TIME AFTER THE DATE OF THE DISCOVERY OF THE BREACH OF SECURITY BY THE PERSONAL INFORMATION SUBJECT.
(B) EQUITABLE ACTION. ANY ACTION BROUGHT IN ACCORDANCE WITH THIS SECTION, MAY SEEK DAMAGES AND/OR EQUITABLE RELIEF. IF A PERSONAL INFORMATION SUBJECT SEEKS EQUITABLE RELIEF FOR A BREACH OF SECURITY INVOLVING A SECURITY BREACH OF PERSONAL INFORMATION FROM A PERSONAL INFORMATION RECIPIENT, AND THE COURT DETERMINES THAT SUCH EQUITABLE RELIEF IS JUST AND PROPER AND SHOULD BE AWARDED, THEN IN ADDITION TO SUCH EQUITABLE RELIEF, THE COURT MAY ALSO AWARD THE PERSONAL INFORMATION SUBJECT COSTS, DISBURSEMENTS AND ATTORNEYS FEES OF THE ACTION. NO ACTION BROUGHT UNDER THIS SECTION FOR EQUITABLE RELIEF SHALL PROHIBIT A PERSONAL INFORMATION SUBJECT FROM ALSO BRINGING ANY ADDITIONAL CAUSE OF ACTION FOR DAMAGES, WHEN SUCH ADDITIONAL CAUSE OF ACTION IS ALLOWED UNDER THIS ARTICLE.
(C) ACTIONS INVOLVING DAMAGES. ANY ACTION BROUGHT IN ACCORDANCE WITH THIS SECTION, SEEKING DAMAGES FOR A BREACH OF SECURITY INVOLVING A SECURITY BREACH OF PERSONAL INFORMATION FROM A PERSONAL INFORMATION RECIPIENT, SHALL BE BROUGHT AS FOLLOWS:
(1) PERSONAL INFORMATION HOLDERS OR THIRD PARTY PERSONAL INFORMATION HOLDERS WITH ANNUAL REVENUES OF TEN MILLION DOLLARS OR MORE. ANY PERSONAL INFORMATION HOLDER, OR THIRD PARTY PERSONAL INFORMATION HOLDER, THAT HAS ANNUAL REVENUES OF TEN MILLION DOLLARS OR MORE, THAT EXPERIENCES A BREACH OF SECURITY INVOLVING SUCH PERSONAL INFORMATION, SHALL BE STRICTLY LIABLE IN A CIVIL ACTION BROUGHT IN ACCORDANCE WITH THIS SECTION, FOR DAMAGES, IF THE PERSONAL INFORMATION SUBJECT INVOLVED IN THE BREACH OF SECURITY SUSTAINS ANY DAMAGES AS A RESULT OF SUCH BREACH. SUCH STRICT LIABILITY SHALL EXTEND TO DAMAGES IN THE AMOUNT OF THREE TIMES THE AMOUNT OF SUCH DAMAGES SUSTAINED BY THE PERSONAL INFORMATION SUBJECT, OR AN AMOUNT OF UP TO TEN THOUSAND DOLLARS, WHICHEVER IS GREATER, TOGETHER WITH COSTS, DISBURSEMENTS AND ATTORNEYS FEES OF THE ACTION. WHERE THE COURT FINDS THAT THE PERSONAL INFORMATION HOLDER OR A THIRD PARTY PERSONAL INFORMATION HOLDER, INTENTIONALLY FAILED TO ESTABLISH A COMPREHENSIVE PERSONAL INFORMATION SECURITY PROGRAM OR INTENTIONALLY FAILED TO MAINTAIN SAFEGUARDS, STANDARDS, PROTOCOLS OR BEST PRACTICES FOR THE PROTECTION OF PERSONAL INFORMATION, THEN THE COURT MAY ALSO AWARD PUNITIVE DAMAGES TO THE PLAINTIFF OF AN ACTION BROUGHT UNDER THIS SUBDIVISION.
(2) PERSONAL INFORMATION HOLDERS OR THIRD PARTY PERSONAL INFORMATION HOLDERS WITH ANNUAL REVENUES OF BETWEEN ONE MILLION DOLLARS AND TEN MILLION DOLLARS. ANY PERSONAL INFORMATION HOLDER, OR THIRD PARTY PERSONAL INFORMATION HOLDER, THAT HAS ANNUAL REVENUES OF BETWEEN ONE MILLION DOLLARS AND TEN MILLION DOLLARS THAT EXPERIENCES A BREACH OF SECURITY INVOLVING SUCH PERSONAL INFORMATION, SHALL BE STRICTLY LIABLE IN A CIVIL ACTION BROUGHT IN ACCORDANCE WITH THIS SECTION, FOR DAMAGES, IF THE PERSONAL INFORMATION SUBJECT INVOLVED IN THE BREACH OF SECURITY SUSTAINS ANY DAMAGES AS A RESULT OF SUCH BREACH. SUCH STRICT LIABILITY SHALL EXTEND TO DAMAGES IN THE AMOUNT OF THREE TIMES THE AMOUNT OF SUCH DAMAGES SUSTAINED BY THE PERSONAL INFORMATION SUBJECT, OR AN AMOUNT OF UP TO FIVE THOUSAND DOLLARS, WHICHEVER IS GREATER, TOGETHER WITH COSTS, DISBURSEMENTS AND ATTORNEYS FEES OF THE ACTION. WHERE THE COURT FINDS THAT THE PERSONAL INFORMATION HOLDER OR A THIRD PARTY PERSONAL INFORMATION HOLDER, INTENTIONALLY FAILED TO ESTABLISH A COMPREHENSIVE PERSONAL INFORMATION SECURITY PROGRAM OR INTENTIONALLY FAILED TO MAINTAIN SAFEGUARDS, STANDARDS, PROTOCOLS OR BEST PRACTICES FOR THE PROTECTION OF PERSONAL INFORMATION, THEN THE COURT MAY ALSO AWARD PUNITIVE DAMAGES TO THE PLAINTIFF OF AN ACTION BROUGHT UNDER THIS SUBDIVISION.
(3) PERSONAL INFORMATION HOLDERS OR THIRD PARTY PERSONAL INFORMATION HOLDERS WITH ANNUAL REVENUES OF LESS THAN ONE MILLION DOLLARS. ANY PERSONAL INFORMATION HOLDER, OR THIRD PARTY PERSONAL INFORMATION HOLDER, THAT HAS ANNUAL REVENUES OF LESS THAN ONE MILLION DOLLARS, AND THAT FAILS TO MAINTAIN THE SAFEGUARDS, STANDARDS, PROTOCOLS OR BEST PRACTICES FOR THE PROTECTION OF PERSONAL INFORMATION AS ESTABLISHED IN ITS COMPREHENSIVE PERSONAL INFORMATION SECURITY PROGRAM AND THAT EXPERIENCES A BREACH OF SECURITY INVOLVING SUCH PERSONAL INFORMATION, SHALL BE STRICTLY LIABLE IN A CIVIL ACTION BROUGHT IN ACCORDANCE WITH THIS SECTION, FOR DAMAGES, IF THE PERSONAL INFORMATION SUBJECT INVOLVED IN THE BREACH OF SECURITY SUSTAINS ANY DAMAGES AS A RESULT OF SUCH BREACH. SUCH STRICT LIABILITY SHALL EXTEND TO DAMAGES IN THE AMOUNT OF THREE TIMES THE AMOUNT OF SUCH DAMAGES SUSTAINED BY THE PERSONAL INFORMATION SUBJECT, OR AN AMOUNT OF UP TO ONE THOUSAND DOLLARS, WHICHEVER IS GREATER, TOGETHER WITH COSTS, DISBURSEMENTS AND ATTORNEYS FEES OF THE ACTION. WHERE THE COURT FINDS THAT THE PERSONAL INFORMATION HOLDER OR A THIRD PARTY PERSONAL INFORMATION HOLDER, INTENTIONALLY FAILED TO ESTABLISH A COMPREHENSIVE PERSONAL INFORMATION SECURITY PROGRAM OR INTENTIONALLY FAILED TO MAINTAIN SAFEGUARDS, STANDARDS, PROTOCOLS OR BEST PRACTICES FOR THE PROTECTION OF PERSONAL INFORMATION, THEN THE COURT MAY ALSO AWARD PUNITIVE DAMAGES TO THE PLAINTIFF OF AN ACTION BROUGHT UNDER THIS SUBDIVISION.
(4) PERSONAL INFORMATION COLLECTORS. ANY PERSONAL INFORMATION COLLECTOR THAT FAILS TO MAINTAIN THE SAFEGUARDS, STANDARDS, PROTOCOLS OR BEST PRACTICES FOR THE PROTECTION OF PERSONAL INFORMATION, OR THAT FAILS TO ESTABLISH A COMPREHENSIVE PERSONAL INFORMATION SECURITY PROGRAM AND THAT EXPERIENCES A BREACH OF SECURITY INVOLVING SUCH PERSONAL INFORMATION, SHALL BE STRICTLY LIABLE IN A CIVIL ACTION FOR DAMAGES BROUGHT IN ACCORDANCE WITH THIS SECTION, IN THE AMOUNT OF SUCH DAMAGES SO SUSTAINED. WHERE THE COURT FINDS THAT THE PERSONAL INFORMATION COLLECTOR INTENTIONALLY FAILED TO ESTABLISH A COMPREHENSIVE PERSONAL INFORMATION SECURITY PROGRAM OR INTENTIONALLY FAILED TO MAINTAIN SAFEGUARDS, STANDARDS, PROTOCOLS OR BEST PRACTICES FOR THE PROTECTION OF PERSONAL INFORMATION, THEN THE COURT MAY ALSO AWARD PUNITIVE DAMAGES TO THE PLAINTIFF OF AN ACTION BROUGHT UNDER THIS SUBDIVISION.
(5) NO ACTION BROUGHT UNDER THIS SECTION FOR DAMAGES SHALL PROHIBIT A PERSONAL INFORMATION SUBJECT FROM ALSO BRINGING ANY ADDITIONAL CAUSE OF ACTION FOR EQUITABLE RELIEF, WHEN SUCH ADDITIONAL CAUSE OF ACTION IS ALSO ALLOWED UNDER THIS ARTICLE.
3. CIVIL ACTIONS THAT MAY BE BROUGHT BY THE ATTORNEY GENERAL AGAINST A PERSONAL INFORMATION RECIPIENT.
(A) WHENEVER THE ATTORNEY GENERAL BELIEVES FROM EVIDENCE SATISFACTORY TO HIM OR HER THAT THERE IS A VIOLATION OF THIS ARTICLE BY A PERSONAL INFORMATION HOLDER OR THIRD PARTY PERSONAL INFORMATION HOLDER WITH ANNUAL REVENUES OF TEN MILLION DOLLARS OR MORE, HE OR SHE MAY BRING AN ACTION IN THE NAME AND ON BEHALF OF THE PEOPLE OF THE STATE OF NEW YORK, IN A COURT OF JUSTICE HAVING JURISDICTION TO ISSUE AN INJUNCTION, TO ENJOIN AND RESTRAIN THE CONTINUATION OF SUCH VIOLATION. IN SUCH ACTION, PRELIMINARY RELIEF MAY BE GRANTED UNDER ARTICLE SIXTY-THREE OF THE CIVIL PRACTICE LAW AND RULES.
(B) IN SUCH ACTION THE COURT MAY AWARD DAMAGES FOR ACTUAL COSTS OR LOSSES INCURRED BY A PERSONAL INFORMATION SUBJECT SUFFERING DAMAGES PURSUANT TO THIS ARTICLE, IF THE BREACH OCCURRED PURSUANT TO THIS ARTICLE, INCLUDING CONSEQUENTIAL FINANCIAL LOSSES. WHENEVER THE COURT SHALL DETERMINE IN SUCH ACTION THAT A PERSONAL INFORMATION HOLDER OR THIRD PARTY PERSONAL INFORMATION HOLDER WITH ANNUAL REVENUES OF TEN MILLION DOLLARS OR MORE VIOLATED THIS ARTICLE, THE PERSONAL INFORMATION HOLDER OR THIRD PARTY PERSONAL INFORMATION HOLDER SHALL BE HELD STRICTLY LIABLE AND RESPONSIBLE FOR DAMAGES FOR ACTUAL COSTS OR LOSSES INCURRED BY A PERSONAL INFORMATION SUBJECT SUFFERING DAMAGES.
(C) WHENEVER THE COURT SHALL DETERMINE IN SUCH ACTION THAT A PERSONAL INFORMATION HOLDER OR THIRD PARTY PERSONAL INFORMATION HOLDER WITH ANNUAL REVENUES OF TEN MILLION DOLLARS OR MORE VIOLATED THIS ARTICLE, THE COURT MAY IMPOSE A CIVIL PENALTY OF TWO HUNDRED FIFTY THOUSAND DOLLARS PER INSTANCE OF BREACH, PROVIDED THAT THE TOTAL AMOUNTS SHALL NOT EXCEED ONE HUNDRED MILLION DOLLARS.
(D) THE REMEDIES PROVIDED BY THIS SECTION SHALL BE IN ADDITION TO ANY OTHER LAWFUL REMEDY AVAILABLE.
(E) NO ACTION MAY BE BROUGHT UNDER THE PROVISIONS OF THIS SECTION UNLESS SUCH ACTION IS COMMENCED WITHIN SIX YEARS IMMEDIATELY AFTER EITHER THE DATE OF THE ACT COMPLAINED OF OR THE DATE OF DISCOVERY OF SUCH ACT ON WHICH THE ATTORNEY GENERAL BECAME AWARE OF THE VIOLATION, OR THE DATE OF NOTICE SENT PURSUANT TO SECTION FOUR HUNDRED THREE OF THIS ARTICLE.
§ 2. This act shall take effect on the one hundred eightieth day after it shall have become a law.