Assembly actions are shown in lowercase; Senate actions in UPPERCASE.

| Date | Action |
|---|---|
| May 22, 2024 | amended on third reading 48d |
| May 06, 2024 | amended on third reading 48c |
| Jan 03, 2024 | ordered to third reading cal.3 |
| Jun 06, 2023 | ordered to third reading rules cal.567 rules report cal.567 reported |
| May 23, 2023 | reported referred to rules |
| May 18, 2023 | print number 48b |
| May 18, 2023 | amend and recommit to codes |
| May 16, 2023 | reported referred to codes |
| May 12, 2023 | print number 48a |
| May 12, 2023 | amend (t) and recommit to housing |
| Jan 04, 2023 | referred to housing |

Assembly Bill A48D
2023-2024 Legislative Session
Relates to the use of smart access systems and the information that may be gathered from such systems
Sponsored By
ROSENTHAL L
Current Bill Status - On Floor Calendar
- Introduced
- In Committee Assembly
- In Committee Senate
- On Floor Calendar Assembly
- On Floor Calendar Senate
- Passed Assembly
- Passed Senate
- Delivered to Governor
- Signed By Governor
co-Sponsors
Jeffrey Dinowitz
Deborah Glick
Jo Anne Simon
Harvey Epstein
Karen McMahon
William Colton
David Weprin
2023-A48 - Bill Text
STATE OF NEW YORK

48

2023-2024 Regular Sessions

IN ASSEMBLY

(PREFILED)

January 4, 2023

Introduced by M. of A. L. ROSENTHAL, DINOWITZ, GLICK, SIMON, EPSTEIN, McMAHON, COLTON, WEPRIN -- read once and referred to the Committee on Housing

AN ACT to amend the multiple dwelling law and the multiple residence law, in relation to the use of electronic or computerized entry systems and the information that may be gathered from such systems

THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEMBLY, DO ENACT AS FOLLOWS:

Section 1. The multiple dwelling law is amended by adding a new section 50-b to read as follows:

§ 50-B. ELECTRONIC OR COMPUTERIZED ENTRY SYSTEMS. 1. DEFINITIONS. FOR THE PURPOSES OF THIS SECTION, THE FOLLOWING TERMS SHALL HAVE THE FOLLOWING MEANINGS:

(A) "ACCOUNT INFORMATION" MEANS INFORMATION THAT IS USED TO GRANT A USER ENTRY OR ACCESS TO ANY ONLINE TOOLS THAT ARE USED TO MANAGE USER ACCOUNTS RELATED TO AN ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM.

(B) "AUTHENTICATION DATA" MEANS DATA GENERATED OR COLLECTED AT A POINT OF AUTHENTICATION IN CONNECTION WITH GRANTING A USER ENTRY TO A CLASS A MULTIPLE DWELLING OR COMMON AREA WITH AN ELECTRONIC OR COMPUTERIZED ENTRY SYSTEM, EXCEPT THAT "AUTHENTICATION DATA" SHALL NOT INCLUDE DATA GENERATED THROUGH OR COLLECTED BY A VIDEO OR CAMERA SYSTEM THAT IS USED TO MONITOR ENTRANCES BUT NOT TO GRANT ENTRY.

(C) "CRITICAL SECURITY VULNERABILITY" MEANS A SECURITY VULNERABILITY THAT HAS A SIGNIFICANT RISK OF RESULTING IN AN UNAUTHORIZED ACCESS TO AN AREA SECURED BY AN ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM.

(D) "REFERENCE DATA" MEANS INFORMATION AGAINST WHICH AUTHENTICATION DATA IS VERIFIED AT A POINT OF AUTHENTICATION BY A SMART ACCESS SYSTEM IN ORDER TO GRANT A USER ENTRY TO A SMART ACCESS BUILDING OR COMMON AREA OF SUCH BUILDING.
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets [ ] is old law to be omitted. LBD00692-01-3
(E) "SECURITY BREACH" MEANS ANY INCIDENT THAT RESULTS IN UNAUTHORIZED ACCESS OF DATA, APPLICATIONS, SERVICES, NETWORKS AND/OR DEVICES BY BYPASSING UNDERLYING SECURITY MECHANISMS. A "SECURITY BREACH" OCCURS WHEN AN INDIVIDUAL OR AN APPLICATION ILLEGITIMATELY ENTERS A PRIVATE, CONFIDENTIAL OR UNAUTHORIZED LOGICAL INFORMATION TECHNOLOGY PERIMETER.

2. ENTRY. A. WHERE A LANDLORD INSTALLS OR PLANS TO INSTALL AN ELECTRONIC OR COMPUTERIZED ENTRY SYSTEM ON ANY ENTRANCE FROM THE STREET, PASSAGEWAY, COURT, YARD, CELLAR, OR OTHER COMMON AREA OF A CLASS A MULTIPLE DWELLING, SUCH SYSTEM SHALL NOT RELY SOLELY ON A WEB-BASED APPLICATION TO FACILITATE ENTRANCE BUT SHALL ALSO INCLUDE A KEY FOB, KEY CARD, DIGITAL KEY OR PASSCODE FOR TENANT USE.

B. LANDLORDS MAY PROVIDE VARIOUS METHODS OF ENTRY INTO INDIVIDUAL APARTMENTS INCLUDING A MECHANICAL KEY OR AN ELECTRONIC OR COMPUTERIZED ENTRY SYSTEM OF A KEY FOB, KEY CARD OR DIGITAL KEY, PROVIDED, HOWEVER THAT SUCH ELECTRONIC OR COMPUTERIZED ENTRY SYSTEM SHALL NOT RELY SOLELY ON A WEB-BASED APPLICATION.

C. NOTWITHSTANDING PARAGRAPH A OR B OF THIS SUBDIVISION, LANDLORDS SHALL PROVIDE A NON-ELECTRONIC MEANS OF ENTRY WHERE REQUESTED BY THE TENANT DUE TO A RELIGIOUS PREFERENCE.

D. ALL LAWFUL TENANTS AND OCCUPANTS SHALL BE PROVIDED WITH A KEY, KEY FOB, DIGITAL KEY OR KEY CARD AT NO COST TO SUCH TENANTS. THE TERM "OCCUPANTS" SHALL INCLUDE CHILDREN UNDER THE AGE OF EIGHTEEN WHO SHALL BE ISSUED A KEY, KEY FOB, DIGITAL KEY OR KEY CARD IF A PARENT OR GUARDIAN REQUESTS SUCH CHILD BE PROVIDED WITH ONE. TENANTS MAY ALSO RECEIVE UP TO FOUR ADDITIONAL KEYS, KEY FOBS, DIGITAL KEY OR KEY CARDS AT NO COST TO THE TENANT FOR EMPLOYEES OR GUESTS. THE TERM "GUESTS" SHALL INCLUDE FAMILY MEMBERS AND FRIENDS WHO CAN REASONABLY BE EXPECTED TO VISIT ON A REGULAR BASIS OR VISIT AS NEEDED TO CARE FOR THE TENANT OR THE APARTMENT IF THE TENANT IS AWAY.
EMPLOYEES, INCLUDING CONTRACTORS, PROFESSIONAL CAREGIVERS OR OTHER SERVICES PROVIDERS, MAY HAVE AN EXPIRATION DATE PLACED ON THEIR KEY, KEY CARD, DIGITAL KEY OR KEY FOB, WHICH MAY BE EXTENDED UPON THE TENANT'S OR OCCUPANT'S REQUEST. TENANTS MAY REQUEST A NEW OR REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR KEY CARD AT ANY TIME THROUGHOUT THE COURSE OF THE TENANCY. THE LANDLORD OR HIS OR HER AGENT SHALL PROVIDE THE FIRST REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR KEY CARD TO THE TENANT FREE OF CHARGE. THE COST OF SECOND AND SUBSEQUENT REPLACEMENT CARDS SHALL NOT BE MORE THAN WHAT THE LANDLORD PAID FOR THE REPLACEMENT UP TO AND NOT EXCEEDING TWENTY-FIVE DOLLARS.

E. THE LANDLORD SHALL NOT SET LIMITS ON THE NUMBER OF KEYS, KEY FOBS, DIGITAL KEYS OR KEY CARDS A LAWFUL TENANT OR OCCUPANT MAY REQUEST.

F. ANY DOOR THAT HAS AN ELECTRONIC OR COMPUTERIZED ENTRY SYSTEM SHALL HAVE BACKUP POWER OR AN ALTERNATIVE MEANS OF ENTRY TO ENSURE THAT THE ENTRY SYSTEM CONTINUES TO OPERATE DURING A POWER OUTAGE. A LANDLORD, OR HIS OR HER AGENT, SHALL ROUTINELY INSPECT THE BACKUP POWER AND SHALL REPLACE ACCORDING TO SYSTEM SPECIFICATIONS. OWNERS OR THEIR AGENTS SHALL PROVIDE LAWFUL TENANTS AND OCCUPANTS WITH INFORMATION ABOUT WHOM TO CONTACT IN THE EVENT THAT THE TENANT, OCCUPANT OR THE TENANT'S OR OCCUPANT'S CHILDREN, GUESTS OR EMPLOYEES BECOME LOCKED OUT.

3. NOTICE. LANDLORDS OR THEIR AGENTS SHALL PROVIDE NOTICE TO A TENANT AT THE TIME THE TENANT SIGNS THE LEASE, OR WHEN THE ELECTRONIC OR COMPUTERIZED ENTRY SYSTEM IS INSTALLED, OF THE PROVISIONS OF SUBDIVISION TWO OF THIS SECTION.

4. DATA COLLECTION. A. IF AN ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM IS UTILIZED TO GAIN ENTRANCE TO A CLASS A MULTIPLE DWELLING, THE ONLY REFERENCE, AUTHENTICATION, AND ACCOUNT INFORMATION GATHERED BY ANY ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM SHALL BE LIMITED TO ACCOUNT INFORMATION USED TO GRANT A USER ENTRY OR TO ACCESS ANY ONLINE TOOLS USED TO MANAGE USER ACCOUNTS RELATED TO THE ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM, OR REFERENCE DATA, SUCH AS THE LESSEE OR TENANT'S NAME, APARTMENT NUMBER, THE PREFERRED METHOD OF CONTACT FOR SUCH LESSEE OR TENANT, OTHER DOORS OR COMMON AREAS TO WHICH THE USER HAS ACCESS, MOVE-IN AND, IF AVAILABLE MOVE-OUT DATES, AND AUTHENTICATION DATA SUCH AS TIME AND METHOD OF ACCESS FOR SECURITY PURPOSES AND A PHOTOGRAPH OF ACCESS EVENTS FOR SECURITY PURPOSES. FOR ELECTRONIC AND COMPUTERIZED ENTRY SYSTEMS THAT RELY ON THE COLLECTION OF BIOMETRIC DATA AND WHICH HAVE ALREADY BEEN INSTALLED AT THE TIME THIS SECTION SHALL HAVE BECOME A LAW, A BIOMETRIC IDENTIFIER MAY BE COLLECTED PURSUANT TO THIS SECTION IN ORDER TO REGISTER A LESSEE OR TENANT FOR AN ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM. NO NEW ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEMS THAT RELY ON THE COLLECTION OF BIOMETRIC DATA SHALL BE INSTALLED IN CLASS A MULTIPLE DWELLINGS FOR THREE YEARS AFTER THE EFFECTIVE DATE OF THIS SECTION.

(I) THE OWNER OF THE MULTIPLE DWELLING MAY COLLECT ONLY THE MINIMUM DATA REQUIRED BY THE TECHNOLOGY USED IN THE ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM TO EFFECTUATE SUCH ENTRANCE AND PROTECT THE PRIVACY AND SECURITY OF SUCH TENANTS.

(II) THE OWNER OR AGENT OF THE OWNER SHALL NOT REQUEST OR RETAIN, IN ANY FORM, THE SOCIAL SECURITY NUMBER OF ANY TENANT OR OCCUPANT AS A CONDITION OF USE OF THE ELECTRONIC OR COMPUTERIZED ENTRY SYSTEM.

(III) THE OWNER, AGENT OF THE OWNER, OR THE VENDOR OF AN ELECTRONIC OR COMPUTERIZED ENTRY SYSTEM ON BEHALF OF THE OWNER MAY RECORD EACH TIME A KEY FOB, KEY CARD, DIGITAL KEY OR PASSCODE IS USED TO ENTER THE BUILDING, BUT SHALL NOT RECORD ANY DEPARTURES.

(IV) A COPY OF SUCH DATA MAY BE RETAINED FOR REFERENCE AT THE POINT OF AUTHENTICATION BY THE ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM.
SUCH REFERENCE DATA MAY BE RETAINED ONLY FOR TENANTS OR THOSE AUTHORIZED BY THE TENANT OR OWNER OF THE MULTIPLE DWELLING.

(V) THE OWNER OF THE MULTIPLE DWELLING SHALL DESTROY OR ANONYMIZE AUTHENTICATION DATA WITHIN A REASONABLE TIME, BUT NOT LATER THAN NINETY DAYS AFTER THE DATE COLLECTED.

(VI) REFERENCE DATA FOR A TENANT OR THOSE AUTHORIZED BY A TENANT SHALL BE DESTROYED OR ANONYMIZED WITHIN NINETY DAYS OF (1) THE TENANT PERMANENTLY VACATING THE DWELLING, OR (2) A REQUEST BY THE TENANT TO WITHDRAW AUTHORIZATION FOR THOSE PREVIOUSLY AUTHORIZED BY THE TENANT.

B. (I) FOR THE PURPOSES OF THIS SECTION, "BIOMETRIC IDENTIFIER" MEANS A RETINA OR IRIS SCAN, FINGERPRINT, VOICEPRINT, OR RECORD OF HAND, FACE GEOMETRY OR OTHER SIMILAR FEATURE.

(II) AN ENTITY MAY NOT CAPTURE A BIOMETRIC IDENTIFIER OF AN INDIVIDUAL TO GAIN ENTRANCE TO A CLASS A MULTIPLE DWELLING UNLESS THE PERSON IS A TENANT OR PERSON AUTHORIZED BY THE TENANT, AND INFORMS THE INDIVIDUAL BEFORE CAPTURING THE BIOMETRIC IDENTIFIER; AND RECEIVES THEIR EXPRESS CONSENT TO CAPTURE THE BIOMETRIC IDENTIFIER.

(III) ANY ENTITY THAT POSSESSES A BIOMETRIC IDENTIFIER OF AN INDIVIDUAL THAT IS CAPTURED TO GAIN ENTRANCE TO A CLASS A MULTIPLE DWELLING:

(1) MAY NOT SELL, LEASE OR OTHERWISE DISCLOSE THE BIOMETRIC IDENTIFIER TO ANOTHER PERSON UNLESS PURSUANT TO A GRAND JURY SUBPOENA OR COURT ORDERED WARRANT, SUBPOENA, OR OTHER AUTHORIZED COURT ORDERED PROCESS.

(2) SHALL STORE, TRANSMIT AND PROTECT FROM DISCLOSURE THE BIOMETRIC IDENTIFIER USING REASONABLE CARE AND IN A MANNER THAT IS THE SAME AS OR MORE PROTECTIVE THAN THE MANNER IN WHICH THE PERSON STORES, TRANSMITS AND PROTECTS CONFIDENTIAL INFORMATION THE PERSON POSSESSES; AND

(3) SHALL DESTROY THE BIOMETRIC IDENTIFIER WITHIN A REASONABLE TIME, BUT NOT LATER THAN FORTY-EIGHT HOURS AFTER THE DATE COLLECTED, EXCEPT FOR REFERENCE DATA.
IF ANY PROHIBITED INFORMATION IS COLLECTED, SUCH AS THE LIKENESS OF A MINOR OR A NON-TENANT, THE INFORMATION SHALL BE DESTROYED IMMEDIATELY.

C. THE OWNER OF THE MULTIPLE DWELLING, OR THE MANAGING AGENT, MUST DEVELOP WRITTEN PROCEDURES WHICH DESCRIBE THE PROCESS USED TO ADD PERSONS AUTHORIZED BY THE TENANT TO ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEMS ON A TEMPORARY OR PERMANENT BASIS, SUCH AS VISITORS, CHILDREN, THEIR EMPLOYEES, AND CAREGIVERS TO SUCH BUILDING.

(I) THE PROCEDURES MUST CLEARLY ESTABLISH THE OWNER'S RETENTION SCHEDULE AND GUIDELINES FOR PERMANENTLY DESTROYING OR ANONYMIZING THE DATA COLLECTED.

(II) THE PROCEDURES CANNOT LIMIT TIME OR PLACE OF ENTRANCE BY SUCH PEOPLE AUTHORIZED BY THE TENANT EXCEPT AS REQUESTED BY THE TENANT.

5. PROHIBITIONS. A. NO FORM OF LOCATION TRACKING, INCLUDING BUT NOT LIMITED TO SATELLITE LOCATION BASED SERVICES, SHALL BE INCLUDED IN ANY EQUIPMENT, KEY, OR SOFTWARE PROVIDED TO TENANTS OR GUESTS AS PART OF AN ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM.

B. IT SHALL BE PROHIBITED TO COLLECT THROUGH AN ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM THE LIKENESS OF A MINOR OCCUPANT, INFORMATION ON THE RELATIONSHIP STATUS OF TENANTS, LESSEES AND/OR GUESTS, OR TO USE A SMART ACCESS SYSTEM TO COLLECT OR TRACK INFORMATION ABOUT THE FREQUENCY AND TIME OF USE OF SUCH SYSTEM BY A TENANT AND/OR GUESTS TO HARASS OR EVICT A TENANT OR FOR ANY OTHER PURPOSE NOT EXPRESSLY RELATED TO THE OPERATION OF THE SMART ACCESS SYSTEM.

C. INFORMATION THAT IS ACQUIRED VIA THE USE OF AN ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM SHALL NOT BE USED FOR ANY PURPOSES OTHER THAN MONITORING BUILDING ENTRANCES AND SHALL NOT BE USED AS THE BASIS OR SUPPORT FOR AN ACTION TO EVICT A LESSEE OR TENANT, OR AN ADMINISTRATIVE HEARING SEEKING A CHANGE IN REGULATORY COVERAGE FOR AN INDIVIDUAL OR UNIT.
HOWEVER, A TENANT MAY AUTHORIZE THEIR INFORMATION TO BE USED BY A THIRD PARTY, BUT SUCH A REQUEST MUST CLEARLY STATE WHO WILL HAVE ACCESS TO SUCH INFORMATION, FOR WHAT PURPOSE IT WILL BE USED, AND THE PRIVACY POLICIES WHICH WILL PROTECT THEIR INFORMATION. UNDER NO CIRCUMSTANCES MAY A LEASE OR A RENEWAL BE CONTINGENT UPON AUTHORIZING SUCH USE. ELECTRONIC AND/OR COMPUTERIZED SYSTEMS MAY USE THIRD-PARTY SERVICES TO THE EXTENT REQUIRED TO MAINTAIN AND OPERATE SYSTEM INFRASTRUCTURE, INCLUDING CLOUD-BASED HOSTING AND STORAGE. THE PROVIDER OR PROVIDERS OF THIRD-PARTY INFRASTRUCTURE SERVICES MUST MEET OR EXCEED THE PRIVACY PROTECTIONS SET FORTH IN THIS SECTION AND WILL BE SUBJECT TO THE SAME LIABILITY FOR BREACH OF ANY OF THE REQUIREMENTS OF THIS SECTION.

D. INFORMATION AND DATA COLLECTED SHALL NOT BE MADE AVAILABLE TO ANY THIRD PARTY, UNLESS AUTHORIZED AS DESCRIBED ABOVE, INCLUDING BUT NOT LIMITED TO LAW ENFORCEMENT, EXCEPT UPON A GRAND JURY SUBPOENA OR A COURT ORDERED WARRANT, SUBPOENA, OR OTHER AUTHORIZED COURT ORDERED PROCESS.

6. STORAGE OF INFORMATION. ANY INFORMATION OR DATA COLLECTED SHALL BE STORED IN A SECURE MANNER TO PREVENT UNAUTHORIZED ACCESS BY BOTH EMPLOYEES AND CONTRACTORS AND THOSE UNAFFILIATED WITH THE LANDLORD OR THEIR AGENTS, EXCEPT AS OTHERWISE PROVIDED IN THIS SECTION. FUTURE OR CONTINUING TENANCY SHALL NOT BE CONDITIONED UPON CONSENTING TO THE USE OF AN ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM.

7. SOFTWARE ISSUES. WHENEVER A COMPANY THAT PRODUCES, MAKES AVAILABLE OR INSTALLS ELECTRONIC OR COMPUTERIZED ENTRY SYSTEMS DISCOVERS A SECURITY BREACH OR CRITICAL SECURITY VULNERABILITY IN THEIR SOFTWARE, SUCH COMPANY SHALL NOTIFY CUSTOMERS OF SUCH VULNERABILITY WITHIN A REASONABLE TIME OF DISCOVERY BUT NO LATER THAN TWENTY-FOUR HOURS AFTER DISCOVERY AND SHALL MAKE SOFTWARE UPDATES AVAILABLE AND TAKE ANY OTHER ACTION AS MAY BE NECESSARY TO REPAIR THE VULNERABILITY WITHIN A REASONABLE TIME, BUT NOT LONGER THAN THIRTY DAYS AFTER DISCOVERY.
SMART ACCESS SYSTEMS AND VENDORS SHALL IMPLEMENT AND MAINTAIN REASONABLE SECURITY PROCEDURES AND PRACTICES APPROPRIATE TO THE NATURE OF THE INFORMATION COLLECTED. IN THE EVENT THAT A SECURITY BREACH OR CRITICAL SECURITY VULNERABILITY THAT PERTAINS TO THE EMBEDDED SOFTWARE OR FIRMWARE ON THE SMART ACCESS SYSTEMS IS DISCOVERED, SMART ACCESS SYSTEMS AND THEIR VENDORS SHALL:

A. BE ABLE TO CREATE UPDATES TO THE FIRMWARE TO CORRECT THE VULNERABILITIES;

B. CONTRACTUALLY COMMIT TO CUSTOMERS THAT THE SMART ACCESS SYSTEM OR VENDOR WILL CREATE UPDATES TO THE EMBEDDED SOFTWARE OR FIRMWARE TO REMEDY THE VULNERABILITIES; AND

C. MAKE SUCH SECURITY-RELATED SOFTWARE OR FIRMWARE UPDATES AVAILABLE FOR FREE TO CUSTOMERS FOR THE DURATION OF THE CONTRACT BETWEEN SMART ACCESS BUILDINGS AND SMART ACCESS SYSTEMS.

8. WAIVER OF RIGHTS; VOID. ANY AGREEMENT BY A LESSEE OR TENANT OF A DWELLING WAIVING OR MODIFYING HIS OR HER RIGHTS AS SET FORTH IN THIS SECTION SHALL BE VOID AS CONTRARY TO PUBLIC POLICY.

9. PENALTIES. (A) A PERSON WHO VIOLATES THIS SECTION IS SUBJECT TO A CIVIL PENALTY OF NOT MORE THAN FIVE THOUSAND DOLLARS FOR EACH VIOLATION. THE ATTORNEY GENERAL MAY BRING AN ACTION TO RECOVER THE CIVIL PENALTY. AN INDIVIDUAL INJURED BY A VIOLATION OF THIS SECTION MAY BRING AN ACTION TO RECOVER DAMAGES. A COURT MAY ALSO AWARD ATTORNEYS' FEES TO A PREVAILING PLAINTIFF.

(B) WHERE A LANDLORD OR HIS OR HER AGENT USES AN ELECTRONIC OR COMPUTERIZED ENTRY SYSTEM TO HARASS OR OTHERWISE DEPRIVE A TENANT OF ANY RIGHTS AVAILABLE UNDER LAW, SUCH LANDLORD OR AGENT SHALL BE SUBJECT TO A CIVIL PENALTY OF TEN THOUSAND DOLLARS FOR EACH VIOLATION.

(C) FOR PURPOSES OF THIS SUBDIVISION, EACH DAY THE VIOLATION OCCURS SHALL BE CONSIDERED A SEPARATE VIOLATION.

10. RENT REGULATED DWELLINGS.
INSTALLATION OF AN ELECTRONIC OR COMPUTERIZED ENTRY SYSTEM PURSUANT TO THIS SECTION IN A RENT REGULATED DWELLING SHALL CONSTITUTE A MODIFICATION OF SERVICES REQUIRING THE LANDLORD OF SUCH DWELLING OR HIS OR HER AGENT TO APPLY TO THE DIVISION OF HOUSING AND COMMUNITY RENEWAL FOR APPROVAL BEFORE PERFORMING SUCH INSTALLATION. SUCH INSTALLATION SHALL NOT QUALIFY AS A BASIS FOR RENT REDUCTION.

11. EXEMPTIONS. A. NOTHING HEREIN SHALL APPLY TO MULTIPLE DWELLINGS OWNED OR MANAGED BY AN ENTITY SUBJECT TO 42 U.S.C. § 1437 ET SEQ., OR ANY OF ITS SUBSIDIARIES.

B. NOTHING IN THIS SECTION SHALL LIMIT THE AUTHORITY OF THE DIVISION OF HOUSING AND COMMUNITY RENEWAL TO IMPOSE ADDITIONAL REQUIREMENTS REGARDING ELECTRONIC OR COMPUTERIZED ENTRY SYSTEMS INSTALLED IN MULTIPLE DWELLINGS FOR WHICH THE DIVISION IS REQUIRED TO APPROVE SUBSTITUTIONS OR MODIFICATIONS OF SERVICES.

§ 2. The multiple residence law is amended by adding a new section 130-a to read as follows:

§ 130-A. ELECTRONIC OR COMPUTERIZED ENTRY SYSTEMS. 1. DEFINITIONS. FOR THE PURPOSES OF THIS SECTION, THE FOLLOWING TERMS SHALL HAVE THE FOLLOWING MEANINGS:

(A) "ACCOUNT INFORMATION" MEANS INFORMATION THAT IS USED TO GRANT A USER ENTRY OR ACCESS TO ANY ONLINE TOOLS THAT ARE USED TO MANAGE USER ACCOUNTS RELATED TO AN ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM.

(B) "AUTHENTICATION DATA" MEANS DATA GENERATED OR COLLECTED AT A POINT OF AUTHENTICATION IN CONNECTION WITH GRANTING A USER ENTRY TO A CLASS A MULTIPLE DWELLING OR COMMON AREA WITH AN ELECTRONIC OR COMPUTERIZED ENTRY SYSTEM, EXCEPT THAT "AUTHENTICATION DATA" SHALL NOT INCLUDE DATA GENERATED THROUGH OR COLLECTED BY A VIDEO OR CAMERA SYSTEM THAT IS USED TO MONITOR ENTRANCES BUT NOT TO GRANT ENTRY.

(C) "CRITICAL SECURITY VULNERABILITY" MEANS A SECURITY VULNERABILITY THAT HAS A SIGNIFICANT RISK OF RESULTING IN AN UNAUTHORIZED ACCESS TO AN AREA SECURED BY AN ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM.
(D) "REFERENCE DATA" MEANS INFORMATION AGAINST WHICH AUTHENTICATION DATA IS VERIFIED AT A POINT OF AUTHENTICATION BY A SMART ACCESS SYSTEM IN ORDER TO GRANT A USER ENTRY TO A SMART ACCESS BUILDING OR COMMON AREA OF SUCH BUILDING.

(E) "SECURITY BREACH" MEANS ANY INCIDENT THAT RESULTS IN UNAUTHORIZED ACCESS OF DATA, APPLICATIONS, SERVICES, NETWORKS AND/OR DEVICES BY BYPASSING UNDERLYING SECURITY MECHANISMS. A "SECURITY BREACH" OCCURS WHEN AN INDIVIDUAL OR AN APPLICATION ILLEGITIMATELY ENTERS A PRIVATE, CONFIDENTIAL OR UNAUTHORIZED LOGICAL INFORMATION TECHNOLOGY PERIMETER.

2. ENTRY. (A) WHERE A LANDLORD INSTALLS OR PLANS TO INSTALL AN ELECTRONIC OR COMPUTERIZED ENTRY SYSTEM ON ANY ENTRANCE FROM THE STREET, PASSAGEWAY, COURT, YARD, CELLAR, OR OTHER COMMON AREA OF A CLASS A MULTIPLE DWELLING, SUCH SYSTEM SHALL NOT RELY SOLELY ON A WEB-BASED APPLICATION TO FACILITATE ENTRANCE BUT SHALL ALSO INCLUDE A KEY FOB, KEY CARD, DIGITAL KEY OR PASSCODE FOR TENANT USE.

(B) LANDLORDS MAY PROVIDE VARIOUS METHODS OF ENTRY INTO INDIVIDUAL APARTMENTS INCLUDING A MECHANICAL KEY OR AN ELECTRONIC OR COMPUTERIZED ENTRY SYSTEM OF A KEY FOB, KEY CARD OR DIGITAL KEY, PROVIDED, HOWEVER THAT SUCH ELECTRONIC OR COMPUTERIZED ENTRY SYSTEM SHALL NOT RELY SOLELY ON A WEB-BASED APPLICATION.

(C) NOTWITHSTANDING PARAGRAPH (A) OR (B) OF THIS SUBDIVISION, LANDLORDS SHALL PROVIDE A NON-ELECTRONIC MEANS OF ENTRY WHERE REQUESTED BY THE TENANT DUE TO A RELIGIOUS PREFERENCE.

(D) ALL LAWFUL TENANTS AND OCCUPANTS SHALL BE PROVIDED WITH A KEY, KEY FOB, DIGITAL KEY OR KEY CARD AT NO COST TO SUCH TENANTS. THE TERM "OCCUPANTS" SHALL INCLUDE CHILDREN UNDER THE AGE OF EIGHTEEN WHO SHALL BE ISSUED A KEY, KEY FOB, DIGITAL KEY OR KEY CARD IF A PARENT OR GUARDIAN REQUESTS SUCH CHILD BE PROVIDED WITH ONE. TENANTS MAY ALSO RECEIVE UP TO FOUR ADDITIONAL KEYS, KEY FOBS, DIGITAL KEY OR KEY CARDS AT NO COST TO THE TENANT FOR EMPLOYEES OR GUESTS.
THE TERM "GUESTS" SHALL INCLUDE FAMILY MEMBERS AND FRIENDS WHO CAN REASONABLY BE EXPECTED TO VISIT ON A REGULAR BASIS OR VISIT AS NEEDED TO CARE FOR THE TENANT OR THE APARTMENT IF THE TENANT IS AWAY. EMPLOYEES, INCLUDING CONTRACTORS, PROFESSIONAL CAREGIVERS OR OTHER SERVICES PROVIDERS, MAY HAVE AN EXPIRATION DATE PLACED ON THEIR KEY, KEY CARD, DIGITAL KEY OR KEY FOB, WHICH MAY BE EXTENDED UPON THE TENANT'S OR OCCUPANT'S REQUEST. TENANTS MAY REQUEST A NEW OR REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR KEY CARD AT ANY TIME THROUGHOUT THE COURSE OF THE TENANCY. THE LANDLORD OR HIS OR HER AGENT SHALL PROVIDE THE FIRST REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR KEY CARD TO THE TENANT FREE OF CHARGE. THE COST OF SECOND AND SUBSEQUENT REPLACEMENT CARDS SHALL NOT BE MORE THAN WHAT THE LANDLORD PAID FOR THE REPLACEMENT UP TO AND NOT EXCEEDING TWENTY-FIVE DOLLARS.

(E) THE LANDLORD SHALL NOT SET LIMITS ON THE NUMBER OF KEYS, KEY FOBS, DIGITAL KEYS OR KEY CARDS A LAWFUL TENANT OR OCCUPANT MAY REQUEST.

(F) ANY DOOR THAT HAS AN ELECTRONIC OR COMPUTERIZED ENTRY SYSTEM SHALL HAVE BACKUP POWER OR AN ALTERNATIVE MEANS OF ENTRY TO ENSURE THAT THE ENTRY SYSTEM CONTINUES TO OPERATE DURING A POWER OUTAGE. A LANDLORD, OR HIS OR HER AGENT, SHALL ROUTINELY INSPECT THE BACKUP POWER AND SHALL REPLACE ACCORDING TO SYSTEM SPECIFICATIONS. OWNERS OR THEIR AGENTS SHALL PROVIDE LAWFUL TENANTS AND OCCUPANTS WITH INFORMATION ABOUT WHOM TO CONTACT IN THE EVENT THAT THE TENANT, OCCUPANT OR THE TENANT'S OR OCCUPANT'S CHILDREN, GUESTS OR EMPLOYEES BECOME LOCKED OUT.

3. NOTICE. LANDLORDS OR THEIR AGENTS SHALL PROVIDE NOTICE TO A TENANT AT THE TIME THE TENANT SIGNS THE LEASE, OR WHEN THE ELECTRONIC OR COMPUTERIZED ENTRY SYSTEM IS INSTALLED, OF THE PROVISIONS OF SUBDIVISION TWO OF THIS SECTION.

4. DATA COLLECTION.
(A) IF AN ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM IS UTILIZED TO GAIN ENTRANCE TO A CLASS A MULTIPLE DWELLING, THE ONLY REFERENCE, AUTHENTICATION, AND ACCOUNT INFORMATION GATHERED BY ANY ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM SHALL BE LIMITED TO ACCOUNT INFORMATION USED TO GRANT A USER ENTRY OR TO ACCESS ANY ONLINE TOOLS USED TO MANAGE USER ACCOUNTS RELATED TO THE ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM, OR REFERENCE DATA, SUCH AS THE LESSEE OR TENANT'S NAME, APARTMENT NUMBER, THE PREFERRED METHOD OF CONTACT FOR SUCH LESSEE OR TENANT, OTHER DOORS OR COMMON AREAS TO WHICH THE USER HAS ACCESS, MOVE-IN AND, IF AVAILABLE MOVE-OUT DATES, AND AUTHENTICATION DATA SUCH AS TIME AND METHOD OF ACCESS FOR SECURITY PURPOSES AND A PHOTOGRAPH OF ACCESS EVENTS FOR SECURITY PURPOSES. FOR ELECTRONIC AND COMPUTERIZED ENTRY SYSTEMS THAT RELY ON THE COLLECTION OF BIOMETRIC DATA AND WHICH HAVE ALREADY BEEN INSTALLED AT THE TIME THIS SECTION SHALL HAVE BECOME A LAW, A BIOMETRIC IDENTIFIER MAY BE COLLECTED PURSUANT TO THIS SECTION IN ORDER TO REGISTER A LESSEE OR TENANT FOR AN ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM. NO NEW ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEMS THAT RELY ON THE COLLECTION OF BIOMETRIC DATA SHALL BE INSTALLED IN CLASS A MULTIPLE DWELLINGS FOR THREE YEARS AFTER THE EFFECTIVE DATE OF THIS SECTION.

(I) THE OWNER OF THE MULTIPLE DWELLING MAY COLLECT ONLY THE MINIMUM DATA REQUIRED BY THE TECHNOLOGY USED IN THE ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM TO EFFECTUATE SUCH ENTRANCE AND PROTECT THE PRIVACY AND SECURITY OF SUCH TENANTS.

(II) THE OWNER OR AGENT OF THE OWNER SHALL NOT REQUEST OR RETAIN, IN ANY FORM, THE SOCIAL SECURITY NUMBER OF ANY TENANT OR OCCUPANT AS A CONDITION OF USE OF THE ELECTRONIC OR COMPUTERIZED ENTRY SYSTEM.
(III) THE OWNER, AGENT OF THE OWNER, OR THE VENDOR OF AN ELECTRONIC OR COMPUTERIZED ENTRY SYSTEM ON BEHALF OF THE OWNER MAY RECORD EACH TIME A KEY FOB, KEY CARD, DIGITAL KEY OR PASSCODE IS USED TO ENTER THE BUILDING, BUT SHALL NOT RECORD ANY DEPARTURES.

(IV) A COPY OF SUCH DATA MAY BE RETAINED FOR REFERENCE AT THE POINT OF AUTHENTICATION BY THE ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM. SUCH REFERENCE DATA MAY BE RETAINED ONLY FOR TENANTS OR THOSE AUTHORIZED BY THE TENANT OR OWNER OF THE MULTIPLE DWELLING.

(V) THE OWNER OF THE MULTIPLE DWELLING SHALL DESTROY OR ANONYMIZE AUTHENTICATION DATA WITHIN A REASONABLE TIME, BUT NOT LATER THAN NINETY DAYS AFTER THE DATE COLLECTED.

(VI) REFERENCE DATA FOR A TENANT OR THOSE AUTHORIZED BY A TENANT SHALL BE DESTROYED OR ANONYMIZED WITHIN NINETY DAYS OF (1) THE TENANT PERMANENTLY VACATING THE DWELLING, OR (2) A REQUEST BY THE TENANT TO WITHDRAW AUTHORIZATION FOR THOSE PREVIOUSLY AUTHORIZED BY THE TENANT.

(B) (I) FOR THE PURPOSES OF THIS SECTION, "BIOMETRIC IDENTIFIER" MEANS A RETINA OR IRIS SCAN, FINGERPRINT, VOICEPRINT, OR RECORD OF HAND, FACE GEOMETRY OR OTHER SIMILAR FEATURE.

(II) AN ENTITY MAY NOT CAPTURE A BIOMETRIC IDENTIFIER OF AN INDIVIDUAL TO GAIN ENTRANCE TO A CLASS A MULTIPLE DWELLING UNLESS THE PERSON IS A TENANT OR PERSON AUTHORIZED BY THE TENANT, AND INFORMS THE INDIVIDUAL BEFORE CAPTURING THE BIOMETRIC IDENTIFIER; AND RECEIVES THEIR EXPRESS CONSENT TO CAPTURE THE BIOMETRIC IDENTIFIER.

(III) ANY ENTITY THAT POSSESSES A BIOMETRIC IDENTIFIER OF AN INDIVIDUAL THAT IS CAPTURED TO GAIN ENTRANCE TO A CLASS A MULTIPLE DWELLING:

(1) MAY NOT SELL, LEASE OR OTHERWISE DISCLOSE THE BIOMETRIC IDENTIFIER TO ANOTHER PERSON UNLESS PURSUANT TO A GRAND JURY SUBPOENA OR COURT ORDERED WARRANT, SUBPOENA, OR OTHER AUTHORIZED COURT ORDERED PROCESS.
(2) SHALL STORE, TRANSMIT AND PROTECT FROM DISCLOSURE THE BIOMETRIC IDENTIFIER USING REASONABLE CARE AND IN A MANNER THAT IS THE SAME AS OR MORE PROTECTIVE THAN THE MANNER IN WHICH THE PERSON STORES, TRANSMITS AND PROTECTS CONFIDENTIAL INFORMATION THE PERSON POSSESSES; AND

(3) SHALL DESTROY THE BIOMETRIC IDENTIFIER WITHIN A REASONABLE TIME, BUT NOT LATER THAN FORTY-EIGHT HOURS AFTER THE DATE COLLECTED, EXCEPT FOR REFERENCE DATA. IF ANY PROHIBITED INFORMATION IS COLLECTED, SUCH AS THE LIKENESS OF A MINOR OR A NON-TENANT, THE INFORMATION SHALL BE DESTROYED IMMEDIATELY.

(C) THE OWNER OF THE MULTIPLE DWELLING, OR THE MANAGING AGENT, MUST DEVELOP WRITTEN PROCEDURES WHICH DESCRIBE THE PROCESS USED TO ADD PERSONS AUTHORIZED BY THE TENANT TO ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEMS ON A TEMPORARY OR PERMANENT BASIS, SUCH AS VISITORS, CHILDREN, THEIR EMPLOYEES, AND CAREGIVERS TO SUCH BUILDING.

(I) THE PROCEDURES MUST CLEARLY ESTABLISH THE OWNER'S RETENTION SCHEDULE AND GUIDELINES FOR PERMANENTLY DESTROYING OR ANONYMIZING THE DATA COLLECTED.

(II) THE PROCEDURES CANNOT LIMIT TIME OR PLACE OF ENTRANCE BY SUCH PEOPLE AUTHORIZED BY THE TENANT EXCEPT AS REQUESTED BY THE TENANT.

5. PROHIBITIONS. (A) NO FORM OF LOCATION TRACKING, INCLUDING BUT NOT LIMITED TO SATELLITE LOCATION BASED SERVICES, SHALL BE INCLUDED IN ANY EQUIPMENT, KEY, OR SOFTWARE PROVIDED TO TENANTS OR GUESTS AS PART OF AN ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM.

(B) IT SHALL BE PROHIBITED TO COLLECT THROUGH AN ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM THE LIKENESS OF A MINOR OCCUPANT, INFORMATION ON THE RELATIONSHIP STATUS OF TENANTS, LESSEES AND/OR GUESTS, OR TO USE A SMART ACCESS SYSTEM TO COLLECT OR TRACK INFORMATION ABOUT THE FREQUENCY AND TIME OF USE OF SUCH SYSTEM BY A TENANT AND/OR GUESTS TO HARASS OR EVICT A TENANT OR FOR ANY OTHER PURPOSE NOT EXPRESSLY RELATED TO THE OPERATION OF THE SMART ACCESS SYSTEM.
(C) INFORMATION THAT IS ACQUIRED VIA THE USE OF AN ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM SHALL NOT BE USED FOR ANY PURPOSES OTHER THAN MONITORING BUILDING ENTRANCES AND SHALL NOT BE USED AS THE BASIS OR SUPPORT FOR AN ACTION TO EVICT A LESSEE OR TENANT, OR AN ADMINISTRATIVE HEARING SEEKING A CHANGE IN REGULATORY COVERAGE FOR AN INDIVIDUAL OR UNIT. HOWEVER, A TENANT MAY AUTHORIZE THEIR INFORMATION TO BE USED BY A THIRD PARTY, BUT SUCH A REQUEST MUST CLEARLY STATE WHO WILL HAVE ACCESS TO SUCH INFORMATION, FOR WHAT PURPOSE IT WILL BE USED, AND THE PRIVACY POLICIES WHICH WILL PROTECT THEIR INFORMATION. UNDER NO CIRCUMSTANCES MAY A LEASE OR A RENEWAL BE CONTINGENT UPON AUTHORIZING SUCH USE. ELECTRONIC AND/OR COMPUTERIZED SYSTEMS MAY USE THIRD-PARTY SERVICES TO THE EXTENT REQUIRED TO MAINTAIN AND OPERATE SYSTEM INFRASTRUCTURE, INCLUDING CLOUD-BASED HOSTING AND STORAGE. THE PROVIDER OR PROVIDERS OF THIRD-PARTY INFRASTRUCTURE SERVICES MUST MEET OR EXCEED THE PRIVACY PROTECTIONS SET FORTH IN THIS SECTION AND WILL BE SUBJECT TO THE SAME LIABILITY FOR BREACH OF ANY OF THE REQUIREMENTS OF THIS SECTION.

(D) INFORMATION AND DATA COLLECTED SHALL NOT BE MADE AVAILABLE TO ANY THIRD PARTY, UNLESS AUTHORIZED AS DESCRIBED ABOVE, INCLUDING BUT NOT LIMITED TO LAW ENFORCEMENT, EXCEPT UPON A GRAND JURY SUBPOENA OR A COURT ORDERED WARRANT, SUBPOENA, OR OTHER AUTHORIZED COURT ORDERED PROCESS.

6. STORAGE OF INFORMATION. ANY INFORMATION OR DATA COLLECTED SHALL BE STORED IN A SECURE MANNER TO PREVENT UNAUTHORIZED ACCESS BY BOTH EMPLOYEES AND CONTRACTORS AND THOSE UNAFFILIATED WITH THE LANDLORD OR THEIR AGENTS, EXCEPT AS OTHERWISE PROVIDED IN THIS SECTION. FUTURE OR CONTINUING TENANCY SHALL NOT BE CONDITIONED UPON CONSENTING TO THE USE OF AN ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM.

7. SOFTWARE ISSUES.
WHENEVER A COMPANY THAT PRODUCES, MAKES AVAILABLE OR INSTALLS ELECTRONIC OR COMPUTERIZED ENTRY SYSTEMS DISCOVERS A SECURITY BREACH OR CRITICAL SECURITY VULNERABILITY IN THEIR SOFTWARE, SUCH COMPANY SHALL NOTIFY CUSTOMERS OF SUCH VULNERABILITY WITHIN A REASONABLE TIME OF DISCOVERY BUT NO LATER THAN TWENTY-FOUR HOURS AFTER DISCOVERY AND SHALL MAKE SOFTWARE UPDATES AVAILABLE AND TAKE ANY OTHER ACTION AS MAY BE NECESSARY TO REPAIR THE VULNERABILITY WITHIN A REASONABLE TIME, BUT NOT LONGER THAN THIRTY DAYS AFTER DISCOVERY. SMART ACCESS SYSTEMS AND VENDORS SHALL IMPLEMENT AND MAINTAIN REASONABLE SECURITY PROCEDURES AND PRACTICES APPROPRIATE TO THE NATURE OF THE INFORMATION COLLECTED. IN THE EVENT THAT A SECURITY BREACH OR CRITICAL SECURITY VULNERABILITY THAT PERTAINS TO THE EMBEDDED SOFTWARE OR FIRMWARE ON THE SMART ACCESS SYSTEMS IS DISCOVERED, SMART ACCESS SYSTEMS AND THEIR VENDORS SHALL:

(A) BE ABLE TO CREATE UPDATES TO THE FIRMWARE TO CORRECT THE VULNERABILITIES;

(B) CONTRACTUALLY COMMIT TO CUSTOMERS THAT THE SMART ACCESS SYSTEM OR VENDOR WILL CREATE UPDATES TO THE EMBEDDED SOFTWARE OR FIRMWARE TO REMEDY THE VULNERABILITIES; AND

(C) MAKE SUCH SECURITY-RELATED SOFTWARE OR FIRMWARE UPDATES AVAILABLE FOR FREE TO CUSTOMERS FOR THE DURATION OF THE CONTRACT BETWEEN SMART ACCESS BUILDINGS AND SMART ACCESS SYSTEMS.

8. WAIVER OF RIGHTS; VOID. ANY AGREEMENT BY A LESSEE OR TENANT OF A DWELLING WAIVING OR MODIFYING HIS OR HER RIGHTS AS SET FORTH IN THIS SECTION SHALL BE VOID AS CONTRARY TO PUBLIC POLICY.

9. PENALTIES. (A) A PERSON WHO VIOLATES THIS SECTION IS SUBJECT TO A CIVIL PENALTY OF NOT MORE THAN FIVE THOUSAND DOLLARS FOR EACH VIOLATION. THE ATTORNEY GENERAL MAY BRING AN ACTION TO RECOVER THE CIVIL PENALTY. AN INDIVIDUAL INJURED BY A VIOLATION OF THIS SECTION MAY BRING AN ACTION TO RECOVER DAMAGES. A COURT MAY ALSO AWARD ATTORNEYS' FEES TO A PREVAILING PLAINTIFF.
(B) WHERE A LANDLORD OR HIS OR HER AGENT USES AN ELECTRONIC OR COMPUTERIZED ENTRY SYSTEM TO HARASS OR OTHERWISE DEPRIVE A TENANT OF ANY RIGHTS AVAILABLE UNDER LAW, SUCH LANDLORD OR AGENT SHALL BE SUBJECT TO A CIVIL PENALTY OF TEN THOUSAND DOLLARS FOR EACH VIOLATION.

(C) FOR PURPOSES OF THIS SUBDIVISION, EACH DAY THE VIOLATION OCCURS SHALL BE CONSIDERED A SEPARATE VIOLATION.

10. RENT REGULATED DWELLINGS. INSTALLATION OF AN ELECTRONIC OR COMPUTERIZED ENTRY SYSTEM PURSUANT TO THIS SECTION IN A RENT REGULATED DWELLING SHALL CONSTITUTE A MODIFICATION OF SERVICES REQUIRING THE LANDLORD OF SUCH DWELLING OR HIS OR HER AGENT TO APPLY TO THE DIVISION OF HOUSING AND COMMUNITY RENEWAL FOR APPROVAL BEFORE PERFORMING SUCH INSTALLATION. SUCH INSTALLATION SHALL NOT QUALIFY AS A BASIS FOR RENT REDUCTION.

11. EXEMPTIONS. (A) NOTHING HEREIN SHALL APPLY TO MULTIPLE DWELLINGS OWNED OR MANAGED BY AN ENTITY SUBJECT TO 42 U.S.C. § 1437 ET SEQ., OR ANY OF ITS SUBSIDIARIES.

(B) NOTHING IN THIS SECTION SHALL LIMIT THE AUTHORITY OF THE DIVISION OF HOUSING AND COMMUNITY RENEWAL TO IMPOSE ADDITIONAL REQUIREMENTS REGARDING ELECTRONIC OR COMPUTERIZED ENTRY SYSTEMS INSTALLED IN MULTIPLE DWELLINGS FOR WHICH THE DIVISION IS REQUIRED TO APPROVE SUBSTITUTIONS OR MODIFICATIONS OF SERVICES.

§ 3. Severability. If any provision of this act, or any application of any provision of this act, is held to be invalid, that shall not affect the validity or effectiveness of any other provision of this act, or of any other application of any provision of this act, which can be given effect without that provision or application; and to that end, the provisions and applications of this act are severable.

§ 4. This act shall take effect on the one hundred eightieth day after it shall have become a law.
co-Sponsors
Jeffrey Dinowitz
Deborah Glick
Jo Anne Simon
Harvey Epstein
Karen McMahon
William Colton
David Weprin
2023-A48A - Details
2023-A48A - Bill Text
STATE OF NEW YORK 48--A 2023-2024 Regular Sessions IN ASSEMBLY (PREFILED) January 4, 2023 Introduced by M. of A. L. ROSENTHAL, DINOWITZ, GLICK, SIMON, EPSTEIN, McMAHON, COLTON, WEPRIN -- read once and referred to the Committee on Housing -- committee discharged, bill amended, ordered reprinted as amended and recommitted to said committee AN ACT to amend the multiple dwelling law and the multiple residence law, in relation to the use of smart access systems and the information that may be gathered from such systems THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEMBLY, DO ENACT AS FOLLOWS: Section 1. The multiple dwelling law is amended by adding a new section 50-b to read as follows: § 50-B. ELECTRONIC OR COMPUTERIZED ENTRY SYSTEMS. 1. DEFINITIONS. FOR THE PURPOSES OF THIS SECTION, THE FOLLOWING TERMS SHALL HAVE THE FOLLOWING MEANINGS: A. "ACCOUNT INFORMATION" MEANS INFORMATION THAT IS USED TO GRANT A USER ENTRY OR ACCESS TO ANY ONLINE TOOLS THAT ARE USED TO MANAGE USER ACCOUNTS RELATED TO A SMART ACCESS SYSTEM. B. "AUTHENTICATION DATA" MEANS DATA GENERATED OR COLLECTED AT THE POINT OF AUTHENTICATION IN CONNECTION WITH GRANTING A USER ENTRY TO A CLASS A MULTIPLE DWELLING, DWELLING UNIT OF SUCH BUILDING, OR COMMON AREA OF SUCH BUILDING THROUGH A SMART ACCESS SYSTEM, EXCEPT THAT IT SHALL NOT INCLUDE DATA GENERATED THROUGH OR COLLECTED BY A VIDEO OR CAMERA SYSTEM THAT IS USED TO MONITOR ENTRANCES BUT NOT TO GRANT ENTRY. C. "BIOMETRIC IDENTIFIER INFORMATION" MEANS A PHYSIOLOGICAL, BIOLOGICAL OR BEHAVIORAL CHARACTERISTIC THAT IS USED TO IDENTIFY, OR ASSIST IN IDENTIFYING, AN INDIVIDUAL, INCLUDING, BUT NOT LIMITED TO: (I) A RETINA OR IRIS SCAN, (II) A FINGERPRINT, (III) A VOICEPRINT, (IV) A SCAN OR RECORD OF A PALM, HAND, OR FACE GEOMETRY, (V) GAIT OR MOVEMENT PATTERNS, OR (VI) ANY OTHER SIMILAR IDENTIFYING CHARACTERISTIC THAT CAN BE USED ALONE OR IN COMBINATION WITH EACH OTHER, OR WITH OTHER INFORMATION, TO ESTABLISH INDIVIDUAL IDENTITY.
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets [ ] is old law to be omitted. LBD00692-04-3
D. "CRITICAL SECURITY VULNERABILITY" MEANS A SECURITY VULNERABILITY THAT HAS A SIGNIFICANT RISK OF RESULTING IN AN UNAUTHORIZED ACCESS TO AN AREA SECURED BY A SMART ACCESS SYSTEM. E. "REFERENCE DATA" MEANS INFORMATION AGAINST WHICH AUTHENTICATION DATA IS VERIFIED AT THE POINT OF AUTHENTICATION BY A SMART ACCESS SYSTEM IN ORDER TO GRANT A USER ENTRY TO A CLASS A MULTIPLE DWELLING, DWELLING UNIT OF SUCH BUILDING, OR COMMON AREA OF SUCH BUILDING. F. "SECURITY BREACH" MEANS ANY INCIDENT THAT RESULTS IN UNAUTHORIZED ACCESS OF DATA, APPLICATIONS, SERVICES, NETWORKS OR DEVICES BY BYPASSING UNDERLYING SECURITY MECHANISMS. A "SECURITY BREACH" OCCURS WHEN AN INDIVIDUAL OR AN APPLICATION ILLEGITIMATELY ENTERS A PRIVATE, CONFIDENTIAL OR UNAUTHORIZED LOGICAL INFORMATION TECHNOLOGY PERIMETER. G. "SMART ACCESS SYSTEM" MEANS ANY SYSTEM THAT USES ELECTRONIC OR COMPUTERIZED TECHNOLOGY, A RADIO FREQUENCY IDENTIFICATION CARD, A MOBILE PHONE APPLICATION, BIOMETRIC IDENTIFIER INFORMATION, OR ANY OTHER DIGITAL TECHNOLOGY IN ORDER TO GRANT ACCESS TO A CLASS A MULTIPLE DWELLING, COMMON AREAS IN SUCH MULTIPLE DWELLING, OR TO AN INDIVIDUAL DWELLING UNIT IN SUCH MULTIPLE DWELLING. H. "THIRD PARTY" MEANS AN ENTITY THAT INSTALLS, OPERATES OR OTHERWISE DIRECTLY SUPPORTS A SMART ACCESS SYSTEM, AND HAS ONGOING ACCESS TO USER DATA, EXCLUDING ANY ENTITY THAT SOLELY HOSTS SUCH DATA. I. "USER" MEANS A TENANT OR LAWFUL OCCUPANT OF A CLASS A MULTIPLE DWELLING, AND ANY PERSON A TENANT OR LAWFUL OCCUPANT HAS REQUESTED, IN WRITING OR THROUGH A MOBILE APPLICATION, BE GRANTED ACCESS TO SUCH TENANT OR LAWFUL OCCUPANT'S DWELLING UNIT AND SUCH BUILDING'S SMART ACCESS SYSTEM. 2. ENTRY. A. 
WHERE AN OWNER INSTALLS OR PLANS TO INSTALL A SMART ACCESS SYSTEM ON ANY ENTRANCE FROM THE STREET, PASSAGEWAY, COURT, YARD, CELLAR, OR OTHER COMMON AREA OF A CLASS A MULTIPLE DWELLING, SUCH SYSTEM SHALL NOT RELY SOLELY ON A WEB-BASED APPLICATION TO FACILITATE ENTRANCE BUT SHALL ALSO INCLUDE A KEY FOB, KEY CARD, DIGITAL KEY OR PASSCODE FOR TENANT USE. B. OWNERS MAY PROVIDE VARIOUS METHODS OF ENTRY INTO INDIVIDUAL APARTMENTS INCLUDING A MECHANICAL KEY OR A SMART ACCESS SYSTEM OF A KEY FOB, KEY CARD OR DIGITAL KEY, PROVIDED, HOWEVER THAT SUCH SMART ACCESS SYSTEM SHALL NOT RELY SOLELY ON A WEB-BASED APPLICATION. C. NOTWITHSTANDING PARAGRAPH A OR B OF THIS SUBDIVISION, OWNERS SHALL PROVIDE A NON-ELECTRONIC MEANS OF ENTRY WHERE REQUESTED BY THE TENANT OR LAWFUL OCCUPANT DUE TO A RELIGIOUS PREFERENCE. D. ALL LAWFUL TENANTS AND LAWFUL OCCUPANTS SHALL BE PROVIDED WITH A KEY, KEY FOB, DIGITAL KEY OR KEY CARD AT NO COST TO SUCH TENANTS AND LAWFUL OCCUPANTS. THE TERM "LAWFUL OCCUPANTS" SHALL INCLUDE CHILDREN UNDER THE AGE OF EIGHTEEN WHO SHALL BE ISSUED A KEY, KEY FOB, DIGITAL KEY OR KEY CARD IF A PARENT OR GUARDIAN REQUESTS SUCH CHILD BE PROVIDED WITH ONE. TENANTS AND LAWFUL OCCUPANTS MAY ALSO RECEIVE UP TO FOUR ADDITIONAL KEYS, KEY FOBS, DIGITAL KEYS OR KEY CARDS AT NO COST TO THE TENANT OR LAWFUL OCCUPANT FOR EMPLOYEES OR GUESTS. THE TERM "GUESTS" SHALL INCLUDE FAMILY MEMBERS AND FRIENDS WHO CAN REASONABLY BE EXPECTED TO VISIT ON A REGULAR BASIS OR VISIT AS NEEDED TO CARE FOR THE TENANT, LAWFUL OCCUPANT, OR THE DWELLING UNIT IF THE TENANT OR LAWFUL OCCUPANT IS AWAY. EMPLOYEES, INCLUDING CONTRACTORS, PROFESSIONAL CAREGIVERS OR OTHER SERVICES PROVIDERS, MAY HAVE AN EXPIRATION DATE PLACED ON THEIR KEY, KEY CARD, DIGITAL KEY OR KEY FOB, WHICH MAY BE EXTENDED UPON THE TENANT'S OR LAWFUL OCCUPANT'S REQUEST. TENANTS OR LAWFUL OCCUPANTS MAY REQUEST A NEW OR REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR KEY CARD AT ANY TIME THROUGHOUT THE COURSE OF THE TENANCY OR OCCUPANCY. THE OWNER OR THEIR AGENT SHALL PROVIDE THE FIRST REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR KEY CARD TO THE TENANT OR LAWFUL OCCUPANT FREE OF CHARGE. THE COST OF SECOND AND SUBSEQUENT REPLACEMENT CARDS SHALL NOT BE MORE THAN WHAT THE OWNER PAID FOR THE REPLACEMENT UP TO AND NOT EXCEEDING TWENTY-FIVE DOLLARS. E. THE OWNER SHALL NOT SET LIMITS ON THE NUMBER OF KEYS, KEY FOBS, DIGITAL KEYS OR KEY CARDS A TENANT OR LAWFUL OCCUPANT MAY REQUEST. F. ANY DOOR THAT HAS A SMART ACCESS SYSTEM SHALL HAVE BACKUP POWER OR AN ALTERNATIVE MEANS OF ENTRY TO ENSURE THAT THE ENTRY SYSTEM CONTINUES TO OPERATE DURING A POWER OUTAGE. AN OWNER, OR THEIR AGENT, SHALL ROUTINELY INSPECT THE BACKUP POWER AND SHALL REPLACE ACCORDING TO SYSTEM SPECIFICATIONS. OWNERS OR THEIR AGENTS SHALL PROVIDE TENANTS AND LAWFUL OCCUPANTS WITH INFORMATION ABOUT WHOM TO CONTACT IN THE EVENT THAT THE TENANT, LAWFUL OCCUPANT OR THE TENANT'S OR LAWFUL OCCUPANT'S CHILDREN, GUESTS OR EMPLOYEES BECOME LOCKED OUT. 3. NOTICE. OWNERS OR THEIR AGENTS SHALL PROVIDE NOTICE TO A TENANT OR LAWFUL OCCUPANT AT THE TIME THE TENANT OR LAWFUL OCCUPANT SIGNS THE LEASE, OR WHEN THE SMART ACCESS SYSTEM IS INSTALLED, OF THE PROVISIONS OF SUBDIVISION TWO OF THIS SECTION. 4. DATA COLLECTION. A. 
IF A SMART ACCESS SYSTEM IS UTILIZED TO GAIN ENTRANCE TO A CLASS A MULTIPLE DWELLING, THE ONLY REFERENCE, AUTHENTICATION, AND ACCOUNT INFORMATION GATHERED BY ANY SMART ACCESS SYSTEM SHALL BE LIMITED TO ACCOUNT INFORMATION NECESSARY TO ENABLE THE USE OF SUCH SMART ACCESS SYSTEM, OR REFERENCE DATA, INCLUDING THE USER'S NAME, DWELLING UNIT NUMBER AND OTHER DOORS OR COMMON AREAS TO WHICH THE USER HAS ACCESS, THE PREFERRED METHOD OF CONTACT FOR SUCH USER, INFORMATION USED TO GRANT A USER ENTRY OR TO ACCESS ANY ONLINE TOOLS USED TO MANAGE USER ACCOUNTS RELATED TO SUCH BUILDING, LEASE INFORMATION INCLUDING MOVE-IN AND, IF AVAILABLE MOVE-OUT DATES, AND AUTHENTICATION DATA SUCH AS TIME AND METHOD OF ACCESS FOR SECURITY PURPOSES AND A PHOTOGRAPH OF ACCESS EVENTS FOR SECURITY PURPOSES. FOR SMART ACCESS SYSTEMS THAT RELY ON THE COLLECTION OF BIOMETRIC DATA AND WHICH HAVE ALREADY BEEN INSTALLED AT THE TIME THIS SECTION SHALL HAVE BECOME A LAW, BIOMETRIC IDENTIFIER INFORMATION MAY BE COLLECTED PURSUANT TO THIS SECTION IN ORDER TO REGISTER A USER FOR A SMART ACCESS SYSTEM. NO NEW SMART ACCESS SYSTEMS THAT RELY ON THE COLLECTION OF BIOMETRIC DATA SHALL BE INSTALLED IN CLASS A MULTIPLE DWELLINGS FOR THREE YEARS AFTER THE EFFECTIVE DATE OF THIS SECTION. (I) THE OWNER OF THE MULTIPLE DWELLING MAY COLLECT ONLY THE MINIMUM DATA REQUIRED BY THE TECHNOLOGY USED IN THE SMART ACCESS SYSTEM TO EFFECTUATE SUCH ENTRANCE AND PROTECT THE PRIVACY AND SECURITY OF SUCH USERS. (II) THE OWNER OR AGENT OF THE OWNER SHALL NOT REQUEST OR RETAIN, IN ANY FORM, THE SOCIAL SECURITY NUMBER OF ANY TENANT OR LAWFUL OCCUPANT AS A CONDITION OF USE OF THE SMART ACCESS SYSTEM. (III) THE OWNER, AGENT OF THE OWNER, OR THE VENDOR OF A SMART ACCESS SYSTEM ON BEHALF OF THE OWNER MAY RECORD EACH TIME A KEY FOB, KEY CARD, DIGITAL KEY OR PASSCODE IS USED TO ENTER THE BUILDING, BUT SHALL NOT RECORD ANY DEPARTURES. 
(IV) A COPY OF SUCH DATA MAY BE RETAINED FOR REFERENCE AT THE POINT OF AUTHENTICATION BY THE SMART ACCESS SYSTEM. SUCH REFERENCE DATA SHALL BE RETAINED ONLY FOR TENANTS OR LAWFUL OCCUPANTS OR THOSE AUTHORIZED BY THE TENANT, LAWFUL OCCUPANT, OR OWNER OF THE MULTIPLE DWELLING. (V) THE OWNER OF THE MULTIPLE DWELLING OR ANY THIRD PARTY SHALL DESTROY OR ANONYMIZE AUTHENTICATION DATA COLLECTED FROM OR GENERATED BY SUCH SMART ACCESS SYSTEM WITHIN A REASONABLE TIME, BUT NOT LATER THAN NINETY DAYS AFTER THE DATE COLLECTED. (VI) REFERENCE DATA FOR A USER SHALL BE DESTROYED OR ANONYMIZED WITHIN NINETY DAYS OF (1) THE TENANT OR LAWFUL OCCUPANT PERMANENTLY VACATING THE DWELLING, OR (2) A REQUEST BY THE TENANT OR LAWFUL OCCUPANT TO WITHDRAW AUTHORIZATION FOR THOSE PREVIOUSLY AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT. B. (I) AN ENTITY SHALL NOT CAPTURE BIOMETRIC IDENTIFIER INFORMATION OF AN INDIVIDUAL TO GAIN ENTRANCE TO A CLASS A MULTIPLE DWELLING UNLESS THE PERSON IS A TENANT OR LAWFUL OCCUPANT OR A PERSON AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT, AND INFORMS THE INDIVIDUAL BEFORE CAPTURING THE BIOMETRIC IDENTIFIER INFORMATION; AND RECEIVES THEIR EXPRESS CONSENT TO CAPTURE THE BIOMETRIC IDENTIFIER INFORMATION. (II) ANY ENTITY THAT POSSESSES BIOMETRIC IDENTIFIER INFORMATION OF AN INDIVIDUAL THAT IS CAPTURED TO GAIN ENTRANCE TO A CLASS A MULTIPLE DWELLING: (1) SHALL NOT SELL, LEASE OR OTHERWISE DISCLOSE THE BIOMETRIC IDENTIFIER INFORMATION TO ANOTHER PERSON UNLESS PURSUANT TO ANY LAW, GRAND JURY SUBPOENA OR COURT ORDERED WARRANT, SUBPOENA, OR OTHER AUTHORIZED COURT ORDERED PROCESS. 
(2) SHALL STORE, TRANSMIT AND PROTECT FROM DISCLOSURE THE BIOMETRIC IDENTIFIER INFORMATION USING REASONABLE CARE AND IN A MANNER THAT IS THE SAME AS OR MORE PROTECTIVE THAN THE MANNER IN WHICH THE PERSON STORES, TRANSMITS AND PROTECTS CONFIDENTIAL INFORMATION THE PERSON POSSESSES; AND (3) SHALL DESTROY THE BIOMETRIC IDENTIFIER INFORMATION WITHIN A REASONABLE TIME, BUT NOT LATER THAN FORTY-EIGHT HOURS AFTER THE DATE COLLECTED, EXCEPT FOR REFERENCE DATA. IF ANY PROHIBITED INFORMATION IS COLLECTED, SUCH AS THE LIKENESS OF A MINOR OR A NON-TENANT, THE INFORMATION SHALL BE DESTROYED IMMEDIATELY. C. THE OWNER OF THE MULTIPLE DWELLING, OR THE MANAGING AGENT, SHALL DEVELOP AND PROVIDE TO TENANTS AND LAWFUL OCCUPANTS WRITTEN PROCEDURES WHICH DESCRIBE THE PROCESS USED TO ADD PERSONS AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT TO THE SMART ACCESS SYSTEM ON A TEMPORARY OR PERMANENT BASIS, SUCH AS VISITORS, CHILDREN, THEIR EMPLOYEES, AND CAREGIVERS TO SUCH BUILDING. (I) THE PROCEDURES SHALL CLEARLY ESTABLISH THE OWNER'S RETENTION SCHEDULE AND GUIDELINES FOR PERMANENTLY DESTROYING OR ANONYMIZING THE DATA COLLECTED. (II) THE PROCEDURES SHALL NOT LIMIT TIME OR PLACE OF ENTRANCE BY SUCH PEOPLE AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT EXCEPT AS REQUESTED BY THE TENANT OR LAWFUL OCCUPANT. 5. PROHIBITIONS. A. NO FORM OF LOCATION TRACKING, INCLUDING BUT NOT LIMITED TO SATELLITE LOCATION BASED SERVICES, SHALL BE INCLUDED IN ANY EQUIPMENT, KEY, OR SOFTWARE PROVIDED TO USERS AS PART OF A SMART ACCESS SYSTEM. B. 
IT SHALL BE PROHIBITED TO COLLECT THROUGH A SMART ACCESS SYSTEM THE LIKENESS OF A MINOR OCCUPANT, INFORMATION ON THE RELATIONSHIP STATUS OF TENANTS OR LAWFUL OCCUPANTS AND THEIR GUESTS, OR TO USE A SMART ACCESS SYSTEM TO COLLECT OR TRACK INFORMATION ABOUT THE FREQUENCY AND TIME OF USE OF SUCH SYSTEM BY A TENANT OR LAWFUL OCCUPANT AND THEIR GUESTS TO HARASS OR EVICT A TENANT OR LAWFUL OCCUPANT OR FOR ANY OTHER PURPOSE NOT EXPRESSLY RELATED TO THE OPERATION OF THE SMART ACCESS SYSTEM. C. INFORMATION THAT IS ACQUIRED VIA THE USE OF A SMART ACCESS SYSTEM SHALL NOT BE USED FOR ANY PURPOSES OTHER THAN GRANTING ACCESS TO AND MONITORING BUILDING ENTRANCES AND SHALL NOT BE USED AS THE BASIS OR SUPPORT FOR AN ACTION TO EVICT A LESSEE, TENANT, OR LAWFUL OCCUPANT, OR AN ADMINISTRATIVE HEARING SEEKING A CHANGE IN REGULATORY COVERAGE FOR AN INDIVIDUAL OR UNIT. HOWEVER, A TENANT OR LAWFUL OCCUPANT MAY AUTHORIZE THEIR INFORMATION TO BE USED BY A THIRD PARTY, BUT SUCH A REQUEST SHALL CLEARLY STATE WHO WILL HAVE ACCESS TO SUCH INFORMATION, FOR WHAT PURPOSE IT WILL BE USED, AND THE PRIVACY POLICIES WHICH WILL PROTECT THEIR INFORMATION. UNDER NO CIRCUMSTANCES SHALL A LEASE OR A RENEWAL BE CONTINGENT UPON AUTHORIZING SUCH USE. SMART ACCESS SYSTEMS MAY USE THIRD-PARTY SERVICES TO THE EXTENT REQUIRED TO MAINTAIN AND OPERATE SYSTEM INFRASTRUCTURE, INCLUDING CLOUD-BASED HOSTING AND STORAGE. THE PROVIDER OR PROVIDERS OF THIRD-PARTY INFRASTRUCTURE SERVICES SHALL MEET OR EXCEED THE PRIVACY PROTECTIONS SET FORTH IN THIS SECTION AND SHALL BE SUBJECT TO THE SAME LIABILITY FOR BREACH OF ANY OF THE REQUIREMENTS OF THIS SECTION. D. INFORMATION AND DATA COLLECTED SHALL NOT BE MADE AVAILABLE TO ANY THIRD PARTY, UNLESS AUTHORIZED AS DESCRIBED IN PARAGRAPH C OF THIS SUBDIVISION, INCLUDING BUT NOT LIMITED TO LAW ENFORCEMENT, EXCEPT UPON A GRAND JURY SUBPOENA OR A COURT ORDERED WARRANT, SUBPOENA, OR OTHER AUTHORIZED COURT ORDERED PROCESS. 6. STORAGE OF INFORMATION. 
ANY INFORMATION OR DATA COLLECTED SHALL BE STORED IN A SECURE MANNER TO PREVENT UNAUTHORIZED ACCESS BY BOTH EMPLOYEES AND CONTRACTORS AND THOSE UNAFFILIATED WITH THE OWNER OR THEIR AGENTS, EXCEPT AS OTHERWISE PROVIDED IN THIS SECTION. FUTURE OR CONTINUING TENANCY SHALL NOT BE CONDITIONED UPON CONSENTING TO THE USE OF A SMART ACCESS SYSTEM. 7. SOFTWARE ISSUES. WHENEVER A COMPANY THAT PRODUCES, MAKES AVAILABLE OR INSTALLS SMART ACCESS SYSTEMS DISCOVERS A SECURITY BREACH OR CRITICAL SECURITY VULNERABILITY IN THEIR SOFTWARE, SUCH COMPANY SHALL NOTIFY CUSTOMERS OF SUCH VULNERABILITY WITHIN A REASONABLE TIME OF DISCOVERY BUT NO LATER THAN TWENTY-FOUR HOURS AFTER DISCOVERY AND SHALL MAKE SOFTWARE UPDATES AVAILABLE AND TAKE ANY OTHER ACTION AS MAY BE NECESSARY TO REPAIR THE VULNERABILITY WITHIN A REASONABLE TIME, BUT NOT LONGER THAN THIRTY DAYS AFTER DISCOVERY. SMART ACCESS SYSTEMS AND VENDORS SHALL IMPLEMENT AND MAINTAIN REASONABLE SECURITY PROCEDURES AND PRACTICES APPROPRIATE TO THE NATURE OF THE INFORMATION COLLECTED. IN THE EVENT THAT A SECURITY BREACH OR CRITICAL SECURITY VULNERABILITY THAT PERTAINS TO THE EMBEDDED SOFTWARE OR FIRMWARE ON THE SMART ACCESS SYSTEMS IS DISCOVERED, SMART ACCESS SYSTEMS AND THEIR VENDORS SHALL: A. BE ABLE TO CREATE UPDATES TO THE FIRMWARE TO CORRECT THE VULNERABILITIES; B. CONTRACTUALLY COMMIT TO CUSTOMERS THAT THE SMART ACCESS SYSTEM OR VENDOR WILL CREATE UPDATES TO THE EMBEDDED SOFTWARE OR FIRMWARE TO REMEDY THE VULNERABILITIES; AND C. MAKE SUCH SECURITY-RELATED SOFTWARE OR FIRMWARE UPDATES AVAILABLE FOR FREE TO CUSTOMERS FOR THE DURATION OF THE CONTRACT BETWEEN THE BUILDING AND SMART ACCESS SYSTEMS. 8. WAIVER OF RIGHTS; VOID. ANY AGREEMENT BY A LESSEE OR TENANT OF A DWELLING WAIVING OR MODIFYING THEIR RIGHTS AS SET FORTH IN THIS SECTION SHALL BE VOID AS CONTRARY TO PUBLIC POLICY. 9. PENALTIES. A. A PERSON WHO VIOLATES THIS SECTION SHALL BE SUBJECT TO A CIVIL PENALTY OF NOT MORE THAN FIVE THOUSAND DOLLARS FOR EACH VIOLATION. 
THE ATTORNEY GENERAL MAY BRING AN ACTION TO RECOVER THE CIVIL PENALTY. AN INDIVIDUAL INJURED BY A VIOLATION OF THIS SECTION MAY BRING AN ACTION TO RECOVER DAMAGES. A COURT MAY ALSO AWARD ATTORNEYS' FEES TO A PREVAILING PLAINTIFF. B. WHERE AN OWNER OR THEIR AGENT USES A SMART ACCESS SYSTEM TO HARASS OR OTHERWISE DEPRIVE A TENANT OR LAWFUL OCCUPANT OF ANY RIGHTS AVAILABLE UNDER LAW, SUCH OWNER OR AGENT SHALL BE SUBJECT TO A CIVIL PENALTY OF TEN THOUSAND DOLLARS FOR EACH VIOLATION. C. FOR PURPOSES OF THIS SUBDIVISION, EACH DAY THE VIOLATION OCCURS SHALL BE CONSIDERED A SEPARATE VIOLATION. 10. RENT REGULATED DWELLINGS. INSTALLATION OF A SMART ACCESS SYSTEM PURSUANT TO THIS SECTION IN A DWELLING SUBJECT TO THE EMERGENCY TENANT PROTECTION ACT OF NINETEEN HUNDRED SEVENTY-FOUR, THE EMERGENCY HOUSING RENT CONTROL LAW, THE LOCAL EMERGENCY HOUSING RENT CONTROL ACT, OR THE RENT STABILIZATION LAW OF NINETEEN HUNDRED SIXTY-NINE SHALL CONSTITUTE A MODIFICATION OF SERVICES REQUIRING THE OWNER OF SUCH DWELLING OR THEIR AGENT TO APPLY TO THE DIVISION OF HOUSING AND COMMUNITY RENEWAL FOR APPROVAL BEFORE PERFORMING SUCH INSTALLATION. SUCH INSTALLATION SHALL NOT QUALIFY AS A BASIS FOR RENT REDUCTION. 11. EXEMPTIONS. A. NOTHING HEREIN SHALL APPLY TO MULTIPLE DWELLINGS OWNED OR MANAGED BY AN ENTITY SUBJECT TO 42 U.S.C. § 1437 ET SEQ., OR ANY OF ITS SUBSIDIARIES. B. NOTHING IN THIS SECTION SHALL LIMIT THE AUTHORITY OF THE DIVISION OF HOUSING AND COMMUNITY RENEWAL TO IMPOSE ADDITIONAL REQUIREMENTS REGARDING SMART ACCESS SYSTEMS INSTALLED IN MULTIPLE DWELLINGS FOR WHICH THE DIVISION IS REQUIRED TO APPROVE SUBSTITUTIONS OR MODIFICATIONS OF SERVICES. § 2. The multiple residence law is amended by adding a new section 130-a to read as follows: § 130-A. ELECTRONIC OR COMPUTERIZED ENTRY SYSTEMS. 1. DEFINITIONS. 
FOR THE PURPOSES OF THIS SECTION, THE FOLLOWING TERMS SHALL HAVE THE FOLLOWING MEANINGS: (A) "ACCOUNT INFORMATION" MEANS INFORMATION THAT IS USED TO GRANT A USER ENTRY OR ACCESS TO ANY ONLINE TOOLS THAT ARE USED TO MANAGE USER ACCOUNTS RELATED TO A SMART ACCESS SYSTEM. (B) "AUTHENTICATION DATA" MEANS DATA GENERATED OR COLLECTED AT THE POINT OF AUTHENTICATION IN CONNECTION WITH GRANTING A USER ENTRY TO A MULTIPLE DWELLING, DWELLING UNIT OF SUCH BUILDING, OR COMMON AREA OF SUCH BUILDING THROUGH A SMART ACCESS SYSTEM, EXCEPT THAT IT SHALL NOT INCLUDE DATA GENERATED THROUGH OR COLLECTED BY A VIDEO OR CAMERA SYSTEM THAT IS USED TO MONITOR ENTRANCES BUT NOT TO GRANT ENTRY. (C) "BIOMETRIC IDENTIFIER INFORMATION" MEANS A PHYSIOLOGICAL, BIOLOGICAL OR BEHAVIORAL CHARACTERISTIC THAT IS USED TO IDENTIFY, OR ASSIST IN IDENTIFYING, AN INDIVIDUAL, INCLUDING, BUT NOT LIMITED TO: (I) A RETINA OR IRIS SCAN, (II) A FINGERPRINT, (III) A VOICEPRINT, (IV) A SCAN OR RECORD OF A PALM, HAND, OR FACE GEOMETRY, (V) GAIT OR MOVEMENT PATTERNS, OR (VI) ANY OTHER SIMILAR IDENTIFYING CHARACTERISTIC THAT CAN BE USED ALONE OR IN COMBINATION WITH EACH OTHER, OR WITH OTHER INFORMATION, TO ESTABLISH INDIVIDUAL IDENTITY. (D) "CRITICAL SECURITY VULNERABILITY" MEANS A SECURITY VULNERABILITY THAT HAS A SIGNIFICANT RISK OF RESULTING IN AN UNAUTHORIZED ACCESS TO AN AREA SECURED BY A SMART ACCESS SYSTEM. (E) "REFERENCE DATA" MEANS INFORMATION AGAINST WHICH AUTHENTICATION DATA IS VERIFIED AT A POINT OF AUTHENTICATION BY A SMART ACCESS SYSTEM IN ORDER TO GRANT A USER ENTRY TO A MULTIPLE DWELLING, DWELLING UNIT OF SUCH BUILDING, OR COMMON AREA OF SUCH BUILDING. (F) "SECURITY BREACH" MEANS ANY INCIDENT THAT RESULTS IN UNAUTHORIZED ACCESS OF DATA, APPLICATIONS, SERVICES, NETWORKS OR DEVICES BY BYPASSING UNDERLYING SECURITY MECHANISMS. 
A "SECURITY BREACH" OCCURS WHEN AN INDIVIDUAL OR AN APPLICATION ILLEGITIMATELY ENTERS A PRIVATE, CONFIDENTIAL OR UNAUTHORIZED LOGICAL INFORMATION TECHNOLOGY PERIMETER. (G) "SMART ACCESS SYSTEM" MEANS ANY SYSTEM THAT USES ELECTRONIC OR COMPUTERIZED TECHNOLOGY, A RADIO FREQUENCY IDENTIFICATION CARD, A MOBILE PHONE APPLICATION, BIOMETRIC IDENTIFIER INFORMATION, OR ANY OTHER DIGITAL TECHNOLOGY IN ORDER TO GRANT ACCESS TO A MULTIPLE DWELLING, COMMON AREAS IN SUCH MULTIPLE DWELLING, OR TO AN INDIVIDUAL DWELLING UNIT IN SUCH MULTIPLE DWELLING. (H) "THIRD PARTY" MEANS AN ENTITY THAT INSTALLS, OPERATES OR OTHERWISE DIRECTLY SUPPORTS A SMART ACCESS SYSTEM, AND HAS ONGOING ACCESS TO USER DATA, EXCLUDING ANY ENTITY THAT SOLELY HOSTS SUCH DATA. (I) "USER" MEANS A TENANT OR LAWFUL OCCUPANT OF A MULTIPLE DWELLING, AND ANY PERSON A TENANT OR LAWFUL OCCUPANT HAS REQUESTED, IN WRITING OR THROUGH A MOBILE APPLICATION, BE GRANTED ACCESS TO SUCH TENANT OR LAWFUL OCCUPANT'S DWELLING UNIT AND SUCH BUILDING'S SMART ACCESS SYSTEM. 2. ENTRY. (A) WHERE AN OWNER INSTALLS OR PLANS TO INSTALL A SMART ACCESS SYSTEM ON ANY ENTRANCE FROM THE STREET, PASSAGEWAY, COURT, YARD, CELLAR, OR OTHER COMMON AREA OF A MULTIPLE DWELLING, SUCH SYSTEM SHALL NOT RELY SOLELY ON A WEB-BASED APPLICATION TO FACILITATE ENTRANCE BUT SHALL ALSO INCLUDE A KEY FOB, KEY CARD, DIGITAL KEY OR PASSCODE FOR TENANT USE. (B) OWNERS MAY PROVIDE VARIOUS METHODS OF ENTRY INTO INDIVIDUAL APARTMENTS INCLUDING A MECHANICAL KEY OR A SMART ACCESS SYSTEM OF A KEY FOB, KEY CARD OR DIGITAL KEY, PROVIDED, HOWEVER THAT SUCH SMART ACCESS SYSTEM SHALL NOT RELY SOLELY ON A WEB-BASED APPLICATION. (C) NOTWITHSTANDING PARAGRAPH (A) OR (B) OF THIS SUBDIVISION, OWNERS SHALL PROVIDE A NON-ELECTRONIC MEANS OF ENTRY WHERE REQUESTED BY THE TENANT OR LAWFUL OCCUPANT DUE TO A RELIGIOUS PREFERENCE. (D) ALL LAWFUL TENANTS AND LAWFUL OCCUPANTS SHALL BE PROVIDED WITH A KEY, KEY FOB, DIGITAL KEY OR KEY CARD AT NO COST TO SUCH TENANTS AND LAWFUL OCCUPANTS. 
THE TERM "LAWFUL OCCUPANTS" SHALL INCLUDE CHILDREN UNDER THE AGE OF EIGHTEEN WHO SHALL BE ISSUED A KEY, KEY FOB, DIGITAL KEYS OR KEY CARD IF A PARENT OR GUARDIAN REQUESTS SUCH CHILD BE PROVIDED WITH ONE. TENANTS AND LAWFUL OCCUPANTS MAY ALSO RECEIVE UP TO FOUR ADDITIONAL KEYS, KEY FOBS, DIGITAL KEYS OR KEY CARDS AT NO COST TO THE TENANT OR LAWFUL OCCUPANT FOR EMPLOYEES OR GUESTS. THE TERM "GUESTS" SHALL INCLUDE FAMILY MEMBERS AND FRIENDS WHO CAN REASONABLY BE EXPECTED TO VISIT ON A REGULAR BASIS OR VISIT AS NEEDED TO CARE FOR THE TENANT, LAWFUL OCCUPANT, OR THE DWELLING UNIT IF THE TENANT OR LAWFUL OCCUPANT IS AWAY. EMPLOYEES, INCLUDING CONTRACTORS, PROFESSIONAL CAREGIVERS OR OTHER SERVICES PROVIDERS, MAY HAVE AN EXPIRATION DATE PLACED ON THEIR KEY, KEY CARD, DIGITAL KEY OR KEY FOB, WHICH MAY BE EXTENDED UPON THE TENANT OR LAWFUL OCCUPANT'S REQUEST. TENANTS OR LAWFUL OCCUPANTS MAY REQUEST A NEW OR REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR KEY CARD AT ANY TIME THROUGHOUT THE COURSE OF THE TENANCY. THE OWNER OR THEIR AGENT SHALL PROVIDE THE FIRST REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR KEY CARD TO THE TENANT OR LAWFUL OCCUPANT FREE OF CHARGE. THE COST OF SECOND AND SUBSEQUENT REPLACEMENT CARDS SHALL NOT BE MORE THAN WHAT THE OWNER PAID FOR THE REPLACEMENT UP TO AND NOT EXCEEDING TWENTY-FIVE DOLLARS. (E) THE OWNER SHALL NOT SET LIMITS ON THE NUMBER OF KEYS, KEY FOBS, DIGITAL KEYS OR KEY CARDS A TENANT OR LAWFUL OCCUPANT MAY REQUEST. (F) ANY DOOR THAT HAS A SMART ACCESS SYSTEM SHALL HAVE BACKUP POWER OR AN ALTERNATIVE MEANS OF ENTRY TO ENSURE THAT THE ENTRY SYSTEM CONTINUES TO OPERATE DURING A POWER OUTAGE. AN OWNER, OR THEIR AGENT, SHALL ROUTINELY INSPECT THE BACKUP POWER AND SHALL REPLACE ACCORDING TO SYSTEM SPECIFICATIONS. 
OWNERS OR THEIR AGENTS SHALL PROVIDE TENANTS AND LAWFUL OCCUPANTS WITH INFORMATION ABOUT WHOM TO CONTACT IN THE EVENT THAT THE TENANT, LAWFUL OCCUPANT OR THE TENANT'S OR LAWFUL OCCUPANT'S CHILDREN, GUESTS OR EMPLOYEES BECOME LOCKED OUT. 3. NOTICE. OWNERS OR THEIR AGENTS SHALL PROVIDE NOTICE TO A TENANT OR LAWFUL OCCUPANT AT THE TIME THE TENANT OR LAWFUL OCCUPANT SIGNS THE LEASE, OR WHEN THE SMART ACCESS SYSTEM IS INSTALLED, OF THE PROVISIONS OF SUBDIVISION TWO OF THIS SECTION. 4. DATA COLLECTION. (A) IF A SMART ACCESS SYSTEM IS UTILIZED TO GAIN ENTRANCE TO A MULTIPLE DWELLING, THE ONLY REFERENCE, AUTHENTICATION, AND ACCOUNT INFORMATION GATHERED BY ANY SMART ACCESS SYSTEM SHALL BE LIMITED TO ACCOUNT INFORMATION NECESSARY TO ENABLE THE USE OF SUCH SMART ACCESS SYSTEM, OR REFERENCE DATA, INCLUDING THE USER'S NAME, DWELLING UNIT NUMBER AND OTHER DOORS OR COMMON AREAS TO WHICH THE USER HAS ACCESS, THE PREFERRED METHOD OF CONTACT FOR SUCH USER, INFORMATION USED TO GRANT A USER ENTRY OR TO ACCESS ANY ONLINE TOOLS USED TO MANAGE USER ACCOUNTS RELATED TO SUCH BUILDING, LEASE INFORMATION INCLUDING MOVE-IN AND, IF AVAILABLE MOVE-OUT DATES, AND AUTHENTICATION DATA SUCH AS TIME AND METHOD OF ACCESS FOR SECURITY PURPOSES AND A PHOTOGRAPH OF ACCESS EVENTS FOR SECURITY PURPOSES. FOR SMART ACCESS SYSTEMS THAT RELY ON THE COLLECTION OF BIOMETRIC DATA AND WHICH HAVE ALREADY BEEN INSTALLED AT THE TIME THIS SECTION SHALL HAVE BECOME A LAW, BIOMETRIC IDENTIFIER INFORMATION MAY BE COLLECTED PURSUANT TO THIS SECTION IN ORDER TO REGISTER A USER FOR A SMART ACCESS SYSTEM. NO NEW SMART ACCESS SYSTEMS THAT RELY ON THE COLLECTION OF BIOMETRIC DATA SHALL BE INSTALLED IN MULTIPLE DWELLINGS FOR THREE YEARS AFTER THE EFFECTIVE DATE OF THIS SECTION. (I) THE OWNER OF THE MULTIPLE DWELLING SHALL COLLECT ONLY THE MINIMUM DATA REQUIRED BY THE TECHNOLOGY USED IN THE SMART ACCESS SYSTEM TO EFFECTUATE SUCH ENTRANCE AND PROTECT THE PRIVACY AND SECURITY OF SUCH USERS. 
(II) THE OWNER OR AGENT OF THE OWNER SHALL NOT REQUEST OR RETAIN, IN ANY FORM, THE SOCIAL SECURITY NUMBER OF ANY TENANT OR LAWFUL OCCUPANT AS A CONDITION OF USE OF THE SMART ACCESS SYSTEM. (III) THE OWNER, AGENT OF THE OWNER, OR THE VENDOR OF A SMART ACCESS SYSTEM ON BEHALF OF THE OWNER MAY RECORD EACH TIME A KEY FOB, KEY CARD, DIGITAL KEY OR PASSCODE IS USED TO ENTER THE BUILDING, BUT SHALL NOT RECORD ANY DEPARTURES. (IV) A COPY OF SUCH DATA MAY BE RETAINED FOR REFERENCE AT THE POINT OF AUTHENTICATION BY THE SMART ACCESS SYSTEM. SUCH REFERENCE DATA SHALL BE RETAINED ONLY FOR TENANTS OR LAWFUL OCCUPANTS OR THOSE AUTHORIZED BY THE TENANT, LAWFUL OCCUPANT, OR OWNER OF THE MULTIPLE DWELLING. (V) THE OWNER OF THE MULTIPLE DWELLING OR ANY THIRD PARTY SHALL DESTROY OR ANONYMIZE AUTHENTICATION DATA COLLECTED FROM OR GENERATED BY SUCH SMART ACCESS SYSTEM WITHIN A REASONABLE TIME, BUT NOT LATER THAN NINETY DAYS AFTER THE DATE COLLECTED. (VI) REFERENCE DATA FOR A USER SHALL BE DESTROYED OR ANONYMIZED WITHIN NINETY DAYS OF (1) THE TENANT OR LAWFUL OCCUPANT PERMANENTLY VACATING THE DWELLING, OR (2) A REQUEST BY THE TENANT OR LAWFUL OCCUPANT TO WITHDRAW AUTHORIZATION FOR THOSE PREVIOUSLY AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT. (B) (I) AN ENTITY SHALL NOT CAPTURE BIOMETRIC IDENTIFIER INFORMATION OF AN INDIVIDUAL TO GAIN ENTRANCE TO A MULTIPLE DWELLING UNLESS THE PERSON IS A TENANT OR LAWFUL OCCUPANT OR A PERSON AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT, AND INFORMS THE INDIVIDUAL BEFORE CAPTURING THE BIOMETRIC IDENTIFIER INFORMATION; AND RECEIVES THEIR EXPRESS CONSENT TO CAPTURE THE BIOMETRIC IDENTIFIER INFORMATION. (II) ANY ENTITY THAT POSSESSES BIOMETRIC IDENTIFIER INFORMATION OF AN INDIVIDUAL THAT IS CAPTURED TO GAIN ENTRANCE TO A MULTIPLE DWELLING: (1) SHALL NOT SELL, LEASE OR OTHERWISE DISCLOSE THE BIOMETRIC IDENTIFIER INFORMATION TO ANOTHER PERSON UNLESS PURSUANT TO ANY LAW, GRAND JURY SUBPOENA OR COURT ORDERED WARRANT, SUBPOENA, OR OTHER AUTHORIZED COURT ORDERED PROCESS. (2) SHALL STORE, TRANSMIT AND PROTECT FROM DISCLOSURE THE BIOMETRIC IDENTIFIER INFORMATION USING REASONABLE CARE AND IN A MANNER THAT IS THE SAME AS OR MORE PROTECTIVE THAN THE MANNER IN WHICH THE PERSON STORES, TRANSMITS AND PROTECTS CONFIDENTIAL INFORMATION THE PERSON POSSESSES; AND (3) SHALL DESTROY THE BIOMETRIC IDENTIFIER INFORMATION WITHIN A REASONABLE TIME, BUT NOT LATER THAN FORTY-EIGHT HOURS AFTER THE DATE COLLECTED, EXCEPT FOR REFERENCE DATA. IF ANY PROHIBITED INFORMATION IS COLLECTED, SUCH AS THE LIKENESS OF A MINOR OR A NON-TENANT, THE INFORMATION SHALL BE DESTROYED IMMEDIATELY. (C) THE OWNER OF THE MULTIPLE DWELLING, OR THE MANAGING AGENT, SHALL DEVELOP AND PROVIDE TO TENANTS AND LAWFUL OCCUPANTS WRITTEN PROCEDURES WHICH DESCRIBE THE PROCESS USED TO ADD PERSONS AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT TO THE SMART ACCESS SYSTEM ON A TEMPORARY OR PERMANENT BASIS, SUCH AS VISITORS, CHILDREN, THEIR EMPLOYEES, AND CAREGIVERS TO SUCH BUILDING. (I) THE PROCEDURES SHALL CLEARLY ESTABLISH THE OWNER'S RETENTION SCHEDULE AND GUIDELINES FOR PERMANENTLY DESTROYING OR ANONYMIZING THE DATA COLLECTED. (II) THE PROCEDURES SHALL NOT LIMIT TIME OR PLACE OF ENTRANCE BY SUCH PEOPLE AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT EXCEPT AS REQUESTED BY THE TENANT OR LAWFUL OCCUPANT. 5. PROHIBITIONS. (A) NO FORM OF LOCATION TRACKING, INCLUDING BUT NOT LIMITED TO SATELLITE LOCATION BASED SERVICES, SHALL BE INCLUDED IN ANY EQUIPMENT, KEY, OR SOFTWARE PROVIDED TO USERS AS PART OF A SMART ACCESS SYSTEM. 
(B) IT SHALL BE PROHIBITED TO COLLECT THROUGH A SMART ACCESS SYSTEM THE LIKENESS OF A MINOR OCCUPANT, INFORMATION ON THE RELATIONSHIP STATUS OF TENANTS OR LAWFUL OCCUPANTS AND THEIR GUESTS, OR TO USE A SMART ACCESS SYSTEM TO COLLECT OR TRACK INFORMATION ABOUT THE FREQUENCY AND TIME OF USE OF SUCH SYSTEM BY A TENANT OR LAWFUL OCCUPANT AND THEIR GUESTS TO HARASS OR EVICT A TENANT OR LAWFUL OCCUPANT OR FOR ANY OTHER PURPOSE NOT EXPRESSLY RELATED TO THE OPERATION OF THE SMART ACCESS SYSTEM. (C) INFORMATION THAT IS ACQUIRED VIA THE USE OF A SMART ACCESS SYSTEM SHALL NOT BE USED FOR ANY PURPOSES OTHER THAN GRANTING ACCESS TO AND MONITORING BUILDING ENTRANCES AND SHALL NOT BE USED AS THE BASIS OR SUPPORT FOR AN ACTION TO EVICT A LESSEE, TENANT, OR LAWFUL OCCUPANT, OR AN ADMINISTRATIVE HEARING SEEKING A CHANGE IN REGULATORY COVERAGE FOR AN INDIVIDUAL OR UNIT. HOWEVER, A TENANT OR LAWFUL OCCUPANT MAY AUTHORIZE THEIR INFORMATION TO BE USED BY A THIRD PARTY, BUT SUCH A REQUEST SHALL CLEARLY STATE WHO WILL HAVE ACCESS TO SUCH INFORMATION, FOR WHAT PURPOSE IT WILL BE USED, AND THE PRIVACY POLICIES WHICH WILL PROTECT THEIR INFORMATION. UNDER NO CIRCUMSTANCES SHALL A LEASE OR A RENEWAL BE CONTINGENT UPON AUTHORIZING SUCH USE. SMART ACCESS SYSTEMS MAY USE THIRD-PARTY SERVICES TO THE EXTENT REQUIRED TO MAINTAIN AND OPERATE SYSTEM INFRASTRUCTURE, INCLUDING CLOUD-BASED HOSTING AND STORAGE. THE PROVIDER OR PROVIDERS OF THIRD-PARTY INFRASTRUCTURE SERVICES SHALL MEET OR EXCEED THE PRIVACY PROTECTIONS SET FORTH IN THIS SECTION AND SHALL BE SUBJECT TO THE SAME LIABILITY FOR BREACH OF ANY OF THE REQUIREMENTS OF THIS SECTION. (D) INFORMATION AND DATA COLLECTED SHALL NOT BE MADE AVAILABLE TO ANY THIRD PARTY, UNLESS AUTHORIZED AS DESCRIBED IN PARAGRAPH (C) OF THIS SUBDIVISION, INCLUDING BUT NOT LIMITED TO LAW ENFORCEMENT, EXCEPT UPON A GRAND JURY SUBPOENA OR A COURT ORDERED WARRANT, SUBPOENA, OR OTHER AUTHORIZED COURT ORDERED PROCESS. 6. STORAGE OF INFORMATION. 
ANY INFORMATION OR DATA COLLECTED SHALL BE STORED IN A SECURE MANNER TO PREVENT UNAUTHORIZED ACCESS BY BOTH EMPLOYEES AND CONTRACTORS AND THOSE UNAFFILIATED WITH THE OWNER OR THEIR AGENTS, EXCEPT AS OTHERWISE PROVIDED IN THIS SECTION. FUTURE OR CONTINUING TENANCY SHALL NOT BE CONDITIONED UPON CONSENTING TO THE USE OF A SMART ACCESS SYSTEM. 7. SOFTWARE ISSUES. WHENEVER A COMPANY THAT PRODUCES, MAKES AVAILABLE OR INSTALLS SMART ACCESS SYSTEMS DISCOVERS A SECURITY BREACH OR CRITICAL SECURITY VULNERABILITY IN THEIR SOFTWARE, SUCH COMPANY SHALL NOTIFY CUSTOMERS OF SUCH VULNERABILITY WITHIN A REASONABLE TIME OF DISCOVERY BUT NO LATER THAN TWENTY-FOUR HOURS AFTER DISCOVERY AND SHALL MAKE SOFTWARE UPDATES AVAILABLE AND TAKE ANY OTHER ACTION AS MAY BE NECESSARY TO REPAIR THE VULNERABILITY WITHIN A REASONABLE TIME, BUT NOT LONGER THAN THIRTY DAYS AFTER DISCOVERY. SMART ACCESS SYSTEMS AND VENDORS SHALL IMPLEMENT AND MAINTAIN REASONABLE SECURITY PROCEDURES AND PRACTICES APPROPRIATE TO THE NATURE OF THE INFORMATION COLLECTED. IN THE EVENT THAT A SECURITY BREACH OR CRITICAL SECURITY VULNERABILITY THAT PERTAINS TO THE EMBEDDED SOFTWARE OR FIRMWARE ON THE SMART ACCESS SYSTEMS IS DISCOVERED, SMART ACCESS SYSTEMS AND THEIR VENDORS SHALL: (A) BE ABLE TO CREATE UPDATES TO THE FIRMWARE TO CORRECT THE VULNERABILITIES; (B) CONTRACTUALLY COMMIT TO CUSTOMERS THAT THE SMART ACCESS SYSTEM OR VENDOR WILL CREATE UPDATES TO THE EMBEDDED SOFTWARE OR FIRMWARE TO REMEDY THE VULNERABILITIES; AND (C) MAKE SUCH SECURITY-RELATED SOFTWARE OR FIRMWARE UPDATES AVAILABLE FOR FREE TO CUSTOMERS FOR THE DURATION OF THE CONTRACT BETWEEN THE BUILDING AND SMART ACCESS SYSTEMS. 8. WAIVER OF RIGHTS; VOID. ANY AGREEMENT BY A LESSEE OR TENANT OF A DWELLING WAIVING OR MODIFYING THEIR RIGHTS AS SET FORTH IN THIS SECTION SHALL BE VOID AS CONTRARY TO PUBLIC POLICY. 9. PENALTIES. 
(A) A PERSON WHO VIOLATES THIS SECTION SHALL BE SUBJECT TO A CIVIL PENALTY OF NOT MORE THAN FIVE THOUSAND DOLLARS FOR EACH VIOLATION. THE ATTORNEY GENERAL MAY BRING AN ACTION TO RECOVER THE CIVIL PENALTY. AN INDIVIDUAL INJURED BY A VIOLATION OF THIS SECTION MAY BRING AN ACTION TO RECOVER DAMAGES. A COURT MAY ALSO AWARD ATTORNEYS' FEES TO A PREVAILING PLAINTIFF. (B) WHERE AN OWNER OR THEIR AGENT USES A SMART ACCESS SYSTEM TO HARASS OR OTHERWISE DEPRIVE A TENANT OR LAWFUL OCCUPANT OF ANY RIGHTS AVAILABLE UNDER LAW, SUCH OWNER OR AGENT SHALL BE SUBJECT TO A CIVIL PENALTY OF TEN THOUSAND DOLLARS FOR EACH VIOLATION. (C) FOR PURPOSES OF THIS SUBDIVISION, EACH DAY THE VIOLATION OCCURS SHALL BE CONSIDERED A SEPARATE VIOLATION. 10. RENT REGULATED DWELLINGS. INSTALLATION OF A SMART ACCESS SYSTEM PURSUANT TO THIS SECTION IN A DWELLING SUBJECT TO THE EMERGENCY TENANT PROTECTION ACT OF NINETEEN HUNDRED SEVENTY-FOUR, THE EMERGENCY HOUSING RENT CONTROL LAW, THE LOCAL EMERGENCY HOUSING RENT CONTROL ACT, OR THE RENT STABILIZATION LAW OF NINETEEN HUNDRED SIXTY-NINE SHALL CONSTITUTE A MODIFICATION OF SERVICES REQUIRING THE OWNER OF SUCH DWELLING OR THEIR AGENT TO APPLY TO THE DIVISION OF HOUSING AND COMMUNITY RENEWAL FOR APPROVAL BEFORE PERFORMING SUCH INSTALLATION. SUCH INSTALLATION SHALL NOT QUALIFY AS A BASIS FOR RENT REDUCTION. 11. EXEMPTIONS. (A) NOTHING HEREIN SHALL APPLY TO MULTIPLE DWELLINGS OWNED OR MANAGED BY AN ENTITY SUBJECT TO 42 U.S.C. § 1437 ET SEQ., OR ANY OF ITS SUBSIDIARIES. (B) NOTHING IN THIS SECTION SHALL LIMIT THE AUTHORITY OF THE DIVISION OF HOUSING AND COMMUNITY RENEWAL TO IMPOSE ADDITIONAL REQUIREMENTS REGARDING SMART ACCESS SYSTEMS INSTALLED IN MULTIPLE DWELLINGS FOR WHICH THE DIVISION IS REQUIRED TO APPROVE SUBSTITUTIONS OR MODIFICATIONS OF SERVICES. § 3. Severability.
If any provision of this act, or any application of any provision of this act, is held to be invalid, that shall not affect the validity or effectiveness of any other provision of this act, or of any other application of any provision of this act, which can be given effect without that provision or application; and to that end, the provisions and applications of this act are severable. § 4. This act shall take effect on the one hundred eightieth day after it shall have become a law.
co-Sponsors
Jeffrey Dinowitz
Deborah Glick
Jo Anne Simon
Harvey Epstein
Karen McMahon
William Colton
David Weprin
Al Taylor
Steven Raga
2023-A48B - Details
2023-A48B - Bill Text
STATE OF NEW YORK
48--B
2023-2024 Regular Sessions
IN ASSEMBLY
(PREFILED)
January 4, 2023
Introduced by M. of A. L. ROSENTHAL, DINOWITZ, GLICK, SIMON, EPSTEIN, McMAHON, COLTON, WEPRIN -- read once and referred to the Committee on Housing -- committee discharged, bill amended, ordered reprinted as amended and recommitted to said committee -- reported and referred to the Committee on Codes -- committee discharged, bill amended, ordered reprinted as amended and recommitted to said committee
AN ACT to amend the multiple dwelling law and the multiple residence law, in relation to the use of smart access systems and the information that may be gathered from such systems
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEMBLY, DO ENACT AS FOLLOWS:
Section 1. The multiple dwelling law is amended by adding a new section 50-b to read as follows: § 50-B. ELECTRONIC OR COMPUTERIZED ENTRY SYSTEMS. 1. DEFINITIONS. FOR THE PURPOSES OF THIS SECTION, THE FOLLOWING TERMS SHALL HAVE THE FOLLOWING MEANINGS: A. "ACCOUNT INFORMATION" MEANS INFORMATION THAT IS USED TO GRANT A USER ENTRY OR ACCESS TO ANY ONLINE TOOLS THAT ARE USED TO MANAGE USER ACCOUNTS RELATED TO A SMART ACCESS SYSTEM. B. "AUTHENTICATION DATA" MEANS DATA GENERATED OR COLLECTED AT THE POINT OF AUTHENTICATION IN CONNECTION WITH GRANTING A USER ENTRY TO A CLASS A MULTIPLE DWELLING, DWELLING UNIT OF SUCH BUILDING, OR COMMON AREA OF SUCH BUILDING THROUGH A SMART ACCESS SYSTEM, EXCEPT THAT IT SHALL NOT INCLUDE DATA GENERATED THROUGH OR COLLECTED BY A VIDEO OR CAMERA SYSTEM THAT IS USED TO MONITOR ENTRANCES BUT NOT TO GRANT ENTRY. C. "BIOMETRIC IDENTIFIER INFORMATION" MEANS A PHYSIOLOGICAL, BIOLOGICAL OR BEHAVIORAL CHARACTERISTIC THAT IS USED TO IDENTIFY, OR ASSIST IN IDENTIFYING, AN INDIVIDUAL, INCLUDING, BUT NOT LIMITED TO: (I) A RETINA OR IRIS SCAN, (II) A FINGERPRINT, (III) A VOICEPRINT, (IV) A SCAN OR RECORD OF A PALM, HAND, OR FACE GEOMETRY, (V) GAIT OR MOVEMENT PATTERNS, OR (VI) ANY OTHER SIMILAR IDENTIFYING CHARACTERISTIC THAT CAN BE USED ALONE OR IN COMBINATION WITH EACH OTHER, OR WITH OTHER INFORMATION, TO ESTABLISH INDIVIDUAL IDENTITY.
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets [ ] is old law to be omitted. LBD00692-06-3
D. "CRITICAL SECURITY VULNERABILITY" MEANS A SECURITY VULNERABILITY THAT HAS A SIGNIFICANT RISK OF RESULTING IN AN UNAUTHORIZED ACCESS TO AN AREA SECURED BY A SMART ACCESS SYSTEM. E. "REFERENCE DATA" MEANS INFORMATION AGAINST WHICH AUTHENTICATION DATA IS VERIFIED AT THE POINT OF AUTHENTICATION BY A SMART ACCESS SYSTEM IN ORDER TO GRANT A USER ENTRY TO A CLASS A MULTIPLE DWELLING, DWELLING UNIT OF SUCH BUILDING, OR COMMON AREA OF SUCH BUILDING. F. "SECURITY BREACH" MEANS ANY INCIDENT THAT RESULTS IN UNAUTHORIZED ACCESS OF DATA, APPLICATIONS, SERVICES, NETWORKS OR DEVICES BY BYPASSING UNDERLYING SECURITY MECHANISMS. A "SECURITY BREACH" OCCURS WHEN AN INDIVIDUAL OR AN APPLICATION ILLEGITIMATELY ENTERS A PRIVATE, CONFIDENTIAL OR UNAUTHORIZED LOGICAL INFORMATION TECHNOLOGY PERIMETER. G. "SMART ACCESS SYSTEM" MEANS ANY SYSTEM THAT USES ELECTRONIC OR COMPUTERIZED TECHNOLOGY, A RADIO FREQUENCY IDENTIFICATION CARD, A MOBILE PHONE APPLICATION, BIOMETRIC IDENTIFIER INFORMATION, OR ANY OTHER DIGITAL TECHNOLOGY IN ORDER TO GRANT ACCESS TO A CLASS A MULTIPLE DWELLING, COMMON AREAS IN SUCH MULTIPLE DWELLING, OR TO AN INDIVIDUAL DWELLING UNIT IN SUCH MULTIPLE DWELLING. H. "THIRD PARTY" MEANS AN ENTITY THAT INSTALLS, OPERATES OR OTHERWISE DIRECTLY SUPPORTS A SMART ACCESS SYSTEM, AND HAS ONGOING ACCESS TO USER DATA, EXCLUDING ANY ENTITY THAT SOLELY HOSTS SUCH DATA. I. "USER" MEANS A TENANT OR LAWFUL OCCUPANT OF A CLASS A MULTIPLE DWELLING, AND ANY PERSON A TENANT OR LAWFUL OCCUPANT HAS REQUESTED, IN WRITING OR THROUGH A MOBILE APPLICATION, BE GRANTED ACCESS TO SUCH TENANT OR LAWFUL OCCUPANT'S DWELLING UNIT AND SUCH BUILDING'S SMART ACCESS SYSTEM. 2. ENTRY. A.
WHERE AN OWNER INSTALLS OR PLANS TO INSTALL A SMART ACCESS SYSTEM ON ANY ENTRANCE FROM THE STREET, PASSAGEWAY, COURT, YARD, CELLAR, OR OTHER COMMON AREA OF A CLASS A MULTIPLE DWELLING, SUCH SYSTEM SHALL NOT RELY SOLELY ON A WEB-BASED APPLICATION TO FACILITATE ENTRANCE BUT SHALL ALSO INCLUDE A KEY FOB, KEY CARD, DIGITAL KEY OR PASSCODE FOR TENANT USE. B. OWNERS MAY PROVIDE VARIOUS METHODS OF ENTRY INTO INDIVIDUAL APARTMENTS INCLUDING A MECHANICAL KEY OR A SMART ACCESS SYSTEM OF A KEY FOB, KEY CARD OR DIGITAL KEY, PROVIDED, HOWEVER THAT SUCH SMART ACCESS SYSTEM SHALL NOT RELY SOLELY ON A WEB-BASED APPLICATION. C. NOTWITHSTANDING PARAGRAPH A OR B OF THIS SUBDIVISION, OWNERS SHALL PROVIDE A NON-ELECTRONIC MEANS OF ENTRY WHERE REQUESTED BY THE TENANT OR LAWFUL OCCUPANT DUE TO A RELIGIOUS PREFERENCE. D. ALL LAWFUL TENANTS AND LAWFUL OCCUPANTS SHALL BE PROVIDED WITH A KEY, KEY FOB, DIGITAL KEY OR KEY CARD AT NO COST TO SUCH TENANTS AND LAWFUL OCCUPANTS. THE TERM "LAWFUL OCCUPANTS" SHALL INCLUDE CHILDREN UNDER THE AGE OF EIGHTEEN WHO SHALL BE ISSUED A KEY, KEY FOB, DIGITAL KEY OR KEY CARD IF A PARENT OR GUARDIAN REQUESTS SUCH CHILD BE PROVIDED WITH ONE. TENANTS AND LAWFUL OCCUPANTS MAY ALSO RECEIVE UP TO FOUR ADDITIONAL KEYS, KEY FOBS, DIGITAL KEYS OR KEY CARDS AT NO COST TO THE TENANT OR LAWFUL OCCUPANT FOR EMPLOYEES OR GUESTS. THE TERM "GUESTS" SHALL INCLUDE FAMILY MEMBERS AND FRIENDS WHO CAN REASONABLY BE EXPECTED TO VISIT ON A REGULAR BASIS OR VISIT AS NEEDED TO CARE FOR THE TENANT, LAWFUL OCCUPANT, OR THE DWELLING UNIT IF THE TENANT OR LAWFUL OCCUPANT IS AWAY. EMPLOYEES, INCLUDING CONTRACTORS, PROFESSIONAL CAREGIVERS OR OTHER SERVICES PROVIDERS, MAY HAVE AN EXPIRATION DATE PLACED ON THEIR KEY, KEY CARD, DIGITAL KEY OR KEY FOB, WHICH MAY BE EXTENDED UPON THE TENANT'S OR LAWFUL OCCUPANT'S REQUEST.
TENANTS OR LAWFUL OCCUPANTS MAY REQUEST A NEW OR REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR KEY CARD AT ANY TIME THROUGHOUT THE COURSE OF THE TENANCY OR OCCUPANCY. THE OWNER OR THEIR AGENT SHALL PROVIDE THE FIRST REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR KEY CARD TO THE TENANT OR LAWFUL OCCUPANT FREE OF CHARGE. THE COST OF SECOND AND SUBSEQUENT REPLACEMENT CARDS SHALL NOT BE MORE THAN WHAT THE OWNER PAID FOR THE REPLACEMENT UP TO AND NOT EXCEEDING TWENTY-FIVE DOLLARS. E. THE OWNER SHALL NOT SET LIMITS ON THE NUMBER OF KEYS, KEY FOBS, DIGITAL KEYS OR KEY CARDS A TENANT OR LAWFUL OCCUPANT MAY REQUEST. F. ANY DOOR THAT HAS A SMART ACCESS SYSTEM SHALL HAVE BACKUP POWER OR AN ALTERNATIVE MEANS OF ENTRY TO ENSURE THAT THE ENTRY SYSTEM CONTINUES TO OPERATE DURING A POWER OUTAGE. AN OWNER, OR THEIR AGENT, SHALL ROUTINELY INSPECT THE BACKUP POWER AND SHALL REPLACE ACCORDING TO SYSTEM SPECIFICATIONS. OWNERS OR THEIR AGENTS SHALL PROVIDE TENANTS AND LAWFUL OCCUPANTS WITH INFORMATION ABOUT WHOM TO CONTACT IN THE EVENT THAT THE TENANT, LAWFUL OCCUPANT OR THE TENANT'S OR LAWFUL OCCUPANT'S CHILDREN, GUESTS OR EMPLOYEES BECOME LOCKED OUT. 3. NOTICE. OWNERS OR THEIR AGENTS SHALL PROVIDE NOTICE TO A TENANT OR LAWFUL OCCUPANT AT THE TIME THE TENANT OR LAWFUL OCCUPANT SIGNS THE LEASE, OR WHEN THE SMART ACCESS SYSTEM IS INSTALLED, OF THE PROVISIONS OF SUBDIVISION TWO OF THIS SECTION. 4. DATA COLLECTION. A.
IF A SMART ACCESS SYSTEM IS UTILIZED TO GAIN ENTRANCE TO A CLASS A MULTIPLE DWELLING, THE ONLY REFERENCE, AUTHENTICATION, AND ACCOUNT INFORMATION GATHERED BY ANY SMART ACCESS SYSTEM SHALL BE LIMITED TO ACCOUNT INFORMATION NECESSARY TO ENABLE THE USE OF SUCH SMART ACCESS SYSTEM, OR REFERENCE DATA, INCLUDING THE USER'S NAME, DWELLING UNIT NUMBER AND OTHER DOORS OR COMMON AREAS TO WHICH THE USER HAS ACCESS, THE PREFERRED METHOD OF CONTACT FOR SUCH USER, INFORMATION USED TO GRANT A USER ENTRY OR TO ACCESS ANY ONLINE TOOLS USED TO MANAGE USER ACCOUNTS RELATED TO SUCH BUILDING, LEASE INFORMATION INCLUDING MOVE-IN AND, IF AVAILABLE MOVE-OUT DATES, AND AUTHENTICATION DATA SUCH AS TIME AND METHOD OF ACCESS FOR SECURITY PURPOSES AND A PHOTOGRAPH OF ACCESS EVENTS FOR SECURITY PURPOSES. FOR SMART ACCESS SYSTEMS THAT RELY ON THE COLLECTION OF BIOMETRIC DATA AND WHICH HAVE ALREADY BEEN INSTALLED AT THE TIME THIS SECTION SHALL HAVE BECOME A LAW, BIOMETRIC IDENTIFIER INFORMATION MAY BE COLLECTED PURSUANT TO THIS SECTION IN ORDER TO REGISTER A USER FOR A SMART ACCESS SYSTEM. NO NEW SMART ACCESS SYSTEMS THAT RELY ON THE COLLECTION OF BIOMETRIC DATA SHALL BE INSTALLED IN CLASS A MULTIPLE DWELLINGS FOR THREE YEARS AFTER THE EFFECTIVE DATE OF THIS SECTION. (I) THE OWNER OF THE MULTIPLE DWELLING MAY COLLECT ONLY THE MINIMUM DATA REQUIRED BY THE TECHNOLOGY USED IN THE SMART ACCESS SYSTEM TO EFFECTUATE SUCH ENTRANCE AND PROTECT THE PRIVACY AND SECURITY OF SUCH USERS. (II) THE OWNER OR AGENT OF THE OWNER SHALL NOT REQUEST OR RETAIN, IN ANY FORM, THE SOCIAL SECURITY NUMBER OF ANY TENANT OR LAWFUL OCCUPANT AS A CONDITION OF USE OF THE SMART ACCESS SYSTEM. (III) THE OWNER, AGENT OF THE OWNER, OR THE VENDOR OF A SMART ACCESS SYSTEM ON BEHALF OF THE OWNER MAY RECORD EACH TIME A KEY FOB, KEY CARD, DIGITAL KEY OR PASSCODE IS USED TO ENTER THE BUILDING, BUT SHALL NOT RECORD ANY DEPARTURES.
(IV) A COPY OF SUCH DATA MAY BE RETAINED FOR REFERENCE AT THE POINT OF AUTHENTICATION BY THE SMART ACCESS SYSTEM. SUCH REFERENCE DATA SHALL BE RETAINED ONLY FOR TENANTS OR LAWFUL OCCUPANTS OR THOSE AUTHORIZED BY THE TENANT, LAWFUL OCCUPANT, OR OWNER OF THE MULTIPLE DWELLING. (V) THE OWNER OF THE MULTIPLE DWELLING OR ANY THIRD PARTY SHALL DESTROY OR ANONYMIZE AUTHENTICATION DATA COLLECTED FROM OR GENERATED BY SUCH SMART ACCESS SYSTEM WITHIN A REASONABLE TIME, BUT NOT LATER THAN NINETY DAYS AFTER THE DATE COLLECTED. (VI) REFERENCE DATA FOR A USER SHALL BE DESTROYED OR ANONYMIZED WITHIN NINETY DAYS OF (1) THE TENANT OR LAWFUL OCCUPANT PERMANENTLY VACATING THE DWELLING, OR (2) A REQUEST BY THE TENANT OR LAWFUL OCCUPANT TO WITHDRAW AUTHORIZATION FOR THOSE PREVIOUSLY AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT. B. (I) AN ENTITY SHALL NOT CAPTURE BIOMETRIC IDENTIFIER INFORMATION OF AN INDIVIDUAL TO GAIN ENTRANCE TO A CLASS A MULTIPLE DWELLING UNLESS THE PERSON IS A TENANT OR LAWFUL OCCUPANT OR A PERSON AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT, AND INFORMS THE INDIVIDUAL BEFORE CAPTURING THE BIOMETRIC IDENTIFIER INFORMATION; AND RECEIVES THEIR EXPRESS CONSENT TO CAPTURE THE BIOMETRIC IDENTIFIER INFORMATION. (II) ANY ENTITY THAT POSSESSES BIOMETRIC IDENTIFIER INFORMATION OF AN INDIVIDUAL THAT IS CAPTURED TO GAIN ENTRANCE TO A CLASS A MULTIPLE DWELLING: (1) SHALL NOT SELL, LEASE OR OTHERWISE DISCLOSE THE BIOMETRIC IDENTIFIER INFORMATION TO ANOTHER PERSON UNLESS PURSUANT TO ANY LAW, GRAND JURY SUBPOENA OR COURT ORDERED WARRANT, SUBPOENA, OR OTHER AUTHORIZED COURT ORDERED PROCESS.
(2) SHALL STORE, TRANSMIT AND PROTECT FROM DISCLOSURE THE BIOMETRIC IDENTIFIER INFORMATION USING REASONABLE CARE AND IN A MANNER THAT IS THE SAME AS OR MORE PROTECTIVE THAN THE MANNER IN WHICH THE PERSON STORES, TRANSMITS AND PROTECTS CONFIDENTIAL INFORMATION THE PERSON POSSESSES; AND (3) SHALL DESTROY THE BIOMETRIC IDENTIFIER INFORMATION WITHIN A REASONABLE TIME, BUT NOT LATER THAN FORTY-EIGHT HOURS AFTER THE DATE COLLECTED, EXCEPT FOR REFERENCE DATA. IF ANY PROHIBITED INFORMATION IS COLLECTED, SUCH AS THE LIKENESS OF A MINOR OR A NON-TENANT, THE INFORMATION SHALL BE DESTROYED IMMEDIATELY. C. THE OWNER OF THE MULTIPLE DWELLING, OR THE MANAGING AGENT, SHALL DEVELOP AND PROVIDE TO TENANTS AND LAWFUL OCCUPANTS WRITTEN PROCEDURES WHICH DESCRIBE THE PROCESS USED TO ADD PERSONS AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT TO THE SMART ACCESS SYSTEM ON A TEMPORARY OR PERMANENT BASIS, SUCH AS VISITORS, CHILDREN, THEIR EMPLOYEES, AND CAREGIVERS TO SUCH BUILDING. (I) THE PROCEDURES SHALL CLEARLY ESTABLISH THE OWNER'S RETENTION SCHEDULE AND GUIDELINES FOR PERMANENTLY DESTROYING OR ANONYMIZING THE DATA COLLECTED. (II) THE PROCEDURES SHALL NOT LIMIT TIME OR PLACE OF ENTRANCE BY SUCH PEOPLE AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT EXCEPT AS REQUESTED BY THE TENANT OR LAWFUL OCCUPANT. 5. PROHIBITIONS. A. NO FORM OF LOCATION TRACKING, INCLUDING BUT NOT LIMITED TO SATELLITE LOCATION BASED SERVICES, SHALL BE INCLUDED IN ANY EQUIPMENT, KEY, OR SOFTWARE PROVIDED TO USERS AS PART OF A SMART ACCESS SYSTEM. B.
IT SHALL BE PROHIBITED TO COLLECT THROUGH A SMART ACCESS SYSTEM THE LIKENESS OF A MINOR OCCUPANT, INFORMATION ON THE RELATIONSHIP STATUS OF TENANTS OR LAWFUL OCCUPANTS AND THEIR GUESTS, OR TO USE A SMART ACCESS SYSTEM TO COLLECT OR TRACK INFORMATION ABOUT THE FREQUENCY AND TIME OF USE OF SUCH SYSTEM BY A TENANT OR LAWFUL OCCUPANT AND THEIR GUESTS TO HARASS OR EVICT A TENANT OR LAWFUL OCCUPANT OR FOR ANY OTHER PURPOSE NOT EXPRESSLY RELATED TO THE OPERATION OF THE SMART ACCESS SYSTEM. C. INFORMATION THAT IS ACQUIRED VIA THE USE OF A SMART ACCESS SYSTEM SHALL NOT BE USED FOR ANY PURPOSES OTHER THAN GRANTING ACCESS TO AND MONITORING BUILDING ENTRANCES AND SHALL NOT BE USED AS THE BASIS OR SUPPORT FOR AN ACTION TO EVICT A LESSEE, TENANT, OR LAWFUL OCCUPANT, OR AN ADMINISTRATIVE HEARING SEEKING A CHANGE IN REGULATORY COVERAGE FOR AN INDIVIDUAL OR UNIT. HOWEVER, A TENANT OR LAWFUL OCCUPANT MAY AUTHORIZE THEIR INFORMATION TO BE USED BY A THIRD PARTY, BUT SUCH A REQUEST SHALL CLEARLY STATE WHO WILL HAVE ACCESS TO SUCH INFORMATION, FOR WHAT PURPOSE IT WILL BE USED, AND THE PRIVACY POLICIES WHICH WILL PROTECT THEIR INFORMATION. UNDER NO CIRCUMSTANCES SHALL A LEASE OR A RENEWAL BE CONTINGENT UPON AUTHORIZING SUCH USE. SMART ACCESS SYSTEMS MAY USE THIRD-PARTY SERVICES TO THE EXTENT REQUIRED TO MAINTAIN AND OPERATE SYSTEM INFRASTRUCTURE, INCLUDING CLOUD-BASED HOSTING AND STORAGE. THE PROVIDER OR PROVIDERS OF THIRD-PARTY INFRASTRUCTURE SERVICES SHALL MEET OR EXCEED THE PRIVACY PROTECTIONS SET FORTH IN THIS SECTION AND SHALL BE SUBJECT TO THE SAME LIABILITY FOR BREACH OF ANY OF THE REQUIREMENTS OF THIS SECTION. D. INFORMATION AND DATA COLLECTED SHALL NOT BE MADE AVAILABLE TO ANY THIRD PARTY, UNLESS AUTHORIZED AS DESCRIBED IN PARAGRAPH C OF THIS SUBDIVISION, INCLUDING BUT NOT LIMITED TO LAW ENFORCEMENT, EXCEPT UPON A GRAND JURY SUBPOENA OR A COURT ORDERED WARRANT, SUBPOENA, OR OTHER AUTHORIZED COURT ORDERED PROCESS. 6. STORAGE OF INFORMATION.
ANY INFORMATION OR DATA COLLECTED SHALL BE STORED IN A SECURE MANNER TO PREVENT UNAUTHORIZED ACCESS BY BOTH EMPLOYEES AND CONTRACTORS AND THOSE UNAFFILIATED WITH THE OWNER OR THEIR AGENTS, EXCEPT AS OTHERWISE PROVIDED IN THIS SECTION. FUTURE OR CONTINUING TENANCY SHALL NOT BE CONDITIONED UPON CONSENTING TO THE USE OF A SMART ACCESS SYSTEM. 7. SOFTWARE ISSUES. WHENEVER A COMPANY THAT PRODUCES, MAKES AVAILABLE OR INSTALLS SMART ACCESS SYSTEMS DISCOVERS A SECURITY BREACH OR CRITICAL SECURITY VULNERABILITY IN THEIR SOFTWARE, SUCH COMPANY SHALL NOTIFY CUSTOMERS OF SUCH VULNERABILITY WITHIN A REASONABLE TIME OF DISCOVERY BUT NO LATER THAN TWENTY-FOUR HOURS AFTER DISCOVERY AND SHALL MAKE SOFTWARE UPDATES AVAILABLE AND TAKE ANY OTHER ACTION AS MAY BE NECESSARY TO REPAIR THE VULNERABILITY WITHIN A REASONABLE TIME, BUT NOT LONGER THAN THIRTY DAYS AFTER DISCOVERY. SMART ACCESS SYSTEMS AND VENDORS SHALL IMPLEMENT AND MAINTAIN REASONABLE SECURITY PROCEDURES AND PRACTICES APPROPRIATE TO THE NATURE OF THE INFORMATION COLLECTED. IN THE EVENT THAT A SECURITY BREACH OR CRITICAL SECURITY VULNERABILITY THAT PERTAINS TO THE EMBEDDED SOFTWARE OR FIRMWARE ON THE SMART ACCESS SYSTEMS IS DISCOVERED, SMART ACCESS SYSTEMS AND THEIR VENDORS SHALL: A. BE ABLE TO CREATE UPDATES TO THE FIRMWARE TO CORRECT THE VULNERABILITIES; B. CONTRACTUALLY COMMIT TO CUSTOMERS THAT THE SMART ACCESS SYSTEM OR VENDOR WILL CREATE UPDATES TO THE EMBEDDED SOFTWARE OR FIRMWARE TO REMEDY THE VULNERABILITIES; AND C. MAKE SUCH SECURITY-RELATED SOFTWARE OR FIRMWARE UPDATES AVAILABLE FOR FREE TO CUSTOMERS FOR THE DURATION OF THE CONTRACT BETWEEN THE BUILDING AND SMART ACCESS SYSTEMS. 8. WAIVER OF RIGHTS; VOID. ANY AGREEMENT BY A LESSEE OR TENANT OF A DWELLING WAIVING OR MODIFYING THEIR RIGHTS AS SET FORTH IN THIS SECTION SHALL BE VOID AS CONTRARY TO PUBLIC POLICY. 9. PENALTIES. A. A PERSON WHO VIOLATES THIS SECTION SHALL BE SUBJECT TO A CIVIL PENALTY OF NOT MORE THAN FIVE THOUSAND DOLLARS FOR EACH VIOLATION.
THE ATTORNEY GENERAL MAY BRING AN ACTION TO RECOVER THE CIVIL PENALTY. B. WHERE AN OWNER OR THEIR AGENT USES A SMART ACCESS SYSTEM TO HARASS OR OTHERWISE DEPRIVE A TENANT OR LAWFUL OCCUPANT OF ANY RIGHTS AVAILABLE UNDER LAW, SUCH OWNER OR AGENT SHALL BE SUBJECT TO A CIVIL PENALTY OF TEN THOUSAND DOLLARS FOR EACH VIOLATION. C. FOR PURPOSES OF THIS SUBDIVISION, EACH DAY THE VIOLATION OCCURS SHALL BE CONSIDERED A SEPARATE VIOLATION. 10. RENT REGULATED DWELLINGS. INSTALLATION OF A SMART ACCESS SYSTEM PURSUANT TO THIS SECTION IN A DWELLING SUBJECT TO THE EMERGENCY TENANT PROTECTION ACT OF NINETEEN HUNDRED SEVENTY-FOUR, THE EMERGENCY HOUSING RENT CONTROL LAW, THE LOCAL EMERGENCY HOUSING RENT CONTROL ACT, OR THE RENT STABILIZATION LAW OF NINETEEN HUNDRED SIXTY-NINE SHALL CONSTITUTE A MODIFICATION OF SERVICES REQUIRING THE OWNER OF SUCH DWELLING OR THEIR AGENT TO APPLY TO THE DIVISION OF HOUSING AND COMMUNITY RENEWAL FOR APPROVAL BEFORE PERFORMING SUCH INSTALLATION. SUCH INSTALLATION SHALL NOT QUALIFY AS A BASIS FOR RENT REDUCTION. 11. EXEMPTIONS. A. NOTHING HEREIN SHALL APPLY TO MULTIPLE DWELLINGS OWNED OR MANAGED BY AN ENTITY SUBJECT TO 42 U.S.C. § 1437 ET SEQ., OR ANY OF ITS SUBSIDIARIES. B. NOTHING IN THIS SECTION SHALL LIMIT THE AUTHORITY OF THE DIVISION OF HOUSING AND COMMUNITY RENEWAL TO IMPOSE ADDITIONAL REQUIREMENTS REGARDING SMART ACCESS SYSTEMS INSTALLED IN MULTIPLE DWELLINGS FOR WHICH THE DIVISION IS REQUIRED TO APPROVE SUBSTITUTIONS OR MODIFICATIONS OF SERVICES. § 2. The multiple residence law is amended by adding a new section 130-a to read as follows: § 130-A. ELECTRONIC OR COMPUTERIZED ENTRY SYSTEMS. 1. DEFINITIONS. FOR THE PURPOSES OF THIS SECTION, THE FOLLOWING TERMS SHALL HAVE THE FOLLOWING MEANINGS: (A) "ACCOUNT INFORMATION" MEANS INFORMATION THAT IS USED TO GRANT A USER ENTRY OR ACCESS TO ANY ONLINE TOOLS THAT ARE USED TO MANAGE USER ACCOUNTS RELATED TO A SMART ACCESS SYSTEM.
(B) "AUTHENTICATION DATA" MEANS DATA GENERATED OR COLLECTED AT THE POINT OF AUTHENTICATION IN CONNECTION WITH GRANTING A USER ENTRY TO A MULTIPLE DWELLING, DWELLING UNIT OF SUCH BUILDING, OR COMMON AREA OF SUCH BUILDING THROUGH A SMART ACCESS SYSTEM, EXCEPT THAT IT SHALL NOT INCLUDE DATA GENERATED THROUGH OR COLLECTED BY A VIDEO OR CAMERA SYSTEM THAT IS USED TO MONITOR ENTRANCES BUT NOT TO GRANT ENTRY. (C) "BIOMETRIC IDENTIFIER INFORMATION" MEANS A PHYSIOLOGICAL, BIOLOGICAL OR BEHAVIORAL CHARACTERISTIC THAT IS USED TO IDENTIFY, OR ASSIST IN IDENTIFYING, AN INDIVIDUAL, INCLUDING, BUT NOT LIMITED TO: (I) A RETINA OR IRIS SCAN, (II) A FINGERPRINT, (III) A VOICEPRINT, (IV) A SCAN OR RECORD OF A PALM, HAND, OR FACE GEOMETRY, (V) GAIT OR MOVEMENT PATTERNS, OR (VI) ANY OTHER SIMILAR IDENTIFYING CHARACTERISTIC THAT CAN BE USED ALONE OR IN COMBINATION WITH EACH OTHER, OR WITH OTHER INFORMATION, TO ESTABLISH INDIVIDUAL IDENTITY. (D) "CRITICAL SECURITY VULNERABILITY" MEANS A SECURITY VULNERABILITY THAT HAS A SIGNIFICANT RISK OF RESULTING IN AN UNAUTHORIZED ACCESS TO AN AREA SECURED BY A SMART ACCESS SYSTEM. (E) "REFERENCE DATA" MEANS INFORMATION AGAINST WHICH AUTHENTICATION DATA IS VERIFIED AT A POINT OF AUTHENTICATION BY A SMART ACCESS SYSTEM IN ORDER TO GRANT A USER ENTRY TO A MULTIPLE DWELLING, DWELLING UNIT OF SUCH BUILDING, OR COMMON AREA OF SUCH BUILDING. (F) "SECURITY BREACH" MEANS ANY INCIDENT THAT RESULTS IN UNAUTHORIZED ACCESS OF DATA, APPLICATIONS, SERVICES, NETWORKS OR DEVICES BY BYPASSING UNDERLYING SECURITY MECHANISMS. A "SECURITY BREACH" OCCURS WHEN AN INDIVIDUAL OR AN APPLICATION ILLEGITIMATELY ENTERS A PRIVATE, CONFIDENTIAL OR UNAUTHORIZED LOGICAL INFORMATION TECHNOLOGY PERIMETER.
(G) "SMART ACCESS SYSTEM" MEANS ANY SYSTEM THAT USES ELECTRONIC OR COMPUTERIZED TECHNOLOGY, A RADIO FREQUENCY IDENTIFICATION CARD, A MOBILE PHONE APPLICATION, BIOMETRIC IDENTIFIER INFORMATION, OR ANY OTHER DIGITAL TECHNOLOGY IN ORDER TO GRANT ACCESS TO A MULTIPLE DWELLING, COMMON AREAS IN SUCH MULTIPLE DWELLING, OR TO AN INDIVIDUAL DWELLING UNIT IN SUCH MULTIPLE DWELLING. (H) "THIRD PARTY" MEANS AN ENTITY THAT INSTALLS, OPERATES OR OTHERWISE DIRECTLY SUPPORTS A SMART ACCESS SYSTEM, AND HAS ONGOING ACCESS TO USER DATA, EXCLUDING ANY ENTITY THAT SOLELY HOSTS SUCH DATA. (I) "USER" MEANS A TENANT OR LAWFUL OCCUPANT OF A MULTIPLE DWELLING, AND ANY PERSON A TENANT OR LAWFUL OCCUPANT HAS REQUESTED, IN WRITING OR THROUGH A MOBILE APPLICATION, BE GRANTED ACCESS TO SUCH TENANT OR LAWFUL OCCUPANT'S DWELLING UNIT AND SUCH BUILDING'S SMART ACCESS SYSTEM. 2. ENTRY. (A) WHERE AN OWNER INSTALLS OR PLANS TO INSTALL A SMART ACCESS SYSTEM ON ANY ENTRANCE FROM THE STREET, PASSAGEWAY, COURT, YARD, CELLAR, OR OTHER COMMON AREA OF A MULTIPLE DWELLING, SUCH SYSTEM SHALL NOT RELY SOLELY ON A WEB-BASED APPLICATION TO FACILITATE ENTRANCE BUT SHALL ALSO INCLUDE A KEY FOB, KEY CARD, DIGITAL KEY OR PASSCODE FOR TENANT USE. (B) OWNERS MAY PROVIDE VARIOUS METHODS OF ENTRY INTO INDIVIDUAL APARTMENTS INCLUDING A MECHANICAL KEY OR A SMART ACCESS SYSTEM OF A KEY FOB, KEY CARD OR DIGITAL KEY, PROVIDED, HOWEVER THAT SUCH SMART ACCESS SYSTEM SHALL NOT RELY SOLELY ON A WEB-BASED APPLICATION. (C) NOTWITHSTANDING PARAGRAPH (A) OR (B) OF THIS SUBDIVISION, OWNERS SHALL PROVIDE A NON-ELECTRONIC MEANS OF ENTRY WHERE REQUESTED BY THE TENANT OR LAWFUL OCCUPANT DUE TO A RELIGIOUS PREFERENCE. (D) ALL LAWFUL TENANTS AND LAWFUL OCCUPANTS SHALL BE PROVIDED WITH A KEY, KEY FOB, DIGITAL KEY OR KEY CARD AT NO COST TO SUCH TENANTS AND LAWFUL OCCUPANTS.
THE TERM "LAWFUL OCCUPANTS" SHALL INCLUDE CHILDREN UNDER THE AGE OF EIGHTEEN WHO SHALL BE ISSUED A KEY, KEY FOB, DIGITAL KEYS OR KEY CARD IF A PARENT OR GUARDIAN REQUESTS SUCH CHILD BE PROVIDED WITH ONE. TENANTS AND LAWFUL OCCUPANTS MAY ALSO RECEIVE UP TO FOUR ADDITIONAL KEYS, KEY FOBS, DIGITAL KEYS OR KEY CARDS AT NO COST TO THE TENANT OR LAWFUL OCCUPANT FOR EMPLOYEES OR GUESTS. THE TERM "GUESTS" SHALL INCLUDE FAMILY MEMBERS AND FRIENDS WHO CAN REASONABLY BE EXPECTED TO VISIT ON A REGULAR BASIS OR VISIT AS NEEDED TO CARE FOR THE TENANT, LAWFUL OCCUPANT, OR THE DWELLING UNIT IF THE TENANT OR LAWFUL OCCUPANT IS AWAY. EMPLOYEES, INCLUDING CONTRACTORS, PROFESSIONAL CAREGIVERS OR OTHER SERVICES PROVIDERS, MAY HAVE AN EXPIRATION DATE PLACED ON THEIR KEY, KEY CARD, DIGITAL KEY OR KEY FOB, WHICH MAY BE EXTENDED UPON THE TENANT OR LAWFUL OCCUPANT'S REQUEST. TENANTS OR LAWFUL OCCUPANTS MAY REQUEST A NEW OR REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR KEY CARD AT ANY TIME THROUGHOUT THE COURSE OF THE TENANCY. THE OWNER OR THEIR AGENT SHALL PROVIDE THE FIRST REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR KEY CARD TO THE TENANT OR LAWFUL OCCUPANT FREE OF CHARGE. THE COST OF SECOND AND SUBSEQUENT REPLACEMENT CARDS SHALL NOT BE MORE THAN WHAT THE OWNER PAID FOR THE REPLACEMENT UP TO AND NOT EXCEEDING TWENTY-FIVE DOLLARS. (E) THE OWNER SHALL NOT SET LIMITS ON THE NUMBER OF KEYS, KEY FOBS, DIGITAL KEYS OR KEY CARDS A TENANT OR LAWFUL OCCUPANT MAY REQUEST. (F) ANY DOOR THAT HAS A SMART ACCESS SYSTEM SHALL HAVE BACKUP POWER OR AN ALTERNATIVE MEANS OF ENTRY TO ENSURE THAT THE ENTRY SYSTEM CONTINUES TO OPERATE DURING A POWER OUTAGE. AN OWNER, OR THEIR AGENT, SHALL ROUTINELY INSPECT THE BACKUP POWER AND SHALL REPLACE ACCORDING TO SYSTEM SPECIFICATIONS. OWNERS OR THEIR AGENTS SHALL PROVIDE TENANTS AND LAWFUL OCCUPANTS WITH INFORMATION ABOUT WHOM TO CONTACT IN THE EVENT THAT THE TENANT, LAWFUL OCCUPANT OR THE TENANT'S OR LAWFUL OCCUPANT'S CHILDREN, GUESTS OR EMPLOYEES BECOME LOCKED OUT. 3. NOTICE. OWNERS OR THEIR AGENTS SHALL PROVIDE NOTICE TO A TENANT OR LAWFUL OCCUPANT AT THE TIME THE TENANT OR LAWFUL OCCUPANT SIGNS THE LEASE, OR WHEN THE SMART ACCESS SYSTEM IS INSTALLED, OF THE PROVISIONS OF SUBDIVISION TWO OF THIS SECTION. 4. DATA COLLECTION. (A) IF A SMART ACCESS SYSTEM IS UTILIZED TO GAIN ENTRANCE TO A MULTIPLE DWELLING, THE ONLY REFERENCE, AUTHENTICATION, AND ACCOUNT INFORMATION GATHERED BY ANY SMART ACCESS SYSTEM SHALL BE LIMITED TO ACCOUNT INFORMATION NECESSARY TO ENABLE THE USE OF SUCH SMART ACCESS SYSTEM, OR REFERENCE DATA, INCLUDING THE USER'S NAME, DWELLING UNIT NUMBER AND OTHER DOORS OR COMMON AREAS TO WHICH THE USER HAS ACCESS, THE PREFERRED METHOD OF CONTACT FOR SUCH USER, INFORMATION USED TO GRANT A USER ENTRY OR TO ACCESS ANY ONLINE TOOLS USED TO MANAGE USER ACCOUNTS RELATED TO SUCH BUILDING, LEASE INFORMATION INCLUDING MOVE-IN AND, IF AVAILABLE MOVE-OUT DATES, AND AUTHENTICATION DATA SUCH AS TIME AND METHOD OF ACCESS FOR SECURITY PURPOSES AND A PHOTOGRAPH OF ACCESS EVENTS FOR SECURITY PURPOSES. FOR SMART ACCESS SYSTEMS THAT RELY ON THE COLLECTION OF BIOMETRIC DATA AND WHICH HAVE ALREADY BEEN INSTALLED AT THE TIME THIS SECTION SHALL HAVE BECOME A LAW, BIOMETRIC IDENTIFIER INFORMATION MAY BE COLLECTED PURSUANT TO THIS SECTION IN ORDER TO REGISTER A USER FOR A SMART ACCESS SYSTEM. NO NEW SMART ACCESS SYSTEMS THAT RELY ON THE COLLECTION OF BIOMETRIC DATA SHALL BE INSTALLED IN MULTIPLE DWELLINGS FOR THREE YEARS AFTER THE EFFECTIVE DATE OF THIS SECTION. (I) THE OWNER OF THE MULTIPLE DWELLING SHALL COLLECT ONLY THE MINIMUM DATA REQUIRED BY THE TECHNOLOGY USED IN THE SMART ACCESS SYSTEM TO EFFECTUATE SUCH ENTRANCE AND PROTECT THE PRIVACY AND SECURITY OF SUCH USERS.
(II) THE OWNER OR AGENT OF THE OWNER SHALL NOT REQUEST OR RETAIN, IN ANY FORM, THE SOCIAL SECURITY NUMBER OF ANY TENANT OR LAWFUL OCCUPANT AS A CONDITION OF USE OF THE SMART ACCESS SYSTEM. (III) THE OWNER, AGENT OF THE OWNER, OR THE VENDOR OF A SMART ACCESS SYSTEM ON BEHALF OF THE OWNER MAY RECORD EACH TIME A KEY FOB, KEY CARD, DIGITAL KEY OR PASSCODE IS USED TO ENTER THE BUILDING, BUT SHALL NOT RECORD ANY DEPARTURES. (IV) A COPY OF SUCH DATA MAY BE RETAINED FOR REFERENCE AT THE POINT OF AUTHENTICATION BY THE SMART ACCESS SYSTEM. SUCH REFERENCE DATA SHALL BE RETAINED ONLY FOR TENANTS OR LAWFUL OCCUPANTS OR THOSE AUTHORIZED BY THE TENANT, LAWFUL OCCUPANT, OR OWNER OF THE MULTIPLE DWELLING. (V) THE OWNER OF THE MULTIPLE DWELLING OR ANY THIRD PARTY SHALL DESTROY OR ANONYMIZE AUTHENTICATION DATA COLLECTED FROM OR GENERATED BY SUCH SMART ACCESS SYSTEM WITHIN A REASONABLE TIME, BUT NOT LATER THAN NINETY DAYS AFTER THE DATE COLLECTED. (VI) REFERENCE DATA FOR A USER SHALL BE DESTROYED OR ANONYMIZED WITHIN NINETY DAYS OF (1) THE TENANT OR LAWFUL OCCUPANT PERMANENTLY VACATING THE DWELLING, OR (2) A REQUEST BY THE TENANT OR LAWFUL OCCUPANT TO WITHDRAW AUTHORIZATION FOR THOSE PREVIOUSLY AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT. (B) (I) AN ENTITY SHALL NOT CAPTURE BIOMETRIC IDENTIFIER INFORMATION OF AN INDIVIDUAL TO GAIN ENTRANCE TO A MULTIPLE DWELLING UNLESS THE PERSON IS A TENANT OR LAWFUL OCCUPANT OR A PERSON AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT, AND INFORMS THE INDIVIDUAL BEFORE CAPTURING THE BIOMETRIC IDENTIFIER INFORMATION; AND RECEIVES THEIR EXPRESS CONSENT TO CAPTURE THE BIOMETRIC IDENTIFIER INFORMATION.
(II) ANY ENTITY THAT POSSESSES BIOMETRIC IDENTIFIER INFORMATION OF AN INDIVIDUAL THAT IS CAPTURED TO GAIN ENTRANCE TO A MULTIPLE DWELLING: (1) SHALL NOT SELL, LEASE OR OTHERWISE DISCLOSE THE BIOMETRIC IDENTIFIER INFORMATION TO ANOTHER PERSON UNLESS PURSUANT TO ANY LAW, GRAND JURY SUBPOENA OR COURT ORDERED WARRANT, SUBPOENA, OR OTHER AUTHORIZED COURT ORDERED PROCESS. (2) SHALL STORE, TRANSMIT AND PROTECT FROM DISCLOSURE THE BIOMETRIC IDENTIFIER INFORMATION USING REASONABLE CARE AND IN A MANNER THAT IS THE SAME AS OR MORE PROTECTIVE THAN THE MANNER IN WHICH THE PERSON STORES, TRANSMITS AND PROTECTS CONFIDENTIAL INFORMATION THE PERSON POSSESSES; AND (3) SHALL DESTROY THE BIOMETRIC IDENTIFIER INFORMATION WITHIN A REASONABLE TIME, BUT NOT LATER THAN FORTY-EIGHT HOURS AFTER THE DATE COLLECTED, EXCEPT FOR REFERENCE DATA. IF ANY PROHIBITED INFORMATION IS COLLECTED, SUCH AS THE LIKENESS OF A MINOR OR A NON-TENANT, THE INFORMATION SHALL BE DESTROYED IMMEDIATELY. (C) THE OWNER OF THE MULTIPLE DWELLING, OR THE MANAGING AGENT, SHALL DEVELOP AND PROVIDE TO TENANTS AND LAWFUL OCCUPANTS WRITTEN PROCEDURES WHICH DESCRIBE THE PROCESS USED TO ADD PERSONS AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT TO THE SMART ACCESS SYSTEM ON A TEMPORARY OR PERMANENT BASIS, SUCH AS VISITORS, CHILDREN, THEIR EMPLOYEES, AND CAREGIVERS TO SUCH BUILDING. (I) THE PROCEDURES SHALL CLEARLY ESTABLISH THE OWNER'S RETENTION SCHEDULE AND GUIDELINES FOR PERMANENTLY DESTROYING OR ANONYMIZING THE DATA COLLECTED. (II) THE PROCEDURES SHALL NOT LIMIT TIME OR PLACE OF ENTRANCE BY SUCH PEOPLE AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT EXCEPT AS REQUESTED BY THE TENANT OR LAWFUL OCCUPANT. 5. PROHIBITIONS. (A) NO FORM OF LOCATION TRACKING, INCLUDING BUT NOT LIMITED TO SATELLITE LOCATION BASED SERVICES, SHALL BE INCLUDED IN ANY EQUIPMENT, KEY, OR SOFTWARE PROVIDED TO USERS AS PART OF A SMART ACCESS SYSTEM.
(B) IT SHALL BE PROHIBITED TO COLLECT THROUGH A SMART ACCESS SYSTEM THE LIKENESS OF A MINOR OCCUPANT, INFORMATION ON THE RELATIONSHIP STATUS OF TENANTS OR LAWFUL OCCUPANTS AND THEIR GUESTS, OR TO USE A SMART ACCESS SYSTEM TO COLLECT OR TRACK INFORMATION ABOUT THE FREQUENCY AND TIME OF USE OF SUCH SYSTEM BY A TENANT OR LAWFUL OCCUPANT AND THEIR GUESTS TO HARASS OR EVICT A TENANT OR LAWFUL OCCUPANT OR FOR ANY OTHER PURPOSE NOT EXPRESSLY RELATED TO THE OPERATION OF THE SMART ACCESS SYSTEM. (C) INFORMATION THAT IS ACQUIRED VIA THE USE OF A SMART ACCESS SYSTEM SHALL NOT BE USED FOR ANY PURPOSES OTHER THAN GRANTING ACCESS TO AND MONITORING BUILDING ENTRANCES AND SHALL NOT BE USED AS THE BASIS OR SUPPORT FOR AN ACTION TO EVICT A LESSEE, TENANT, OR LAWFUL OCCUPANT, OR AN ADMINISTRATIVE HEARING SEEKING A CHANGE IN REGULATORY COVERAGE FOR AN INDIVIDUAL OR UNIT. HOWEVER, A TENANT OR LAWFUL OCCUPANT MAY AUTHORIZE THEIR INFORMATION TO BE USED BY A THIRD PARTY, BUT SUCH A REQUEST SHALL CLEARLY STATE WHO WILL HAVE ACCESS TO SUCH INFORMATION, FOR WHAT PURPOSE IT WILL BE USED, AND THE PRIVACY POLICIES WHICH WILL PROTECT THEIR INFORMATION. UNDER NO CIRCUMSTANCES SHALL A LEASE OR A RENEWAL BE CONTINGENT UPON AUTHORIZING SUCH USE. SMART ACCESS SYSTEMS MAY USE THIRD-PARTY SERVICES TO THE EXTENT REQUIRED TO MAINTAIN AND OPERATE SYSTEM INFRASTRUCTURE, INCLUDING CLOUD-BASED HOSTING AND STORAGE. THE PROVIDER OR PROVIDERS OF THIRD-PARTY INFRASTRUCTURE SERVICES SHALL MEET OR EXCEED THE PRIVACY PROTECTIONS SET FORTH IN THIS SECTION AND SHALL BE SUBJECT TO THE SAME LIABILITY FOR BREACH OF ANY OF THE REQUIREMENTS OF THIS SECTION. (D) INFORMATION AND DATA COLLECTED SHALL NOT BE MADE AVAILABLE TO ANY THIRD PARTY, UNLESS AUTHORIZED AS DESCRIBED IN PARAGRAPH (C) OF THIS SUBDIVISION, INCLUDING BUT NOT LIMITED TO LAW ENFORCEMENT, EXCEPT UPON A GRAND JURY SUBPOENA OR A COURT ORDERED WARRANT, SUBPOENA, OR OTHER AUTHORIZED COURT ORDERED PROCESS. 6. STORAGE OF INFORMATION.
ANY INFORMATION OR DATA COLLECTED SHALL BE STORED IN A SECURE MANNER TO PREVENT UNAUTHORIZED ACCESS BY BOTH EMPLOYEES AND CONTRACTORS AND THOSE UNAFFILIATED WITH THE OWNER OR THEIR AGENTS, EXCEPT AS OTHERWISE PROVIDED IN THIS SECTION. FUTURE OR CONTINUING TENANCY SHALL NOT BE CONDITIONED UPON CONSENTING TO THE USE OF A SMART ACCESS SYSTEM. 7. SOFTWARE ISSUES. WHENEVER A COMPANY THAT PRODUCES, MAKES AVAILABLE OR INSTALLS SMART ACCESS SYSTEMS DISCOVERS A SECURITY BREACH OR CRITICAL SECURITY VULNERABILITY IN THEIR SOFTWARE, SUCH COMPANY SHALL NOTIFY CUSTOMERS OF SUCH VULNERABILITY WITHIN A REASONABLE TIME OF DISCOVERY BUT NO LATER THAN TWENTY-FOUR HOURS AFTER DISCOVERY AND SHALL MAKE SOFTWARE UPDATES AVAILABLE AND TAKE ANY OTHER ACTION AS MAY BE NECESSARY TO REPAIR THE VULNERABILITY WITHIN A REASONABLE TIME, BUT NOT LONGER THAN THIRTY DAYS AFTER DISCOVERY. SMART ACCESS SYSTEMS AND VENDORS SHALL IMPLEMENT AND MAINTAIN REASONABLE SECURITY PROCEDURES AND PRACTICES APPROPRIATE TO THE NATURE OF THE INFORMATION COLLECTED. IN THE EVENT THAT A SECURITY BREACH OR CRITICAL SECURITY VULNERABILITY THAT PERTAINS TO THE EMBEDDED SOFTWARE OR FIRMWARE ON THE SMART ACCESS SYSTEMS IS DISCOVERED, SMART ACCESS SYSTEMS AND THEIR VENDORS SHALL: (A) BE ABLE TO CREATE UPDATES TO THE FIRMWARE TO CORRECT THE VULNERABILITIES; (B) CONTRACTUALLY COMMIT TO CUSTOMERS THAT THE SMART ACCESS SYSTEM OR VENDOR WILL CREATE UPDATES TO THE EMBEDDED SOFTWARE OR FIRMWARE TO REMEDY THE VULNERABILITIES; AND (C) MAKE SUCH SECURITY-RELATED SOFTWARE OR FIRMWARE UPDATES AVAILABLE FOR FREE TO CUSTOMERS FOR THE DURATION OF THE CONTRACT BETWEEN THE BUILDING AND SMART ACCESS SYSTEMS. 8. WAIVER OF RIGHTS; VOID. ANY AGREEMENT BY A LESSEE OR TENANT OF A DWELLING WAIVING OR MODIFYING THEIR RIGHTS AS SET FORTH IN THIS SECTION SHALL BE VOID AS CONTRARY TO PUBLIC POLICY. 9. PENALTIES.
(A) A PERSON WHO VIOLATES THIS SECTION SHALL BE SUBJECT TO A CIVIL PENALTY OF NOT MORE THAN FIVE THOUSAND DOLLARS FOR EACH VIOLATION. THE ATTORNEY GENERAL MAY BRING AN ACTION TO RECOVER THE CIVIL PENALTY. AN INDIVIDUAL INJURED BY A VIOLATION OF THIS SECTION MAY BRING AN ACTION TO RECOVER DAMAGES. A COURT MAY ALSO AWARD ATTORNEYS' FEES TO A PREVAILING PLAINTIFF. (B) WHERE AN OWNER OR THEIR AGENT USES A SMART ACCESS SYSTEM TO HARASS OR OTHERWISE DEPRIVE A TENANT OR LAWFUL OCCUPANT OF ANY RIGHTS AVAILABLE UNDER LAW, SUCH OWNER OR AGENT SHALL BE SUBJECT TO A CIVIL PENALTY OF TEN THOUSAND DOLLARS FOR EACH VIOLATION. (C) FOR PURPOSES OF THIS SUBDIVISION, EACH DAY THE VIOLATION OCCURS SHALL BE CONSIDERED A SEPARATE VIOLATION. 10. RENT REGULATED DWELLINGS. INSTALLATION OF A SMART ACCESS SYSTEM PURSUANT TO THIS SECTION IN A DWELLING SUBJECT TO THE EMERGENCY TENANT PROTECTION ACT OF NINETEEN HUNDRED SEVENTY-FOUR, THE EMERGENCY HOUSING RENT CONTROL LAW, THE LOCAL EMERGENCY HOUSING RENT CONTROL ACT, OR THE RENT STABILIZATION LAW OF NINETEEN HUNDRED SIXTY-NINE SHALL CONSTITUTE A MODIFICATION OF SERVICES REQUIRING THE OWNER OF SUCH DWELLING OR THEIR AGENT TO APPLY TO THE DIVISION OF HOUSING AND COMMUNITY RENEWAL FOR APPROVAL BEFORE PERFORMING SUCH INSTALLATION. SUCH INSTALLATION SHALL NOT QUALIFY AS A BASIS FOR RENT REDUCTION. 11. EXEMPTIONS. (A) NOTHING HEREIN SHALL APPLY TO MULTIPLE DWELLINGS OWNED OR MANAGED BY AN ENTITY SUBJECT TO 42 U.S.C. § 1437 ET SEQ., OR ANY OF ITS SUBSIDIARIES. (B) NOTHING IN THIS SECTION SHALL LIMIT THE AUTHORITY OF THE DIVISION OF HOUSING AND COMMUNITY RENEWAL TO IMPOSE ADDITIONAL REQUIREMENTS REGARDING SMART ACCESS SYSTEMS INSTALLED IN MULTIPLE DWELLINGS FOR WHICH THE DIVISION IS REQUIRED TO APPROVE SUBSTITUTIONS OR MODIFICATIONS OF SERVICES. § 3. Severability.
If any provision of this act, or any application of any provision of this act, is held to be invalid, that shall not affect the validity or effectiveness of any other provision of this act, or of any other application of any provision of this act, which can be given effect without that provision or application; and to that end, the provisions and applications of this act are severable. § 4. This act shall take effect on the one hundred eightieth day after it shall have become a law.
co-Sponsors
Jeffrey Dinowitz
Deborah Glick
Jo Anne Simon
Harvey Epstein
Karen McMahon
William Colton
David Weprin
Al Taylor
Steven Raga
2023-A48C - Details
2023-A48C - Bill Text
STATE OF NEW YORK
48--C Cal. No. 3
2023-2024 Regular Sessions
IN ASSEMBLY
(PREFILED) January 4, 2023
Introduced by M. of A. L. ROSENTHAL, DINOWITZ, GLICK, SIMON, EPSTEIN, McMAHON, COLTON, WEPRIN, TAYLOR, RAGA -- read once and referred to the Committee on Housing -- committee discharged, bill amended, ordered reprinted as amended and recommitted to said committee -- reported and referred to the Committee on Codes -- committee discharged, bill amended, ordered reprinted as amended and recommitted to said committee -- ordered to a third reading, amended and ordered reprinted, retaining its place on the order of third reading
AN ACT to amend the multiple dwelling law and the multiple residence law, in relation to the use of smart access systems and the information that may be gathered from such systems
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEMBLY, DO ENACT AS FOLLOWS:
Section 1. The multiple dwelling law is amended by adding a new section 50-b to read as follows: § 50-B. ELECTRONIC OR COMPUTERIZED ENTRY SYSTEMS. 1. DEFINITIONS. FOR THE PURPOSES OF THIS SECTION, THE FOLLOWING TERMS SHALL HAVE THE FOLLOWING MEANINGS: A. "ACCOUNT INFORMATION" MEANS INFORMATION THAT IS USED TO GRANT A USER ENTRY OR ACCESS TO ANY ONLINE TOOLS THAT ARE USED TO MANAGE USER ACCOUNTS RELATED TO A SMART ACCESS SYSTEM. B. "AUTHENTICATION DATA" MEANS DATA GENERATED OR COLLECTED AT THE POINT OF AUTHENTICATION IN CONNECTION WITH GRANTING A USER ENTRY TO A CLASS A MULTIPLE DWELLING, DWELLING UNIT OF SUCH BUILDING, OR COMMON AREA OF SUCH BUILDING THROUGH A SMART ACCESS SYSTEM, EXCEPT THAT IT SHALL NOT INCLUDE DATA GENERATED THROUGH OR COLLECTED BY A VIDEO OR CAMERA SYSTEM THAT IS USED TO MONITOR ENTRANCES BUT NOT TO GRANT ENTRY.
C. "BIOMETRIC IDENTIFIER INFORMATION" MEANS A PHYSIOLOGICAL, BIOLOGICAL OR BEHAVIORAL CHARACTERISTIC THAT IS USED TO IDENTIFY, OR ASSIST IN IDENTIFYING, AN INDIVIDUAL, INCLUDING, BUT NOT LIMITED TO: (I) A RETINA OR IRIS SCAN, (II) A FINGERPRINT, (III) A VOICEPRINT, (IV) A SCAN OR RECORD OF A PALM, HAND, OR FACE GEOMETRY, (V) GAIT OR MOVEMENT PATTERNS, OR (VI) ANY OTHER SIMILAR IDENTIFYING CHARACTERISTIC THAT CAN BE USED ALONE OR IN COMBINATION WITH EACH OTHER, OR WITH OTHER INFORMATION, TO ESTABLISH INDIVIDUAL IDENTITY.
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets [ ] is old law to be omitted. LBD00692-08-4
D. "CRITICAL SECURITY VULNERABILITY" MEANS A SECURITY VULNERABILITY THAT HAS A SIGNIFICANT RISK OF RESULTING IN AN UNAUTHORIZED ACCESS TO AN AREA SECURED BY A SMART ACCESS SYSTEM. E. "REFERENCE DATA" MEANS INFORMATION AGAINST WHICH AUTHENTICATION DATA IS VERIFIED AT THE POINT OF AUTHENTICATION BY A SMART ACCESS SYSTEM IN ORDER TO GRANT A USER ENTRY TO A CLASS A MULTIPLE DWELLING, DWELLING UNIT OF SUCH BUILDING, OR COMMON AREA OF SUCH BUILDING. F. "SECURITY BREACH" MEANS ANY INCIDENT THAT RESULTS IN UNAUTHORIZED ACCESS OF DATA, APPLICATIONS, SERVICES, NETWORKS OR DEVICES BY BYPASSING UNDERLYING SECURITY MECHANISMS. A "SECURITY BREACH" OCCURS WHEN AN INDIVIDUAL OR AN APPLICATION ILLEGITIMATELY ENTERS A PRIVATE, CONFIDENTIAL OR UNAUTHORIZED LOGICAL INFORMATION TECHNOLOGY PERIMETER. G. "SMART ACCESS SYSTEM" MEANS ANY SYSTEM THAT USES ELECTRONIC OR COMPUTERIZED TECHNOLOGY, A RADIO FREQUENCY IDENTIFICATION CARD, A MOBILE PHONE APPLICATION, BIOMETRIC IDENTIFIER INFORMATION, OR ANY OTHER DIGITAL TECHNOLOGY IN ORDER TO GRANT ACCESS TO A CLASS A MULTIPLE DWELLING, COMMON AREAS IN SUCH MULTIPLE DWELLING, OR TO AN INDIVIDUAL DWELLING UNIT IN SUCH MULTIPLE DWELLING. H. "THIRD PARTY" MEANS AN ENTITY THAT INSTALLS, OPERATES OR OTHERWISE DIRECTLY SUPPORTS A SMART ACCESS SYSTEM, AND HAS ONGOING ACCESS TO USER DATA, EXCLUDING ANY ENTITY THAT SOLELY HOSTS SUCH DATA.
I. "USER" MEANS A TENANT OR LAWFUL OCCUPANT OF A CLASS A MULTIPLE DWELLING, AND ANY PERSON A TENANT OR LAWFUL OCCUPANT HAS REQUESTED, IN WRITING OR THROUGH A MOBILE APPLICATION, BE GRANTED ACCESS TO SUCH TENANT OR LAWFUL OCCUPANT'S DWELLING UNIT AND SUCH BUILDING'S SMART ACCESS SYSTEM. 2. ENTRY. A. WHERE AN OWNER INSTALLS OR PLANS TO INSTALL A SMART ACCESS SYSTEM ON ANY ENTRANCE FROM THE STREET, PASSAGEWAY, COURT, YARD, CELLAR, OR OTHER COMMON AREA OF A CLASS A MULTIPLE DWELLING, SUCH SYSTEM SHALL NOT RELY SOLELY ON A WEB-BASED APPLICATION TO FACILITATE ENTRANCE BUT SHALL ALSO INCLUDE A KEY FOB, KEY CARD, DIGITAL KEY OR PASSCODE FOR TENANT USE. B. OWNERS MAY PROVIDE VARIOUS METHODS OF ENTRY INTO INDIVIDUAL APARTMENTS INCLUDING A MECHANICAL KEY OR A SMART ACCESS SYSTEM OF A KEY FOB, KEY CARD OR DIGITAL KEY, PROVIDED, HOWEVER THAT SUCH SMART ACCESS SYSTEM SHALL NOT RELY SOLELY ON A WEB-BASED APPLICATION. C. NOTWITHSTANDING PARAGRAPH A OR B OF THIS SUBDIVISION, OWNERS SHALL PROVIDE A NON-ELECTRONIC MEANS OF ENTRY WHERE REQUESTED BY THE TENANT OR LAWFUL OCCUPANT DUE TO A RELIGIOUS PREFERENCE. D. ALL LAWFUL TENANTS AND LAWFUL OCCUPANTS SHALL BE PROVIDED WITH A KEY, KEY FOB, DIGITAL KEY OR KEY CARD AT NO COST TO SUCH TENANTS AND LAWFUL OCCUPANTS. THE TERM "LAWFUL OCCUPANTS" SHALL INCLUDE CHILDREN UNDER THE AGE OF EIGHTEEN WHO SHALL BE ISSUED A KEY, KEY FOB, DIGITAL KEY OR KEY CARD IF A PARENT OR GUARDIAN REQUESTS SUCH CHILD BE PROVIDED WITH ONE. TENANTS AND LAWFUL OCCUPANTS MAY ALSO RECEIVE UP TO FOUR ADDITIONAL KEYS, KEY FOBS, DIGITAL KEYS OR KEY CARDS AT NO COST TO THE TENANT OR LAWFUL OCCUPANT FOR EMPLOYEES OR GUESTS. THE TERM "GUESTS" SHALL INCLUDE FAMILY MEMBERS AND FRIENDS WHO CAN REASONABLY BE EXPECTED TO VISIT ON A REGULAR BASIS OR VISIT AS NEEDED TO CARE FOR THE TENANT, LAWFUL OCCUPANT, OR THE DWELLING UNIT IF THE TENANT OR LAWFUL OCCUPANT IS AWAY. EMPLOYEES, INCLUDING CONTRACTORS, PROFESSIONAL CAREGIVERS OR OTHER SERVICES PROVIDERS, MAY HAVE AN EXPIRATION DATE PLACED ON THEIR KEY, KEY CARD, DIGITAL KEY OR KEY FOB, WHICH MAY BE EXTENDED UPON THE TENANT'S OR LAWFUL OCCUPANT'S REQUEST. TENANTS OR LAWFUL OCCUPANTS MAY REQUEST A NEW OR REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR KEY CARD AT ANY TIME THROUGHOUT THE COURSE OF THE TENANCY OR OCCUPANCY. THE OWNER OR THEIR AGENT SHALL PROVIDE THE FIRST REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR KEY CARD TO THE TENANT OR LAWFUL OCCUPANT FREE OF CHARGE. THE COST OF SECOND AND SUBSEQUENT REPLACEMENT CARDS SHALL NOT BE MORE THAN WHAT THE OWNER PAID FOR THE REPLACEMENT UP TO AND NOT EXCEEDING TWENTY-FIVE DOLLARS. E. THE OWNER SHALL NOT SET LIMITS ON THE NUMBER OF KEYS, KEY FOBS, DIGITAL KEYS OR KEY CARDS A TENANT OR LAWFUL OCCUPANT MAY REQUEST. F. ANY DOOR THAT HAS A SMART ACCESS SYSTEM SHALL HAVE BACKUP POWER OR AN ALTERNATIVE MEANS OF ENTRY TO ENSURE THAT THE ENTRY SYSTEM CONTINUES TO OPERATE DURING A POWER OUTAGE. AN OWNER, OR THEIR AGENT, SHALL ROUTINELY INSPECT THE BACKUP POWER AND SHALL REPLACE ACCORDING TO SYSTEM SPECIFICATIONS. OWNERS OR THEIR AGENTS SHALL PROVIDE TENANTS AND LAWFUL OCCUPANTS WITH INFORMATION ABOUT WHOM TO CONTACT IN THE EVENT THAT THE TENANT, LAWFUL OCCUPANT OR THE TENANT'S OR LAWFUL OCCUPANT'S CHILDREN, GUESTS OR EMPLOYEES BECOME LOCKED OUT. 3. NOTICE. OWNERS OR THEIR AGENTS SHALL PROVIDE NOTICE TO A TENANT OR LAWFUL OCCUPANT AT THE TIME THE TENANT OR LAWFUL OCCUPANT SIGNS THE LEASE, OR WHEN THE SMART ACCESS SYSTEM IS INSTALLED, OF THE PROVISIONS OF SUBDIVISION TWO OF THIS SECTION. 4. DATA COLLECTION. A.
IF A SMART ACCESS SYSTEM IS UTILIZED TO GAIN ENTRANCE TO A CLASS A MULTIPLE DWELLING, THE ONLY REFERENCE, AUTHENTICATION, AND ACCOUNT INFORMATION GATHERED BY ANY SMART ACCESS SYSTEM SHALL BE LIMITED TO ACCOUNT INFORMATION NECESSARY TO ENABLE THE USE OF SUCH SMART ACCESS SYSTEM, OR REFERENCE DATA, INCLUDING THE USER'S NAME, DWELLING UNIT NUMBER AND OTHER DOORS OR COMMON AREAS TO WHICH THE USER HAS ACCESS, THE PREFERRED METHOD OF CONTACT FOR SUCH USER, INFORMATION USED TO GRANT A USER ENTRY OR TO ACCESS ANY ONLINE TOOLS USED TO MANAGE USER ACCOUNTS RELATED TO SUCH BUILDING, LEASE INFORMATION INCLUDING MOVE-IN AND, IF AVAILABLE MOVE-OUT DATES, AND AUTHENTICATION DATA SUCH AS TIME AND METHOD OF ACCESS FOR SECURITY PURPOSES AND A PHOTOGRAPH OF ACCESS EVENTS FOR SECURITY PURPOSES. FOR SMART ACCESS SYSTEMS THAT RELY ON THE COLLECTION OF BIOMETRIC DATA AND WHICH HAVE ALREADY BEEN INSTALLED AT THE TIME THIS SECTION SHALL HAVE BECOME A LAW, BIOMETRIC IDENTIFIER INFORMATION MAY BE COLLECTED PURSUANT TO THIS SECTION IN ORDER TO REGISTER A USER FOR A SMART ACCESS SYSTEM. NO NEW SMART ACCESS SYSTEMS THAT RELY ON THE COLLECTION OF BIOMETRIC DATA SHALL BE INSTALLED IN CLASS A MULTIPLE DWELLINGS FOR THREE YEARS AFTER THE EFFECTIVE DATE OF THIS SECTION. (I) THE OWNER OF THE MULTIPLE DWELLING MAY COLLECT ONLY THE MINIMUM DATA REQUIRED BY THE TECHNOLOGY USED IN THE SMART ACCESS SYSTEM TO EFFECTUATE SUCH ENTRANCE AND PROTECT THE PRIVACY AND SECURITY OF SUCH USERS. (II) THE OWNER OR AGENT OF THE OWNER SHALL NOT REQUEST OR RETAIN, IN ANY FORM, THE SOCIAL SECURITY NUMBER OF ANY TENANT OR LAWFUL OCCUPANT AS A CONDITION OF USE OF THE SMART ACCESS SYSTEM. (III) THE OWNER, AGENT OF THE OWNER, OR THE VENDOR OF A SMART ACCESS SYSTEM ON BEHALF OF THE OWNER MAY RECORD EACH TIME A KEY FOB, KEY CARD, DIGITAL KEY OR PASSCODE IS USED TO ENTER THE BUILDING, BUT SHALL NOT RECORD ANY DEPARTURES.
(IV) A COPY OF SUCH DATA MAY BE RETAINED FOR REFERENCE AT THE POINT OF AUTHENTICATION BY THE SMART ACCESS SYSTEM. SUCH REFERENCE DATA SHALL BE RETAINED ONLY FOR TENANTS OR LAWFUL OCCUPANTS OR THOSE AUTHORIZED BY THE TENANT, LAWFUL OCCUPANT, OR OWNER OF THE MULTIPLE DWELLING. (V) THE OWNER OF THE MULTIPLE DWELLING OR ANY THIRD PARTY SHALL DESTROY OR ANONYMIZE AUTHENTICATION DATA COLLECTED FROM OR GENERATED BY SUCH SMART ACCESS SYSTEM WITHIN A REASONABLE TIME, BUT NOT LATER THAN NINETY DAYS AFTER THE DATE COLLECTED. (VI) REFERENCE DATA FOR A USER SHALL BE DESTROYED OR ANONYMIZED WITHIN NINETY DAYS OF (1) THE TENANT OR LAWFUL OCCUPANT PERMANENTLY VACATING THE DWELLING, OR (2) A REQUEST BY THE TENANT OR LAWFUL OCCUPANT TO WITHDRAW AUTHORIZATION FOR THOSE PREVIOUSLY AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT. B. (I) AN ENTITY SHALL NOT CAPTURE BIOMETRIC IDENTIFIER INFORMATION OF AN INDIVIDUAL TO GAIN ENTRANCE TO A CLASS A MULTIPLE DWELLING UNLESS THE PERSON IS A TENANT OR LAWFUL OCCUPANT OR A PERSON AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT, AND INFORMS THE INDIVIDUAL BEFORE CAPTURING THE BIOMETRIC IDENTIFIER INFORMATION; AND RECEIVES THEIR EXPRESS CONSENT TO CAPTURE THE BIOMETRIC IDENTIFIER INFORMATION. (II) ANY ENTITY THAT POSSESSES BIOMETRIC IDENTIFIER INFORMATION OF AN INDIVIDUAL THAT IS CAPTURED TO GAIN ENTRANCE TO A CLASS A MULTIPLE DWELLING: (1) SHALL NOT SELL, LEASE OR OTHERWISE DISCLOSE THE BIOMETRIC IDENTIFIER INFORMATION TO ANOTHER PERSON UNLESS PURSUANT TO ANY LAW, GRAND JURY SUBPOENA OR COURT ORDERED WARRANT, SUBPOENA, OR OTHER AUTHORIZED COURT ORDERED PROCESS.
(2) SHALL STORE, TRANSMIT AND PROTECT FROM DISCLOSURE THE BIOMETRIC IDENTIFIER INFORMATION USING REASONABLE CARE AND IN A MANNER THAT IS THE SAME AS OR MORE PROTECTIVE THAN THE MANNER IN WHICH THE PERSON STORES, TRANSMITS AND PROTECTS CONFIDENTIAL INFORMATION THE PERSON POSSESSES; AND (3) SHALL DESTROY THE BIOMETRIC IDENTIFIER INFORMATION WITHIN A REASONABLE TIME, BUT NOT LATER THAN FORTY-EIGHT HOURS AFTER THE DATE COLLECTED, EXCEPT FOR REFERENCE DATA. IF ANY PROHIBITED INFORMATION IS COLLECTED, SUCH AS THE LIKENESS OF A MINOR OR A NON-TENANT, THE INFORMATION SHALL BE DESTROYED IMMEDIATELY. C. THE OWNER OF THE MULTIPLE DWELLING, OR THE MANAGING AGENT, SHALL DEVELOP AND PROVIDE TO TENANTS AND LAWFUL OCCUPANTS WRITTEN PROCEDURES WHICH DESCRIBE THE PROCESS USED TO ADD PERSONS AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT TO THE SMART ACCESS SYSTEM ON A TEMPORARY OR PERMANENT BASIS, SUCH AS VISITORS, CHILDREN, THEIR EMPLOYEES, AND CAREGIVERS TO SUCH BUILDING. (I) THE PROCEDURES SHALL CLEARLY ESTABLISH THE OWNER'S RETENTION SCHEDULE AND GUIDELINES FOR PERMANENTLY DESTROYING OR ANONYMIZING THE DATA COLLECTED. (II) THE PROCEDURES SHALL NOT LIMIT TIME OR PLACE OF ENTRANCE BY SUCH PEOPLE AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT EXCEPT AS REQUESTED BY THE TENANT OR LAWFUL OCCUPANT. 5. PROHIBITIONS. A. NO FORM OF LOCATION TRACKING, INCLUDING BUT NOT LIMITED TO SATELLITE LOCATION BASED SERVICES, SHALL BE INCLUDED IN ANY EQUIPMENT, KEY, OR SOFTWARE PROVIDED TO USERS AS PART OF A SMART ACCESS SYSTEM. B. IT SHALL BE PROHIBITED TO COLLECT THROUGH A SMART ACCESS SYSTEM THE LIKENESS OF A MINOR OCCUPANT, INFORMATION ON THE RELATIONSHIP STATUS OF TENANTS OR LAWFUL OCCUPANTS AND THEIR GUESTS, OR TO USE A SMART ACCESS SYSTEM TO COLLECT OR TRACK INFORMATION ABOUT THE FREQUENCY AND TIME OF USE OF SUCH SYSTEM BY A TENANT OR LAWFUL OCCUPANT AND THEIR GUESTS TO HARASS OR EVICT A TENANT OR LAWFUL OCCUPANT OR FOR ANY OTHER PURPOSE NOT EXPRESSLY RELATED TO THE OPERATION OF THE SMART ACCESS SYSTEM.
C. INFORMATION THAT IS ACQUIRED VIA THE USE OF A SMART ACCESS SYSTEM SHALL NOT BE USED FOR ANY PURPOSES OTHER THAN GRANTING ACCESS TO AND MONITORING BUILDING ENTRANCES AND SHALL NOT BE USED AS THE BASIS OR SUPPORT FOR AN ACTION TO EVICT A LESSEE, TENANT, OR LAWFUL OCCUPANT, OR AN ADMINISTRATIVE HEARING SEEKING A CHANGE IN REGULATORY COVERAGE FOR AN INDIVIDUAL OR UNIT. HOWEVER, A TENANT OR LAWFUL OCCUPANT MAY AUTHORIZE THEIR INFORMATION TO BE USED BY A THIRD PARTY, BUT SUCH A REQUEST SHALL CLEARLY STATE WHO WILL HAVE ACCESS TO SUCH INFORMATION, FOR WHAT PURPOSE IT WILL BE USED, AND THE PRIVACY POLICIES WHICH WILL PROTECT THEIR INFORMATION. UNDER NO CIRCUMSTANCES SHALL A LEASE OR A RENEWAL BE CONTINGENT UPON AUTHORIZING SUCH USE. SMART ACCESS SYSTEMS MAY USE THIRD-PARTY SERVICES TO THE EXTENT REQUIRED TO MAINTAIN AND OPERATE SYSTEM INFRASTRUCTURE, INCLUDING CLOUD-BASED HOSTING AND STORAGE. THE PROVIDER OR PROVIDERS OF THIRD-PARTY INFRASTRUCTURE SERVICES SHALL MEET OR EXCEED THE PRIVACY PROTECTIONS SET FORTH IN THIS SECTION AND SHALL BE SUBJECT TO THE SAME LIABILITY FOR BREACH OF ANY OF THE REQUIREMENTS OF THIS SECTION. D. INFORMATION AND DATA COLLECTED SHALL NOT BE MADE AVAILABLE TO ANY THIRD PARTY, UNLESS AUTHORIZED AS DESCRIBED IN PARAGRAPH C OF THIS SUBDIVISION, INCLUDING BUT NOT LIMITED TO LAW ENFORCEMENT, EXCEPT UPON A GRAND JURY SUBPOENA OR A COURT ORDERED WARRANT, SUBPOENA, OR OTHER AUTHORIZED COURT ORDERED PROCESS. 6. STORAGE OF INFORMATION. ANY INFORMATION OR DATA COLLECTED SHALL BE STORED IN A SECURE MANNER TO PREVENT UNAUTHORIZED ACCESS BY BOTH EMPLOYEES AND CONTRACTORS AND THOSE UNAFFILIATED WITH THE OWNER OR THEIR AGENTS, EXCEPT AS OTHERWISE PROVIDED IN THIS SECTION. FUTURE OR CONTINUING TENANCY SHALL NOT BE CONDITIONED UPON CONSENTING TO THE USE OF A SMART ACCESS SYSTEM. 7. SOFTWARE ISSUES.
WHENEVER A COMPANY THAT PRODUCES, MAKES AVAILABLE OR INSTALLS SMART ACCESS SYSTEMS DISCOVERS A SECURITY BREACH OR CRITICAL SECURITY VULNERABILITY IN THEIR SOFTWARE, SUCH COMPANY SHALL NOTIFY CUSTOMERS OF SUCH VULNERABILITY WITHIN A REASONABLE TIME OF DISCOVERY BUT NO LATER THAN TWENTY-FOUR HOURS AFTER DISCOVERY AND SHALL MAKE SOFTWARE UPDATES AVAILABLE AND TAKE ANY OTHER ACTION AS MAY BE NECESSARY TO REPAIR THE VULNERABILITY WITHIN A REASONABLE TIME, BUT NOT LONGER THAN THIRTY DAYS AFTER DISCOVERY. SMART ACCESS SYSTEMS AND VENDORS SHALL IMPLEMENT AND MAINTAIN REASONABLE SECURITY PROCEDURES AND PRACTICES APPROPRIATE TO THE NATURE OF THE INFORMATION COLLECTED. IN THE EVENT THAT A SECURITY BREACH OR CRITICAL SECURITY VULNERABILITY THAT PERTAINS TO THE EMBEDDED SOFTWARE OR FIRMWARE ON THE SMART ACCESS SYSTEMS IS DISCOVERED, SMART ACCESS SYSTEMS AND THEIR VENDORS SHALL: A. BE ABLE TO CREATE UPDATES TO THE FIRMWARE TO CORRECT THE VULNERABILITIES; B. CONTRACTUALLY COMMIT TO CUSTOMERS THAT THE SMART ACCESS SYSTEM OR VENDOR WILL CREATE UPDATES TO THE EMBEDDED SOFTWARE OR FIRMWARE TO REMEDY THE VULNERABILITIES; AND C. MAKE SUCH SECURITY-RELATED SOFTWARE OR FIRMWARE UPDATES AVAILABLE FOR FREE TO CUSTOMERS FOR THE DURATION OF THE CONTRACT BETWEEN THE BUILDING AND SMART ACCESS SYSTEMS. 8. WAIVER OF RIGHTS; VOID. ANY AGREEMENT BY A LESSEE OR TENANT OF A DWELLING WAIVING OR MODIFYING THEIR RIGHTS AS SET FORTH IN THIS SECTION SHALL BE VOID AS CONTRARY TO PUBLIC POLICY. 9. PENALTIES. A. A PERSON WHO VIOLATES THIS SECTION SHALL BE SUBJECT TO A CIVIL PENALTY OF NOT MORE THAN FIVE THOUSAND DOLLARS FOR EACH VIOLATION. THE ATTORNEY GENERAL MAY BRING AN ACTION TO RECOVER THE CIVIL PENALTY. B. WHERE AN OWNER OR THEIR AGENT USES A SMART ACCESS SYSTEM TO HARASS OR OTHERWISE DEPRIVE A TENANT OR LAWFUL OCCUPANT OF ANY RIGHTS AVAILABLE UNDER LAW, SUCH OWNER OR AGENT SHALL BE SUBJECT TO A CIVIL PENALTY OF NOT MORE THAN TEN THOUSAND DOLLARS FOR EACH VIOLATION. C.
FOR PURPOSES OF THIS SUBDIVISION, EACH DAY THE VIOLATION OCCURS SHALL BE CONSIDERED A SEPARATE VIOLATION. 10. RENT REGULATED DWELLINGS. INSTALLATION OF A SMART ACCESS SYSTEM PURSUANT TO THIS SECTION IN A DWELLING SUBJECT TO THE EMERGENCY TENANT PROTECTION ACT OF NINETEEN HUNDRED SEVENTY-FOUR, THE EMERGENCY HOUSING RENT CONTROL LAW, THE LOCAL EMERGENCY HOUSING RENT CONTROL ACT, OR THE RENT STABILIZATION LAW OF NINETEEN HUNDRED SIXTY-NINE SHALL CONSTITUTE A MODIFICATION OF SERVICES REQUIRING THE OWNER OF SUCH DWELLING OR THEIR AGENT TO APPLY TO THE DIVISION OF HOUSING AND COMMUNITY RENEWAL FOR APPROVAL BEFORE PERFORMING SUCH INSTALLATION. SUCH INSTALLATION SHALL NOT QUALIFY AS A BASIS FOR RENT REDUCTION. 11. EXEMPTIONS. A. NOTHING HEREIN SHALL APPLY TO MULTIPLE DWELLINGS OWNED OR MANAGED BY AN ENTITY SUBJECT TO 42 U.S.C. § 1437 ET SEQ., OR ANY OF ITS SUBSIDIARIES. B. NOTHING IN THIS SECTION SHALL LIMIT THE AUTHORITY OF THE DIVISION OF HOUSING AND COMMUNITY RENEWAL TO IMPOSE ADDITIONAL REQUIREMENTS REGARDING SMART ACCESS SYSTEMS INSTALLED IN MULTIPLE DWELLINGS FOR WHICH THE DIVISION IS REQUIRED TO APPROVE SUBSTITUTIONS OR MODIFICATIONS OF SERVICES. § 2. The multiple residence law is amended by adding a new section 130-a to read as follows: § 130-A. ELECTRONIC OR COMPUTERIZED ENTRY SYSTEMS. 1. DEFINITIONS. FOR THE PURPOSES OF THIS SECTION, THE FOLLOWING TERMS SHALL HAVE THE FOLLOWING MEANINGS: (A) "ACCOUNT INFORMATION" MEANS INFORMATION THAT IS USED TO GRANT A USER ENTRY OR ACCESS TO ANY ONLINE TOOLS THAT ARE USED TO MANAGE USER ACCOUNTS RELATED TO A SMART ACCESS SYSTEM.
(B) "AUTHENTICATION DATA" MEANS DATA GENERATED OR COLLECTED AT THE POINT OF AUTHENTICATION IN CONNECTION WITH GRANTING A USER ENTRY TO A MULTIPLE DWELLING, DWELLING UNIT OF SUCH BUILDING, OR COMMON AREA OF SUCH BUILDING THROUGH A SMART ACCESS SYSTEM, EXCEPT THAT IT SHALL NOT INCLUDE DATA GENERATED THROUGH OR COLLECTED BY A VIDEO OR CAMERA SYSTEM THAT IS USED TO MONITOR ENTRANCES BUT NOT TO GRANT ENTRY. (C) "BIOMETRIC IDENTIFIER INFORMATION" MEANS A PHYSIOLOGICAL, BIOLOGICAL OR BEHAVIORAL CHARACTERISTIC THAT IS USED TO IDENTIFY, OR ASSIST IN IDENTIFYING, AN INDIVIDUAL, INCLUDING, BUT NOT LIMITED TO: (I) A RETINA OR IRIS SCAN, (II) A FINGERPRINT, (III) A VOICEPRINT, (IV) A SCAN OR RECORD OF A PALM, HAND, OR FACE GEOMETRY, (V) GAIT OR MOVEMENT PATTERNS, OR (VI) ANY OTHER SIMILAR IDENTIFYING CHARACTERISTIC THAT CAN BE USED ALONE OR IN COMBINATION WITH EACH OTHER, OR WITH OTHER INFORMATION, TO ESTABLISH INDIVIDUAL IDENTITY. (D) "CRITICAL SECURITY VULNERABILITY" MEANS A SECURITY VULNERABILITY THAT HAS A SIGNIFICANT RISK OF RESULTING IN AN UNAUTHORIZED ACCESS TO AN AREA SECURED BY A SMART ACCESS SYSTEM. (E) "REFERENCE DATA" MEANS INFORMATION AGAINST WHICH AUTHENTICATION DATA IS VERIFIED AT A POINT OF AUTHENTICATION BY A SMART ACCESS SYSTEM IN ORDER TO GRANT A USER ENTRY TO A MULTIPLE DWELLING, DWELLING UNIT OF SUCH BUILDING, OR COMMON AREA OF SUCH BUILDING. (F) "SECURITY BREACH" MEANS ANY INCIDENT THAT RESULTS IN UNAUTHORIZED ACCESS OF DATA, APPLICATIONS, SERVICES, NETWORKS OR DEVICES BY BYPASSING UNDERLYING SECURITY MECHANISMS. A "SECURITY BREACH" OCCURS WHEN AN INDIVIDUAL OR AN APPLICATION ILLEGITIMATELY ENTERS A PRIVATE, CONFIDENTIAL OR UNAUTHORIZED LOGICAL INFORMATION TECHNOLOGY PERIMETER.
(G) "SMART ACCESS SYSTEM" MEANS ANY SYSTEM THAT USES ELECTRONIC OR COMPUTERIZED TECHNOLOGY, A RADIO FREQUENCY IDENTIFICATION CARD, A MOBILE PHONE APPLICATION, BIOMETRIC IDENTIFIER INFORMATION, OR ANY OTHER DIGITAL TECHNOLOGY IN ORDER TO GRANT ACCESS TO A MULTIPLE DWELLING, COMMON AREAS IN SUCH MULTIPLE DWELLING, OR TO AN INDIVIDUAL DWELLING UNIT IN SUCH MULTIPLE DWELLING. (H) "THIRD PARTY" MEANS AN ENTITY THAT INSTALLS, OPERATES OR OTHERWISE DIRECTLY SUPPORTS A SMART ACCESS SYSTEM, AND HAS ONGOING ACCESS TO USER DATA, EXCLUDING ANY ENTITY THAT SOLELY HOSTS SUCH DATA. (I) "USER" MEANS A TENANT OR LAWFUL OCCUPANT OF A MULTIPLE DWELLING, AND ANY PERSON A TENANT OR LAWFUL OCCUPANT HAS REQUESTED, IN WRITING OR THROUGH A MOBILE APPLICATION, BE GRANTED ACCESS TO SUCH TENANT OR LAWFUL OCCUPANT'S DWELLING UNIT AND SUCH BUILDING'S SMART ACCESS SYSTEM. 2. ENTRY. (A) WHERE AN OWNER INSTALLS OR PLANS TO INSTALL A SMART ACCESS SYSTEM ON ANY ENTRANCE FROM THE STREET, PASSAGEWAY, COURT, YARD, CELLAR, OR OTHER COMMON AREA OF A MULTIPLE DWELLING, SUCH SYSTEM SHALL NOT RELY SOLELY ON A WEB-BASED APPLICATION TO FACILITATE ENTRANCE BUT SHALL ALSO INCLUDE A KEY FOB, KEY CARD, DIGITAL KEY OR PASSCODE FOR TENANT USE. (B) OWNERS MAY PROVIDE VARIOUS METHODS OF ENTRY INTO INDIVIDUAL APARTMENTS INCLUDING A MECHANICAL KEY OR A SMART ACCESS SYSTEM OF A KEY FOB, KEY CARD OR DIGITAL KEY, PROVIDED, HOWEVER THAT SUCH SMART ACCESS SYSTEM SHALL NOT RELY SOLELY ON A WEB-BASED APPLICATION. (C) NOTWITHSTANDING PARAGRAPH (A) OR (B) OF THIS SUBDIVISION, OWNERS SHALL PROVIDE A NON-ELECTRONIC MEANS OF ENTRY WHERE REQUESTED BY THE TENANT OR LAWFUL OCCUPANT DUE TO A RELIGIOUS PREFERENCE. (D) ALL LAWFUL TENANTS AND LAWFUL OCCUPANTS SHALL BE PROVIDED WITH A KEY, KEY FOB, DIGITAL KEY OR KEY CARD AT NO COST TO SUCH TENANTS AND LAWFUL OCCUPANTS.
THE TERM "LAWFUL OCCUPANTS" SHALL INCLUDE CHILDREN UNDER THE AGE OF EIGHTEEN WHO SHALL BE ISSUED A KEY, KEY FOB, DIGITAL KEYS OR KEY CARD IF A PARENT OR GUARDIAN REQUESTS SUCH CHILD BE PROVIDED WITH ONE. TENANTS AND LAWFUL OCCUPANTS MAY ALSO RECEIVE UP TO FOUR ADDITIONAL KEYS, KEY FOBS, DIGITAL KEYS OR KEY CARDS AT NO COST TO THE TENANT OR LAWFUL OCCUPANT FOR EMPLOYEES OR GUESTS. THE TERM "GUESTS" SHALL INCLUDE FAMILY MEMBERS AND FRIENDS WHO CAN REASONABLY BE EXPECTED TO VISIT ON A REGULAR BASIS OR VISIT AS NEEDED TO CARE FOR THE TENANT, LAWFUL OCCUPANT, OR THE DWELLING UNIT IF THE TENANT OR LAWFUL OCCUPANT IS AWAY. EMPLOYEES, INCLUDING CONTRACTORS, PROFESSIONAL CAREGIVERS OR OTHER SERVICES PROVIDERS, MAY HAVE AN EXPIRATION DATE PLACED ON THEIR KEY, KEY CARD, DIGITAL KEY OR KEY FOB, WHICH MAY BE EXTENDED UPON THE TENANT OR LAWFUL OCCUPANT'S REQUEST. TENANTS OR LAWFUL OCCUPANTS MAY REQUEST A NEW OR REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR KEY CARD AT ANY TIME THROUGHOUT THE COURSE OF THE TENANCY. THE OWNER OR THEIR AGENT SHALL PROVIDE THE FIRST REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR KEY CARD TO THE TENANT OR LAWFUL OCCUPANT FREE OF CHARGE. THE COST OF SECOND AND SUBSEQUENT REPLACEMENT CARDS SHALL NOT BE MORE THAN WHAT THE OWNER PAID FOR THE REPLACEMENT UP TO AND NOT EXCEEDING TWENTY-FIVE DOLLARS. (E) THE OWNER SHALL NOT SET LIMITS ON THE NUMBER OF KEYS, KEY FOBS, DIGITAL KEYS OR KEY CARDS A TENANT OR LAWFUL OCCUPANT MAY REQUEST. (F) ANY DOOR THAT HAS A SMART ACCESS SYSTEM SHALL HAVE BACKUP POWER OR AN ALTERNATIVE MEANS OF ENTRY TO ENSURE THAT THE ENTRY SYSTEM CONTINUES TO OPERATE DURING A POWER OUTAGE. AN OWNER, OR THEIR AGENT, SHALL ROUTINELY INSPECT THE BACKUP POWER AND SHALL REPLACE ACCORDING TO SYSTEM SPECIFICATIONS.
OWNERS OR THEIR AGENTS SHALL PROVIDE TENANTS AND LAWFUL OCCUPANTS WITH INFORMATION ABOUT WHOM TO CONTACT IN THE EVENT THAT THE TENANT, LAWFUL OCCUPANT OR THE TENANT'S OR LAWFUL OCCUPANT'S CHILDREN, GUESTS OR EMPLOYEES BECOME LOCKED OUT. 3. NOTICE. OWNERS OR THEIR AGENTS SHALL PROVIDE NOTICE TO A TENANT OR LAWFUL OCCUPANT AT THE TIME THE TENANT OR LAWFUL OCCUPANT SIGNS THE LEASE, OR WHEN THE SMART ACCESS SYSTEM IS INSTALLED, OF THE PROVISIONS OF SUBDIVISION TWO OF THIS SECTION. 4. DATA COLLECTION. (A) IF A SMART ACCESS SYSTEM IS UTILIZED TO GAIN ENTRANCE TO A MULTIPLE DWELLING, THE ONLY REFERENCE, AUTHENTICATION, AND ACCOUNT INFORMATION GATHERED BY ANY SMART ACCESS SYSTEM SHALL BE LIMITED TO ACCOUNT INFORMATION NECESSARY TO ENABLE THE USE OF SUCH SMART ACCESS SYSTEM, OR REFERENCE DATA, INCLUDING THE USER'S NAME, DWELLING UNIT NUMBER AND OTHER DOORS OR COMMON AREAS TO WHICH THE USER HAS ACCESS, THE PREFERRED METHOD OF CONTACT FOR SUCH USER, INFORMATION USED TO GRANT A USER ENTRY OR TO ACCESS ANY ONLINE TOOLS USED TO MANAGE USER ACCOUNTS RELATED TO SUCH BUILDING, LEASE INFORMATION INCLUDING MOVE-IN AND, IF AVAILABLE MOVE-OUT DATES, AND AUTHENTICATION DATA SUCH AS TIME AND METHOD OF ACCESS FOR SECURITY PURPOSES AND A PHOTOGRAPH OF ACCESS EVENTS FOR SECURITY PURPOSES. FOR SMART ACCESS SYSTEMS THAT RELY ON THE COLLECTION OF BIOMETRIC DATA AND WHICH HAVE ALREADY BEEN INSTALLED AT THE TIME THIS SECTION SHALL HAVE BECOME A LAW, BIOMETRIC IDENTIFIER INFORMATION MAY BE COLLECTED PURSUANT TO THIS SECTION IN ORDER TO REGISTER A USER FOR A SMART ACCESS SYSTEM. NO NEW SMART ACCESS SYSTEMS THAT RELY ON THE COLLECTION OF BIOMETRIC DATA SHALL BE INSTALLED IN MULTIPLE DWELLINGS FOR THREE YEARS AFTER THE EFFECTIVE DATE OF THIS SECTION. (I) THE OWNER OF THE MULTIPLE DWELLING SHALL COLLECT ONLY THE MINIMUM DATA REQUIRED BY THE TECHNOLOGY USED IN THE SMART ACCESS SYSTEM TO EFFECTUATE SUCH ENTRANCE AND PROTECT THE PRIVACY AND SECURITY OF SUCH USERS.
(II) THE OWNER OR AGENT OF THE OWNER SHALL NOT REQUEST OR RETAIN, IN ANY FORM, THE SOCIAL SECURITY NUMBER OF ANY TENANT OR LAWFUL OCCUPANT AS A CONDITION OF USE OF THE SMART ACCESS SYSTEM. (III) THE OWNER, AGENT OF THE OWNER, OR THE VENDOR OF A SMART ACCESS SYSTEM ON BEHALF OF THE OWNER MAY RECORD EACH TIME A KEY FOB, KEY CARD, DIGITAL KEY OR PASSCODE IS USED TO ENTER THE BUILDING, BUT SHALL NOT RECORD ANY DEPARTURES. (IV) A COPY OF SUCH DATA MAY BE RETAINED FOR REFERENCE AT THE POINT OF AUTHENTICATION BY THE SMART ACCESS SYSTEM. SUCH REFERENCE DATA SHALL BE RETAINED ONLY FOR TENANTS OR LAWFUL OCCUPANTS OR THOSE AUTHORIZED BY THE TENANT, LAWFUL OCCUPANT, OR OWNER OF THE MULTIPLE DWELLING. (V) THE OWNER OF THE MULTIPLE DWELLING OR ANY THIRD PARTY SHALL DESTROY OR ANONYMIZE AUTHENTICATION DATA COLLECTED FROM OR GENERATED BY SUCH SMART ACCESS SYSTEM WITHIN A REASONABLE TIME, BUT NOT LATER THAN NINETY DAYS AFTER THE DATE COLLECTED. (VI) REFERENCE DATA FOR A USER SHALL BE DESTROYED OR ANONYMIZED WITHIN NINETY DAYS OF (1) THE TENANT OR LAWFUL OCCUPANT PERMANENTLY VACATING THE DWELLING, OR (2) A REQUEST BY THE TENANT OR LAWFUL OCCUPANT TO WITHDRAW AUTHORIZATION FOR THOSE PREVIOUSLY AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT. (B) (I) AN ENTITY SHALL NOT CAPTURE BIOMETRIC IDENTIFIER INFORMATION OF AN INDIVIDUAL TO GAIN ENTRANCE TO A MULTIPLE DWELLING UNLESS THE PERSON IS A TENANT OR LAWFUL OCCUPANT OR A PERSON AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT, AND INFORMS THE INDIVIDUAL BEFORE CAPTURING THE BIOMETRIC IDENTIFIER INFORMATION; AND RECEIVES THEIR EXPRESS CONSENT TO CAPTURE THE BIOMETRIC IDENTIFIER INFORMATION.
(II) ANY ENTITY THAT POSSESSES BIOMETRIC IDENTIFIER INFORMATION OF AN INDIVIDUAL THAT IS CAPTURED TO GAIN ENTRANCE TO A MULTIPLE DWELLING: (1) SHALL NOT SELL, LEASE OR OTHERWISE DISCLOSE THE BIOMETRIC IDENTIFIER INFORMATION TO ANOTHER PERSON UNLESS PURSUANT TO ANY LAW, GRAND JURY SUBPOENA OR COURT ORDERED WARRANT, SUBPOENA, OR OTHER AUTHORIZED COURT ORDERED PROCESS. (2) SHALL STORE, TRANSMIT AND PROTECT FROM DISCLOSURE THE BIOMETRIC IDENTIFIER INFORMATION USING REASONABLE CARE AND IN A MANNER THAT IS THE SAME AS OR MORE PROTECTIVE THAN THE MANNER IN WHICH THE PERSON STORES, TRANSMITS AND PROTECTS CONFIDENTIAL INFORMATION THE PERSON POSSESSES; AND (3) SHALL DESTROY THE BIOMETRIC IDENTIFIER INFORMATION WITHIN A REASONABLE TIME, BUT NOT LATER THAN FORTY-EIGHT HOURS AFTER THE DATE COLLECTED, EXCEPT FOR REFERENCE DATA. IF ANY PROHIBITED INFORMATION IS COLLECTED, SUCH AS THE LIKENESS OF A MINOR OR A NON-TENANT, THE INFORMATION SHALL BE DESTROYED IMMEDIATELY. (C) THE OWNER OF THE MULTIPLE DWELLING, OR THE MANAGING AGENT, SHALL DEVELOP AND PROVIDE TO TENANTS AND LAWFUL OCCUPANTS WRITTEN PROCEDURES WHICH DESCRIBE THE PROCESS USED TO ADD PERSONS AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT TO THE SMART ACCESS SYSTEM ON A TEMPORARY OR PERMANENT BASIS, SUCH AS VISITORS, CHILDREN, THEIR EMPLOYEES, AND CAREGIVERS TO SUCH BUILDING. (I) THE PROCEDURES SHALL CLEARLY ESTABLISH THE OWNER'S RETENTION SCHEDULE AND GUIDELINES FOR PERMANENTLY DESTROYING OR ANONYMIZING THE DATA COLLECTED. (II) THE PROCEDURES SHALL NOT LIMIT TIME OR PLACE OF ENTRANCE BY SUCH PEOPLE AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT EXCEPT AS REQUESTED BY THE TENANT OR LAWFUL OCCUPANT. 5. PROHIBITIONS. (A) NO FORM OF LOCATION TRACKING, INCLUDING BUT NOT LIMITED TO SATELLITE LOCATION BASED SERVICES, SHALL BE INCLUDED IN ANY EQUIPMENT, KEY, OR SOFTWARE PROVIDED TO USERS AS PART OF A SMART ACCESS SYSTEM.
(B) IT SHALL BE PROHIBITED TO COLLECT THROUGH A SMART ACCESS SYSTEM THE LIKENESS OF A MINOR OCCUPANT, INFORMATION ON THE RELATIONSHIP STATUS OF TENANTS OR LAWFUL OCCUPANTS AND THEIR GUESTS, OR TO USE A SMART ACCESS SYSTEM TO COLLECT OR TRACK INFORMATION ABOUT THE FREQUENCY AND TIME OF USE OF SUCH SYSTEM BY A TENANT OR LAWFUL OCCUPANT AND THEIR GUESTS TO HARASS OR EVICT A TENANT OR LAWFUL OCCUPANT OR FOR ANY OTHER PURPOSE NOT EXPRESSLY RELATED TO THE OPERATION OF THE SMART ACCESS SYSTEM. (C) INFORMATION THAT IS ACQUIRED VIA THE USE OF A SMART ACCESS SYSTEM SHALL NOT BE USED FOR ANY PURPOSES OTHER THAN GRANTING ACCESS TO AND MONITORING BUILDING ENTRANCES AND SHALL NOT BE USED AS THE BASIS OR SUPPORT FOR AN ACTION TO EVICT A LESSEE, TENANT, OR LAWFUL OCCUPANT, OR AN ADMINISTRATIVE HEARING SEEKING A CHANGE IN REGULATORY COVERAGE FOR AN INDIVIDUAL OR UNIT. HOWEVER, A TENANT OR LAWFUL OCCUPANT MAY AUTHORIZE THEIR INFORMATION TO BE USED BY A THIRD PARTY, BUT SUCH A REQUEST SHALL CLEARLY STATE WHO WILL HAVE ACCESS TO SUCH INFORMATION, FOR WHAT PURPOSE IT WILL BE USED, AND THE PRIVACY POLICIES WHICH WILL PROTECT THEIR INFORMATION. UNDER NO CIRCUMSTANCES SHALL A LEASE OR A RENEWAL BE CONTINGENT UPON AUTHORIZING SUCH USE. SMART ACCESS SYSTEMS MAY USE THIRD-PARTY SERVICES TO THE EXTENT REQUIRED TO MAINTAIN AND OPERATE SYSTEM INFRASTRUCTURE, INCLUDING CLOUD-BASED HOSTING AND STORAGE. THE PROVIDER OR PROVIDERS OF THIRD-PARTY INFRASTRUCTURE SERVICES SHALL MEET OR EXCEED THE PRIVACY PROTECTIONS SET FORTH IN THIS SECTION AND SHALL BE SUBJECT TO THE SAME LIABILITY FOR BREACH OF ANY OF THE REQUIREMENTS OF THIS SECTION. (D) INFORMATION AND DATA COLLECTED SHALL NOT BE MADE AVAILABLE TO ANY THIRD PARTY, UNLESS AUTHORIZED AS DESCRIBED IN PARAGRAPH (C) OF THIS SUBDIVISION, INCLUDING BUT NOT LIMITED TO LAW ENFORCEMENT, EXCEPT UPON A GRAND JURY SUBPOENA OR A COURT ORDERED WARRANT, SUBPOENA, OR OTHER AUTHORIZED COURT ORDERED PROCESS. 6. STORAGE OF INFORMATION.
ANY INFORMATION OR DATA COLLECTED SHALL BE STORED IN A SECURE MANNER TO PREVENT UNAUTHORIZED ACCESS BY BOTH EMPLOYEES AND CONTRACTORS AND THOSE UNAFFILIATED WITH THE OWNER OR THEIR AGENTS, EXCEPT AS OTHERWISE PROVIDED IN THIS SECTION. FUTURE OR CONTINUING TENANCY SHALL NOT BE CONDITIONED UPON CONSENTING TO THE USE OF A SMART ACCESS SYSTEM. 7. SOFTWARE ISSUES. WHENEVER A COMPANY THAT PRODUCES, MAKES AVAILABLE OR INSTALLS SMART ACCESS SYSTEMS DISCOVERS A SECURITY BREACH OR CRITICAL SECURITY VULNERABILITY IN THEIR SOFTWARE, SUCH COMPANY SHALL NOTIFY CUSTOMERS OF SUCH VULNERABILITY WITHIN A REASONABLE TIME OF DISCOVERY BUT NO LATER THAN TWENTY-FOUR HOURS AFTER DISCOVERY AND SHALL MAKE SOFTWARE UPDATES AVAILABLE AND TAKE ANY OTHER ACTION AS MAY BE NECESSARY TO REPAIR THE VULNERABILITY WITHIN A REASONABLE TIME, BUT NOT LONGER THAN THIRTY DAYS AFTER DISCOVERY. SMART ACCESS SYSTEMS AND VENDORS SHALL IMPLEMENT AND MAINTAIN REASONABLE SECURITY PROCEDURES AND PRACTICES APPROPRIATE TO THE NATURE OF THE INFORMATION COLLECTED. IN THE EVENT THAT A SECURITY BREACH OR CRITICAL SECURITY VULNERABILITY THAT PERTAINS TO THE EMBEDDED SOFTWARE OR FIRMWARE ON THE SMART ACCESS SYSTEMS IS DISCOVERED, SMART ACCESS SYSTEMS AND THEIR VENDORS SHALL: (A) BE ABLE TO CREATE UPDATES TO THE FIRMWARE TO CORRECT THE VULNERABILITIES; (B) CONTRACTUALLY COMMIT TO CUSTOMERS THAT THE SMART ACCESS SYSTEM OR VENDOR WILL CREATE UPDATES TO THE EMBEDDED SOFTWARE OR FIRMWARE TO REMEDY THE VULNERABILITIES; AND (C) MAKE SUCH SECURITY-RELATED SOFTWARE OR FIRMWARE UPDATES AVAILABLE FOR FREE TO CUSTOMERS FOR THE DURATION OF THE CONTRACT BETWEEN THE BUILDING AND SMART ACCESS SYSTEMS. 8. WAIVER OF RIGHTS; VOID. ANY AGREEMENT BY A LESSEE OR TENANT OF A DWELLING WAIVING OR MODIFYING THEIR RIGHTS AS SET FORTH IN THIS SECTION SHALL BE VOID AS CONTRARY TO PUBLIC POLICY. 9. PENALTIES.
(A) A PERSON WHO VIOLATES THIS SECTION SHALL BE SUBJECT TO A CIVIL PENALTY OF NOT MORE THAN FIVE THOUSAND DOLLARS FOR EACH VIOLATION. THE ATTORNEY GENERAL MAY BRING AN ACTION TO RECOVER THE CIVIL PENALTY. AN INDIVIDUAL INJURED BY A VIOLATION OF THIS SECTION MAY BRING AN ACTION TO RECOVER DAMAGES. A COURT MAY ALSO AWARD ATTORNEYS' FEES TO A PREVAILING PLAINTIFF. (B) WHERE AN OWNER OR THEIR AGENT USES A SMART ACCESS SYSTEM TO HARASS OR OTHERWISE DEPRIVE A TENANT OR LAWFUL OCCUPANT OF ANY RIGHTS AVAILABLE UNDER LAW, SUCH OWNER OR AGENT SHALL BE SUBJECT TO A CIVIL PENALTY OF NOT MORE THAN TEN THOUSAND DOLLARS FOR EACH VIOLATION. (C) FOR PURPOSES OF THIS SUBDIVISION, EACH DAY THE VIOLATION OCCURS SHALL BE CONSIDERED A SEPARATE VIOLATION. 10. RENT REGULATED DWELLINGS. INSTALLATION OF A SMART ACCESS SYSTEM PURSUANT TO THIS SECTION IN A DWELLING SUBJECT TO THE EMERGENCY TENANT PROTECTION ACT OF NINETEEN HUNDRED SEVENTY-FOUR, THE EMERGENCY HOUSING RENT CONTROL LAW, THE LOCAL EMERGENCY HOUSING RENT CONTROL ACT, OR THE RENT STABILIZATION LAW OF NINETEEN HUNDRED SIXTY-NINE SHALL CONSTITUTE A MODIFICATION OF SERVICES REQUIRING THE OWNER OF SUCH DWELLING OR THEIR AGENT TO APPLY TO THE DIVISION OF HOUSING AND COMMUNITY RENEWAL FOR APPROVAL BEFORE PERFORMING SUCH INSTALLATION. SUCH INSTALLATION SHALL NOT QUALIFY AS A BASIS FOR RENT REDUCTION. 11. EXEMPTIONS. (A) NOTHING HEREIN SHALL APPLY TO MULTIPLE DWELLINGS OWNED OR MANAGED BY AN ENTITY SUBJECT TO 42 U.S.C. § 1437 ET SEQ., OR ANY OF ITS SUBSIDIARIES. (B) NOTHING IN THIS SECTION SHALL LIMIT THE AUTHORITY OF THE DIVISION OF HOUSING AND COMMUNITY RENEWAL TO IMPOSE ADDITIONAL REQUIREMENTS REGARDING SMART ACCESS SYSTEMS INSTALLED IN MULTIPLE DWELLINGS FOR WHICH THE DIVISION IS REQUIRED TO APPROVE SUBSTITUTIONS OR MODIFICATIONS OF SERVICES. § 3. Severability.
If any provision of this act, or any application of any provision of this act, is held to be invalid, that shall not affect the validity or effectiveness of any other provision of this act, or of any other application of any provision of this act, which can be given effect without that provision or application; and to that end, the provisions and applications of this act are severable. § 4. This act shall take effect on the one hundred eightieth day after it shall have become a law.
co-Sponsors
Jeffrey Dinowitz
Deborah Glick
Jo Anne Simon
Harvey Epstein
Karen McMahon
William Colton
David Weprin
Al Taylor
Steven Raga
2023-A48D (ACTIVE) - Details
2023-A48D (ACTIVE) - Bill Text
STATE OF NEW YORK 48--D Cal. No. 3 2023-2024 Regular Sessions IN ASSEMBLY (PREFILED) January 4, 2023 Introduced by M. of A. L. ROSENTHAL, DINOWITZ, GLICK, SIMON, EPSTEIN, McMAHON, COLTON, WEPRIN, TAYLOR, RAGA -- read once and referred to the Committee on Housing -- committee discharged, bill amended, ordered reprinted as amended and recommitted to said committee -- reported and referred to the Committee on Codes -- committee discharged, bill amended, ordered reprinted as amended and recommitted to said committee -- ordered to a third reading, amended and ordered reprinted, retaining its place on the order of third reading -- again amended on third reading, ordered reprinted, retaining its place on the order of third reading AN ACT to amend the multiple dwelling law and the multiple residence law, in relation to the use of smart access systems and the information that may be gathered from such systems THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEMBLY, DO ENACT AS FOLLOWS: Section 1. The multiple dwelling law is amended by adding a new section 50-b to read as follows: § 50-B. ELECTRONIC OR COMPUTERIZED ENTRY SYSTEMS. 1. DEFINITIONS. FOR THE PURPOSES OF THIS SECTION, THE FOLLOWING TERMS SHALL HAVE THE FOLLOWING MEANINGS: A. "ACCOUNT INFORMATION" MEANS INFORMATION THAT IS USED TO GRANT A USER ENTRY OR ACCESS TO ANY ONLINE TOOLS THAT ARE USED TO MANAGE USER ACCOUNTS RELATED TO A SMART ACCESS SYSTEM. B. "AUTHENTICATION DATA" MEANS DATA GENERATED OR COLLECTED AT THE POINT OF AUTHENTICATION IN CONNECTION WITH GRANTING A USER ENTRY TO A CLASS A MULTIPLE DWELLING, DWELLING UNIT OF SUCH BUILDING, OR COMMON AREA OF SUCH BUILDING THROUGH A SMART ACCESS SYSTEM, EXCEPT THAT IT SHALL NOT INCLUDE DATA GENERATED THROUGH OR COLLECTED BY A VIDEO OR CAMERA SYSTEM THAT IS USED TO MONITOR ENTRANCES BUT NOT TO GRANT ENTRY.
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets [ ] is old law to be omitted.
LBD00692-10-4
C. "BIOMETRIC IDENTIFIER INFORMATION" MEANS A PHYSIOLOGICAL, BIOLOGICAL OR BEHAVIORAL CHARACTERISTIC THAT IS USED TO IDENTIFY, OR ASSIST IN IDENTIFYING, AN INDIVIDUAL, INCLUDING, BUT NOT LIMITED TO: (I) A RETINA OR IRIS SCAN, (II) A FINGERPRINT, (III) A VOICEPRINT, (IV) A SCAN OR RECORD OF A PALM, HAND, OR FACE GEOMETRY, (V) GAIT OR MOVEMENT PATTERNS, OR (VI) ANY OTHER SIMILAR IDENTIFYING CHARACTERISTIC THAT CAN BE USED ALONE OR IN COMBINATION WITH EACH OTHER, OR WITH OTHER INFORMATION, TO ESTABLISH INDIVIDUAL IDENTITY. D. "CRITICAL SECURITY VULNERABILITY" MEANS A SECURITY VULNERABILITY THAT HAS A SIGNIFICANT RISK OF RESULTING IN AN UNAUTHORIZED ACCESS TO AN AREA SECURED BY A SMART ACCESS SYSTEM. E. "REFERENCE DATA" MEANS INFORMATION AGAINST WHICH AUTHENTICATION DATA IS VERIFIED AT THE POINT OF AUTHENTICATION BY A SMART ACCESS SYSTEM IN ORDER TO GRANT A USER ENTRY TO A CLASS A MULTIPLE DWELLING, DWELLING UNIT OF SUCH BUILDING, OR COMMON AREA OF SUCH BUILDING. F. "SECURITY BREACH" MEANS ANY INCIDENT THAT RESULTS IN UNAUTHORIZED ACCESS OF DATA, APPLICATIONS, SERVICES, NETWORKS OR DEVICES BY BYPASSING UNDERLYING SECURITY MECHANISMS. A "SECURITY BREACH" OCCURS WHEN AN INDIVIDUAL OR AN APPLICATION ILLEGITIMATELY ENTERS A PRIVATE, CONFIDENTIAL OR UNAUTHORIZED LOGICAL INFORMATION TECHNOLOGY PERIMETER. G. "SMART ACCESS SYSTEM" MEANS ANY SYSTEM THAT USES ELECTRONIC OR COMPUTERIZED TECHNOLOGY, A RADIO FREQUENCY IDENTIFICATION CARD, A MOBILE PHONE APPLICATION, BIOMETRIC IDENTIFIER INFORMATION, OR ANY OTHER DIGITAL TECHNOLOGY IN ORDER TO GRANT ACCESS TO A CLASS A MULTIPLE DWELLING, COMMON AREAS IN SUCH MULTIPLE DWELLING, OR TO AN INDIVIDUAL DWELLING UNIT IN SUCH MULTIPLE DWELLING. H. "THIRD PARTY" MEANS AN ENTITY THAT INSTALLS, OPERATES OR OTHERWISE DIRECTLY SUPPORTS A SMART ACCESS SYSTEM, AND HAS ONGOING ACCESS TO USER DATA, EXCLUDING ANY ENTITY THAT SOLELY HOSTS SUCH DATA. I. "USER" MEANS A TENANT OR LAWFUL OCCUPANT OF A CLASS A MULTIPLE DWELLING, AND ANY PERSON A TENANT OR LAWFUL OCCUPANT HAS REQUESTED, IN WRITING OR THROUGH A MOBILE APPLICATION, BE GRANTED ACCESS TO SUCH TENANT OR LAWFUL OCCUPANT'S DWELLING UNIT AND SUCH BUILDING'S SMART ACCESS SYSTEM. 2. ENTRY. A. WHERE AN OWNER INSTALLS OR PLANS TO INSTALL A SMART ACCESS SYSTEM ON ANY ENTRANCE FROM THE STREET, PASSAGEWAY, COURT, YARD, CELLAR, OR OTHER COMMON AREA OF A CLASS A MULTIPLE DWELLING, SUCH SYSTEM SHALL NOT RELY SOLELY ON A WEB-BASED APPLICATION TO FACILITATE ENTRANCE BUT SHALL ALSO INCLUDE A KEY FOB, KEY CARD, DIGITAL KEY OR PASSCODE FOR TENANT USE. B. OWNERS MAY PROVIDE VARIOUS METHODS OF ENTRY INTO INDIVIDUAL APARTMENTS INCLUDING A MECHANICAL KEY OR A SMART ACCESS SYSTEM OF A KEY FOB, KEY CARD OR DIGITAL KEY, PROVIDED, HOWEVER THAT SUCH SMART ACCESS SYSTEM SHALL NOT RELY SOLELY ON A WEB-BASED APPLICATION. C. NOTWITHSTANDING PARAGRAPH A OR B OF THIS SUBDIVISION, OWNERS SHALL PROVIDE A NON-ELECTRONIC MEANS OF ENTRY WHERE REQUESTED BY THE TENANT OR LAWFUL OCCUPANT DUE TO A RELIGIOUS PREFERENCE. D. ALL LAWFUL TENANTS AND LAWFUL OCCUPANTS SHALL BE PROVIDED WITH A KEY, KEY FOB, DIGITAL KEY OR KEY CARD AT NO COST TO SUCH TENANTS AND LAWFUL OCCUPANTS. THE TERM "LAWFUL OCCUPANTS" SHALL INCLUDE CHILDREN UNDER THE AGE OF EIGHTEEN WHO SHALL BE ISSUED A KEY, KEY FOB, DIGITAL KEY OR KEY CARD IF A PARENT OR GUARDIAN REQUESTS SUCH CHILD BE PROVIDED WITH ONE. TENANTS AND LAWFUL OCCUPANTS MAY ALSO RECEIVE UP TO FOUR ADDITIONAL KEYS, KEY FOBS, DIGITAL KEYS OR KEY CARDS AT NO COST TO THE TENANT OR LAWFUL OCCUPANT FOR EMPLOYEES OR GUESTS. THE TERM "GUESTS" SHALL INCLUDE FAMILY MEMBERS AND FRIENDS WHO CAN REASONABLY BE EXPECTED TO VISIT ON A REGULAR BASIS OR VISIT AS NEEDED TO CARE FOR THE TENANT, LAWFUL OCCUPANT, OR THE DWELLING UNIT IF THE TENANT OR LAWFUL OCCUPANT IS AWAY.
EMPLOYEES, INCLUDING CONTRACTORS, PROFESSIONAL CAREGIVERS OR OTHER SERVICES PROVIDERS, MAY HAVE AN EXPIRATION DATE PLACED ON THEIR KEY, KEY CARD, DIGITAL KEY OR KEY FOB, WHICH MAY BE EXTENDED UPON THE TENANT'S OR LAWFUL OCCUPANT'S REQUEST. TENANTS OR LAWFUL OCCUPANTS MAY REQUEST A NEW OR REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR KEY CARD AT ANY TIME THROUGHOUT THE COURSE OF THE TENANCY OR OCCUPANCY. THE OWNER OR THEIR AGENT SHALL PROVIDE THE FIRST REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR KEY CARD TO THE TENANT OR LAWFUL OCCUPANT FREE OF CHARGE. THE COST OF SECOND AND SUBSEQUENT REPLACEMENT CARDS SHALL NOT BE MORE THAN WHAT THE OWNER PAID FOR THE REPLACEMENT UP TO AND NOT EXCEEDING TWENTY-FIVE DOLLARS. E. THE OWNER SHALL NOT SET LIMITS ON THE NUMBER OF KEYS, KEY FOBS, DIGITAL KEYS OR KEY CARDS A TENANT OR LAWFUL OCCUPANT MAY REQUEST. F. ANY DOOR THAT HAS A SMART ACCESS SYSTEM SHALL HAVE BACKUP POWER OR AN ALTERNATIVE MEANS OF ENTRY TO ENSURE THAT THE ENTRY SYSTEM CONTINUES TO OPERATE DURING A POWER OUTAGE. AN OWNER, OR THEIR AGENT, SHALL ROUTINELY INSPECT THE BACKUP POWER AND SHALL REPLACE ACCORDING TO SYSTEM SPECIFICATIONS. OWNERS OR THEIR AGENTS SHALL PROVIDE TENANTS AND LAWFUL OCCUPANTS WITH INFORMATION ABOUT WHOM TO CONTACT IN THE EVENT THAT THE TENANT, LAWFUL OCCUPANT OR THE TENANT'S OR LAWFUL OCCUPANT'S CHILDREN, GUESTS OR EMPLOYEES BECOME LOCKED OUT. 3. NOTICE. OWNERS OR THEIR AGENTS SHALL PROVIDE NOTICE TO A TENANT OR LAWFUL OCCUPANT AT THE TIME THE TENANT OR LAWFUL OCCUPANT SIGNS THE LEASE, OR WHEN THE SMART ACCESS SYSTEM IS INSTALLED, OF THE PROVISIONS OF SUBDIVISION TWO OF THIS SECTION. 4. DATA COLLECTION. A.
IF A SMART ACCESS SYSTEM IS UTILIZED TO GAIN ENTRANCE TO A CLASS A MULTIPLE DWELLING, THE ONLY REFERENCE, AUTHENTICATION, AND ACCOUNT INFORMATION GATHERED BY ANY SMART ACCESS SYSTEM SHALL BE LIMITED TO ACCOUNT INFORMATION NECESSARY TO ENABLE THE USE OF SUCH SMART ACCESS SYSTEM, OR REFERENCE DATA, INCLUDING THE USER'S NAME, DWELLING UNIT NUMBER AND OTHER DOORS OR COMMON AREAS TO WHICH THE USER HAS ACCESS, THE PREFERRED METHOD OF CONTACT FOR SUCH USER, INFORMATION USED TO GRANT A USER ENTRY OR TO ACCESS ANY ONLINE TOOLS USED TO MANAGE USER ACCOUNTS RELATED TO SUCH BUILDING, LEASE INFORMATION INCLUDING MOVE-IN AND, IF AVAILABLE MOVE-OUT DATES, AND AUTHENTICATION DATA SUCH AS TIME AND METHOD OF ACCESS FOR SECURITY PURPOSES AND A PHOTOGRAPH OF ACCESS EVENTS FOR SECURITY PURPOSES. FOR SMART ACCESS SYSTEMS THAT RELY ON THE COLLECTION OF BIOMETRIC DATA AND WHICH HAVE ALREADY BEEN INSTALLED AT THE TIME THIS SECTION SHALL HAVE BECOME A LAW, BIOMETRIC IDENTIFIER INFORMATION MAY BE COLLECTED PURSUANT TO THIS SECTION IN ORDER TO REGISTER A USER FOR A SMART ACCESS SYSTEM. NO NEW SMART ACCESS SYSTEMS THAT RELY ON THE COLLECTION OF BIOMETRIC DATA SHALL BE INSTALLED IN CLASS A MULTIPLE DWELLINGS FOR THREE YEARS AFTER THE EFFECTIVE DATE OF THIS SECTION. (I) THE OWNER OF THE MULTIPLE DWELLING MAY COLLECT ONLY THE MINIMUM DATA REQUIRED BY THE TECHNOLOGY USED IN THE SMART ACCESS SYSTEM TO EFFECTUATE SUCH ENTRANCE AND PROTECT THE PRIVACY AND SECURITY OF SUCH USERS. (II) THE OWNER OR AGENT OF THE OWNER SHALL NOT REQUEST OR RETAIN, IN ANY FORM, THE SOCIAL SECURITY NUMBER OF ANY TENANT OR LAWFUL OCCUPANT AS A CONDITION OF USE OF THE SMART ACCESS SYSTEM. (III) THE OWNER, AGENT OF THE OWNER, OR THE VENDOR OF A SMART ACCESS SYSTEM ON BEHALF OF THE OWNER MAY RECORD EACH TIME A KEY FOB, KEY CARD, DIGITAL KEY OR PASSCODE IS USED TO ENTER THE BUILDING, BUT SHALL NOT RECORD ANY DEPARTURES.
(IV) A COPY OF SUCH DATA MAY BE RETAINED FOR REFERENCE AT THE POINT OF AUTHENTICATION BY THE SMART ACCESS SYSTEM. SUCH REFERENCE DATA SHALL BE RETAINED ONLY FOR TENANTS OR LAWFUL OCCUPANTS OR THOSE AUTHORIZED BY THE TENANT, LAWFUL OCCUPANT, OR OWNER OF THE MULTIPLE DWELLING. (V) THE OWNER OF THE MULTIPLE DWELLING OR ANY THIRD PARTY SHALL DESTROY OR ANONYMIZE AUTHENTICATION DATA COLLECTED FROM OR GENERATED BY SUCH SMART ACCESS SYSTEM WITHIN A REASONABLE TIME, BUT NOT LATER THAN NINETY DAYS AFTER THE DATE COLLECTED. (VI) REFERENCE DATA FOR A USER SHALL BE DESTROYED OR ANONYMIZED WITHIN NINETY DAYS OF (1) THE TENANT OR LAWFUL OCCUPANT PERMANENTLY VACATING THE DWELLING, OR (2) A REQUEST BY THE TENANT OR LAWFUL OCCUPANT TO WITHDRAW AUTHORIZATION FOR THOSE PREVIOUSLY AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT. B. (I) AN ENTITY SHALL NOT CAPTURE BIOMETRIC IDENTIFIER INFORMATION OF AN INDIVIDUAL TO GAIN ENTRANCE TO A CLASS A MULTIPLE DWELLING UNLESS THE PERSON IS A TENANT OR LAWFUL OCCUPANT OR A PERSON AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT, AND INFORMS THE INDIVIDUAL BEFORE CAPTURING THE BIOMETRIC IDENTIFIER INFORMATION; AND RECEIVES THEIR EXPRESS CONSENT TO CAPTURE THE BIOMETRIC IDENTIFIER INFORMATION. (II) ANY ENTITY THAT POSSESSES BIOMETRIC IDENTIFIER INFORMATION OF AN INDIVIDUAL THAT IS CAPTURED TO GAIN ENTRANCE TO A CLASS A MULTIPLE DWELLING: (1) SHALL NOT SELL, LEASE OR OTHERWISE DISCLOSE THE BIOMETRIC IDENTIFIER INFORMATION TO ANOTHER PERSON UNLESS PURSUANT TO ANY LAW, GRAND JURY SUBPOENA OR COURT ORDERED WARRANT, SUBPOENA, OR OTHER AUTHORIZED COURT ORDERED PROCESS.
(2) SHALL STORE, TRANSMIT AND PROTECT FROM DISCLOSURE THE BIOMETRIC IDENTIFIER INFORMATION USING REASONABLE CARE AND IN A MANNER THAT IS THE SAME AS OR MORE PROTECTIVE THAN THE MANNER IN WHICH THE PERSON STORES, TRANSMITS AND PROTECTS CONFIDENTIAL INFORMATION THE PERSON POSSESSES; AND (3) SHALL DESTROY THE BIOMETRIC IDENTIFIER INFORMATION WITHIN A REASONABLE TIME, BUT NOT LATER THAN FORTY-EIGHT HOURS AFTER THE DATE COLLECTED, EXCEPT FOR REFERENCE DATA. IF ANY PROHIBITED INFORMATION IS COLLECTED, SUCH AS THE LIKENESS OF A MINOR OR A NON-TENANT, THE INFORMATION SHALL BE DESTROYED IMMEDIATELY. C. THE OWNER OF THE MULTIPLE DWELLING, OR THE MANAGING AGENT, SHALL DEVELOP AND PROVIDE TO TENANTS AND LAWFUL OCCUPANTS WRITTEN PROCEDURES WHICH DESCRIBE THE PROCESS USED TO ADD PERSONS AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT TO THE SMART ACCESS SYSTEM ON A TEMPORARY OR PERMANENT BASIS, SUCH AS VISITORS, CHILDREN, THEIR EMPLOYEES, AND CAREGIVERS TO SUCH BUILDING. (I) THE PROCEDURES SHALL CLEARLY ESTABLISH THE OWNER'S RETENTION SCHEDULE AND GUIDELINES FOR PERMANENTLY DESTROYING OR ANONYMIZING THE DATA COLLECTED. (II) THE PROCEDURES SHALL NOT LIMIT TIME OR PLACE OF ENTRANCE BY SUCH PEOPLE AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT EXCEPT AS REQUESTED BY THE TENANT OR LAWFUL OCCUPANT. 5. PROHIBITIONS. A. NO FORM OF LOCATION TRACKING, INCLUDING BUT NOT LIMITED TO SATELLITE LOCATION BASED SERVICES, SHALL BE INCLUDED IN ANY EQUIPMENT, KEY, OR SOFTWARE PROVIDED TO USERS AS PART OF A SMART ACCESS SYSTEM. B. IT SHALL BE PROHIBITED TO COLLECT THROUGH A SMART ACCESS SYSTEM THE LIKENESS OF A MINOR OCCUPANT, INFORMATION ON THE RELATIONSHIP STATUS OF
TENANTS OR LAWFUL OCCUPANTS AND THEIR GUESTS, OR TO USE A SMART ACCESS SYSTEM TO COLLECT OR TRACK INFORMATION ABOUT THE FREQUENCY AND TIME OF USE OF SUCH SYSTEM BY A TENANT OR LAWFUL OCCUPANT AND THEIR GUESTS TO HARASS OR EVICT A TENANT OR LAWFUL OCCUPANT OR FOR ANY OTHER PURPOSE NOT EXPRESSLY RELATED TO THE OPERATION OF THE SMART ACCESS SYSTEM. C. INFORMATION THAT IS ACQUIRED VIA THE USE OF A SMART ACCESS SYSTEM SHALL NOT BE USED FOR ANY PURPOSES OTHER THAN GRANTING ACCESS TO AND MONITORING BUILDING ENTRANCES AND SHALL NOT BE USED AS THE BASIS OR SUPPORT FOR AN ACTION TO EVICT A LESSEE, TENANT, OR LAWFUL OCCUPANT, OR AN ADMINISTRATIVE HEARING SEEKING A CHANGE IN REGULATORY COVERAGE FOR AN INDIVIDUAL OR UNIT. HOWEVER, A TENANT OR LAWFUL OCCUPANT MAY AUTHORIZE THEIR INFORMATION TO BE USED BY A THIRD PARTY, BUT SUCH A REQUEST SHALL CLEARLY STATE WHO WILL HAVE ACCESS TO SUCH INFORMATION, FOR WHAT PURPOSE IT WILL BE USED, AND THE PRIVACY POLICIES WHICH WILL PROTECT THEIR INFORMATION. UNDER NO CIRCUMSTANCES SHALL A LEASE OR A RENEWAL BE CONTINGENT UPON AUTHORIZING SUCH USE. SMART ACCESS SYSTEMS MAY USE THIRD-PARTY SERVICES TO THE EXTENT REQUIRED TO MAINTAIN AND OPERATE SYSTEM INFRASTRUCTURE, INCLUDING CLOUD-BASED HOSTING AND STORAGE. THE PROVIDER OR PROVIDERS OF THIRD-PARTY INFRASTRUCTURE SERVICES SHALL MEET OR EXCEED THE PRIVACY PROTECTIONS SET FORTH IN THIS SECTION AND SHALL BE SUBJECT TO THE SAME LIABILITY FOR BREACH OF ANY OF THE REQUIREMENTS OF THIS SECTION. D. INFORMATION AND DATA COLLECTED SHALL NOT BE MADE AVAILABLE TO ANY THIRD PARTY, UNLESS AUTHORIZED AS DESCRIBED IN PARAGRAPH C OF THIS SUBDIVISION, INCLUDING BUT NOT LIMITED TO LAW ENFORCEMENT, EXCEPT UPON A GRAND JURY SUBPOENA OR A COURT ORDERED WARRANT, SUBPOENA, OR OTHER AUTHORIZED COURT ORDERED PROCESS. 6. STORAGE OF INFORMATION.
ANY INFORMATION OR DATA COLLECTED SHALL BE STORED IN A SECURE MANNER TO PREVENT UNAUTHORIZED ACCESS BY BOTH EMPLOYEES AND CONTRACTORS AND THOSE UNAFFILIATED WITH THE OWNER OR THEIR AGENTS, EXCEPT AS OTHERWISE PROVIDED IN THIS SECTION. FUTURE OR CONTINUING TENANCY SHALL NOT BE CONDITIONED UPON CONSENTING TO THE USE OF A SMART ACCESS SYSTEM. 7. SOFTWARE ISSUES. WHENEVER A COMPANY THAT PRODUCES, MAKES AVAILABLE OR INSTALLS SMART ACCESS SYSTEMS DISCOVERS A SECURITY BREACH OR CRITICAL SECURITY VULNERABILITY IN THEIR SOFTWARE, SUCH COMPANY SHALL NOTIFY CUSTOMERS OF SUCH VULNERABILITY WITHIN A REASONABLE TIME OF DISCOVERY BUT NO LATER THAN TWENTY-FOUR HOURS AFTER DISCOVERY AND SHALL MAKE SOFTWARE UPDATES AVAILABLE AND TAKE ANY OTHER ACTION AS MAY BE NECESSARY TO REPAIR THE VULNERABILITY WITHIN A REASONABLE TIME, BUT NOT LONGER THAN THIRTY DAYS AFTER DISCOVERY. SMART ACCESS SYSTEMS AND VENDORS SHALL IMPLEMENT AND MAINTAIN REASONABLE SECURITY PROCEDURES AND PRACTICES APPROPRIATE TO THE NATURE OF THE INFORMATION COLLECTED. IN THE EVENT THAT A SECURITY BREACH OR CRITICAL SECURITY VULNERABILITY THAT PERTAINS TO THE EMBEDDED SOFTWARE OR FIRMWARE ON THE SMART ACCESS SYSTEMS IS DISCOVERED, SMART ACCESS SYSTEMS AND THEIR VENDORS SHALL: A. BE ABLE TO CREATE UPDATES TO THE FIRMWARE TO CORRECT THE VULNERABILITIES; B. CONTRACTUALLY COMMIT TO CUSTOMERS THAT THE SMART ACCESS SYSTEM OR VENDOR WILL CREATE UPDATES TO THE EMBEDDED SOFTWARE OR FIRMWARE TO REMEDY THE VULNERABILITIES; AND C. MAKE SUCH SECURITY-RELATED SOFTWARE OR FIRMWARE UPDATES AVAILABLE FOR FREE TO CUSTOMERS FOR THE DURATION OF THE CONTRACT BETWEEN THE BUILDING AND SMART ACCESS SYSTEMS. 8. WAIVER OF RIGHTS; VOID. ANY AGREEMENT BY A LESSEE OR TENANT OF A DWELLING WAIVING OR MODIFYING THEIR RIGHTS AS SET FORTH IN THIS SECTION SHALL BE VOID AS CONTRARY TO PUBLIC POLICY. 9. PENALTIES. A.
A PERSON WHO VIOLATES THIS SECTION SHALL BE SUBJECT TO A CIVIL PENALTY OF NOT MORE THAN FIVE THOUSAND DOLLARS FOR EACH VIOLATION. THE ATTORNEY GENERAL MAY BRING AN ACTION TO RECOVER THE CIVIL PENALTY. B. WHERE AN OWNER OR THEIR AGENT USES A SMART ACCESS SYSTEM TO HARASS OR OTHERWISE DEPRIVE A TENANT OR LAWFUL OCCUPANT OF ANY RIGHTS AVAILABLE UNDER LAW, SUCH OWNER OR AGENT SHALL BE SUBJECT TO A CIVIL PENALTY OF NOT MORE THAN TEN THOUSAND DOLLARS FOR EACH VIOLATION. C. FOR PURPOSES OF THIS SUBDIVISION, EACH DAY THE VIOLATION OCCURS SHALL BE CONSIDERED A SEPARATE VIOLATION. 10. RENT REGULATED DWELLINGS. INSTALLATION OF A SMART ACCESS SYSTEM PURSUANT TO THIS SECTION IN A DWELLING SUBJECT TO THE EMERGENCY TENANT PROTECTION ACT OF NINETEEN HUNDRED SEVENTY-FOUR, THE EMERGENCY HOUSING RENT CONTROL LAW, THE LOCAL EMERGENCY HOUSING RENT CONTROL ACT, OR THE RENT STABILIZATION LAW OF NINETEEN HUNDRED SIXTY-NINE SHALL CONSTITUTE A MODIFICATION OF SERVICES REQUIRING THE OWNER OF SUCH DWELLING OR THEIR AGENT TO APPLY TO THE DIVISION OF HOUSING AND COMMUNITY RENEWAL FOR APPROVAL BEFORE PERFORMING SUCH INSTALLATION. SUCH INSTALLATION SHALL NOT QUALIFY AS A BASIS FOR RENT REDUCTION. 11. EXEMPTIONS. A. NOTHING HEREIN SHALL APPLY TO MULTIPLE DWELLINGS OWNED OR MANAGED BY AN ENTITY SUBJECT TO 42 U.S.C. § 1437 ET SEQ., OR ANY OF ITS SUBSIDIARIES, OR MULTIPLE DWELLINGS THAT ARE PRIMARILY OCCUPIED BY TRANSIENT OCCUPANTS FOR A PERIOD OF LESS THAN THIRTY DAYS. B. NOTHING IN THIS SECTION SHALL LIMIT THE AUTHORITY OF THE DIVISION OF HOUSING AND COMMUNITY RENEWAL TO IMPOSE ADDITIONAL REQUIREMENTS REGARDING SMART ACCESS SYSTEMS INSTALLED IN MULTIPLE DWELLINGS FOR WHICH THE DIVISION IS REQUIRED TO APPROVE SUBSTITUTIONS OR MODIFICATIONS OF SERVICES. § 2. The multiple residence law is amended by adding a new section 130-a to read as follows: § 130-A. ELECTRONIC OR COMPUTERIZED ENTRY SYSTEMS. 1. DEFINITIONS.
FOR THE PURPOSES OF THIS SECTION, THE FOLLOWING TERMS SHALL HAVE THE FOLLOWING MEANINGS: (A) "ACCOUNT INFORMATION" MEANS INFORMATION THAT IS USED TO GRANT A USER ENTRY OR ACCESS TO ANY ONLINE TOOLS THAT ARE USED TO MANAGE USER ACCOUNTS RELATED TO A SMART ACCESS SYSTEM. (B) "AUTHENTICATION DATA" MEANS DATA GENERATED OR COLLECTED AT THE POINT OF AUTHENTICATION IN CONNECTION WITH GRANTING A USER ENTRY TO A MULTIPLE DWELLING, DWELLING UNIT OF SUCH BUILDING, OR COMMON AREA OF SUCH BUILDING THROUGH A SMART ACCESS SYSTEM, EXCEPT THAT IT SHALL NOT INCLUDE DATA GENERATED THROUGH OR COLLECTED BY A VIDEO OR CAMERA SYSTEM THAT IS USED TO MONITOR ENTRANCES BUT NOT TO GRANT ENTRY. (C) "BIOMETRIC IDENTIFIER INFORMATION" MEANS A PHYSIOLOGICAL, BIOLOGICAL OR BEHAVIORAL CHARACTERISTIC THAT IS USED TO IDENTIFY, OR ASSIST IN IDENTIFYING, AN INDIVIDUAL, INCLUDING, BUT NOT LIMITED TO: (I) A RETINA OR IRIS SCAN, (II) A FINGERPRINT, (III) A VOICEPRINT, (IV) A SCAN OR RECORD OF A PALM, HAND, OR FACE GEOMETRY, (V) GAIT OR MOVEMENT PATTERNS, OR (VI) ANY OTHER SIMILAR IDENTIFYING CHARACTERISTIC THAT CAN BE USED ALONE OR IN COMBINATION WITH EACH OTHER, OR WITH OTHER INFORMATION, TO ESTABLISH INDIVIDUAL IDENTITY. (D) "CRITICAL SECURITY VULNERABILITY" MEANS A SECURITY VULNERABILITY THAT HAS A SIGNIFICANT RISK OF RESULTING IN AN UNAUTHORIZED ACCESS TO AN AREA SECURED BY A SMART ACCESS SYSTEM. (E) "REFERENCE DATA" MEANS INFORMATION AGAINST WHICH AUTHENTICATION DATA IS VERIFIED AT A POINT OF AUTHENTICATION BY A SMART ACCESS SYSTEM IN ORDER TO GRANT A USER ENTRY TO A MULTIPLE DWELLING, DWELLING UNIT OF SUCH BUILDING, OR COMMON AREA OF SUCH BUILDING. (F) "SECURITY BREACH" MEANS ANY INCIDENT THAT RESULTS IN UNAUTHORIZED ACCESS OF DATA, APPLICATIONS, SERVICES, NETWORKS OR DEVICES BY BYPASSING UNDERLYING SECURITY MECHANISMS.
A "SECURITY BREACH" OCCURS WHEN AN INDIVIDUAL OR AN APPLICATION ILLEGITIMATELY ENTERS A PRIVATE, CONFIDENTIAL OR UNAUTHORIZED LOGICAL INFORMATION TECHNOLOGY PERIMETER. (G) "SMART ACCESS SYSTEM" MEANS ANY SYSTEM THAT USES ELECTRONIC OR COMPUTERIZED TECHNOLOGY, A RADIO FREQUENCY IDENTIFICATION CARD, A MOBILE PHONE APPLICATION, BIOMETRIC IDENTIFIER INFORMATION, OR ANY OTHER DIGITAL TECHNOLOGY IN ORDER TO GRANT ACCESS TO A MULTIPLE DWELLING, COMMON AREAS IN SUCH MULTIPLE DWELLING, OR TO AN INDIVIDUAL DWELLING UNIT IN SUCH MULTIPLE DWELLING. (H) "THIRD PARTY" MEANS AN ENTITY THAT INSTALLS, OPERATES OR OTHERWISE DIRECTLY SUPPORTS A SMART ACCESS SYSTEM, AND HAS ONGOING ACCESS TO USER DATA, EXCLUDING ANY ENTITY THAT SOLELY HOSTS SUCH DATA. (I) "USER" MEANS A TENANT OR LAWFUL OCCUPANT OF A MULTIPLE DWELLING, AND ANY PERSON A TENANT OR LAWFUL OCCUPANT HAS REQUESTED, IN WRITING OR THROUGH A MOBILE APPLICATION, BE GRANTED ACCESS TO SUCH TENANT OR LAWFUL OCCUPANT'S DWELLING UNIT AND SUCH BUILDING'S SMART ACCESS SYSTEM. 2. ENTRY. (A) WHERE AN OWNER INSTALLS OR PLANS TO INSTALL A SMART ACCESS SYSTEM ON ANY ENTRANCE FROM THE STREET, PASSAGEWAY, COURT, YARD, CELLAR, OR OTHER COMMON AREA OF A MULTIPLE DWELLING, SUCH SYSTEM SHALL NOT RELY SOLELY ON A WEB-BASED APPLICATION TO FACILITATE ENTRANCE BUT SHALL ALSO INCLUDE A KEY FOB, KEY CARD, DIGITAL KEY OR PASSCODE FOR TENANT USE. (B) OWNERS MAY PROVIDE VARIOUS METHODS OF ENTRY INTO INDIVIDUAL APARTMENTS INCLUDING A MECHANICAL KEY OR A SMART ACCESS SYSTEM OF A KEY FOB, KEY CARD OR DIGITAL KEY, PROVIDED, HOWEVER THAT SUCH SMART ACCESS SYSTEM SHALL NOT RELY SOLELY ON A WEB-BASED APPLICATION. (C) NOTWITHSTANDING PARAGRAPH (A) OR (B) OF THIS SUBDIVISION, OWNERS SHALL PROVIDE A NON-ELECTRONIC MEANS OF ENTRY WHERE REQUESTED BY THE TENANT OR LAWFUL OCCUPANT DUE TO A RELIGIOUS PREFERENCE. (D) ALL LAWFUL TENANTS AND LAWFUL OCCUPANTS SHALL BE PROVIDED WITH A KEY, KEY FOB, DIGITAL KEY OR KEY CARD AT NO COST TO SUCH TENANTS AND LAWFUL OCCUPANTS.
THE TERM "LAWFUL OCCUPANTS" SHALL INCLUDE CHILDREN UNDER THE AGE OF EIGHTEEN WHO SHALL BE ISSUED A KEY, KEY FOB, DIGITAL KEYS OR KEY CARD IF A PARENT OR GUARDIAN REQUESTS SUCH CHILD BE PROVIDED WITH ONE. TENANTS AND LAWFUL OCCUPANTS MAY ALSO RECEIVE UP TO FOUR ADDITIONAL KEYS, KEY FOBS, DIGITAL KEYS OR KEY CARDS AT NO COST TO THE TENANT OR LAWFUL OCCUPANT FOR EMPLOYEES OR GUESTS. THE TERM "GUESTS" SHALL INCLUDE FAMILY MEMBERS AND FRIENDS WHO CAN REASONABLY BE EXPECTED TO VISIT ON A REGULAR BASIS OR VISIT AS NEEDED TO CARE FOR THE TENANT, LAWFUL OCCUPANT, OR THE DWELLING UNIT IF THE TENANT OR LAWFUL OCCUPANT IS AWAY. EMPLOYEES, INCLUDING CONTRACTORS, PROFESSIONAL CAREGIVERS OR OTHER SERVICES PROVIDERS, MAY HAVE AN EXPIRATION DATE PLACED ON THEIR KEY, KEY CARD, DIGITAL KEY OR KEY FOB, WHICH MAY BE EXTENDED UPON THE TENANT OR LAWFUL OCCUPANT'S REQUEST. TENANTS OR LAWFUL OCCUPANTS MAY REQUEST A NEW OR REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR KEY CARD AT ANY TIME THROUGHOUT THE COURSE OF THE TENANCY. THE OWNER OR THEIR AGENT SHALL PROVIDE THE FIRST REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR KEY CARD TO THE TENANT OR LAWFUL OCCUPANT FREE OF CHARGE. THE COST OF SECOND AND SUBSEQUENT REPLACEMENT CARDS SHALL NOT BE MORE THAN WHAT THE OWNER PAID FOR THE REPLACEMENT UP TO AND NOT EXCEEDING TWENTY-FIVE DOLLARS. (E) THE OWNER SHALL NOT SET LIMITS ON THE NUMBER OF KEYS, KEY FOBS, DIGITAL KEYS OR KEY CARDS A TENANT OR LAWFUL OCCUPANT MAY REQUEST. (F) ANY DOOR THAT HAS A SMART ACCESS SYSTEM SHALL HAVE BACKUP POWER OR AN ALTERNATIVE MEANS OF ENTRY TO ENSURE THAT THE ENTRY SYSTEM CONTINUES TO OPERATE DURING A POWER OUTAGE. AN OWNER, OR THEIR AGENT, SHALL ROUTINELY INSPECT THE BACKUP POWER AND SHALL REPLACE ACCORDING TO SYSTEM SPECIFICATIONS.
OWNERS OR THEIR AGENTS SHALL PROVIDE TENANTS AND LAWFUL OCCUPANTS WITH INFORMATION ABOUT WHOM TO CONTACT IN THE EVENT THAT THE TENANT, LAWFUL OCCUPANT OR THE TENANT'S OR LAWFUL OCCUPANT'S CHILDREN, GUESTS OR EMPLOYEES BECOME LOCKED OUT. 3. NOTICE. OWNERS OR THEIR AGENTS SHALL PROVIDE NOTICE TO A TENANT OR LAWFUL OCCUPANT AT THE TIME THE TENANT OR LAWFUL OCCUPANT SIGNS THE LEASE, OR WHEN THE SMART ACCESS SYSTEM IS INSTALLED, OF THE PROVISIONS OF SUBDIVISION TWO OF THIS SECTION. 4. DATA COLLECTION. (A) IF A SMART ACCESS SYSTEM IS UTILIZED TO GAIN ENTRANCE TO A MULTIPLE DWELLING, THE ONLY REFERENCE, AUTHENTICATION, AND ACCOUNT INFORMATION GATHERED BY ANY SMART ACCESS SYSTEM SHALL BE LIMITED TO ACCOUNT INFORMATION NECESSARY TO ENABLE THE USE OF SUCH SMART ACCESS SYSTEM, OR REFERENCE DATA, INCLUDING THE USER'S NAME, DWELLING UNIT NUMBER AND OTHER DOORS OR COMMON AREAS TO WHICH THE USER HAS ACCESS, THE PREFERRED METHOD OF CONTACT FOR SUCH USER, INFORMATION USED TO GRANT A USER ENTRY OR TO ACCESS ANY ONLINE TOOLS USED TO MANAGE USER ACCOUNTS RELATED TO SUCH BUILDING, LEASE INFORMATION INCLUDING MOVE-IN AND, IF AVAILABLE MOVE-OUT DATES, AND AUTHENTICATION DATA SUCH AS TIME AND METHOD OF ACCESS FOR SECURITY PURPOSES AND A PHOTOGRAPH OF ACCESS EVENTS FOR SECURITY PURPOSES. FOR SMART ACCESS SYSTEMS THAT RELY ON THE COLLECTION OF BIOMETRIC DATA AND WHICH HAVE ALREADY BEEN INSTALLED AT THE TIME THIS SECTION SHALL HAVE BECOME A LAW, BIOMETRIC IDENTIFIER INFORMATION MAY BE COLLECTED PURSUANT TO THIS SECTION IN ORDER TO REGISTER A USER FOR A SMART ACCESS SYSTEM. NO NEW SMART ACCESS SYSTEMS THAT RELY ON THE COLLECTION OF BIOMETRIC DATA SHALL BE INSTALLED IN MULTIPLE DWELLINGS FOR THREE YEARS AFTER THE EFFECTIVE DATE OF THIS SECTION. (I) THE OWNER OF THE MULTIPLE DWELLING SHALL COLLECT ONLY THE MINIMUM DATA REQUIRED BY THE TECHNOLOGY USED IN THE SMART ACCESS SYSTEM TO EFFECTUATE SUCH ENTRANCE AND PROTECT THE PRIVACY AND SECURITY OF SUCH USERS.
(II) THE OWNER OR AGENT OF THE OWNER SHALL NOT REQUEST OR RETAIN, IN ANY FORM, THE SOCIAL SECURITY NUMBER OF ANY TENANT OR LAWFUL OCCUPANT AS A CONDITION OF USE OF THE SMART ACCESS SYSTEM. (III) THE OWNER, AGENT OF THE OWNER, OR THE VENDOR OF A SMART ACCESS SYSTEM ON BEHALF OF THE OWNER MAY RECORD EACH TIME A KEY FOB, KEY CARD, DIGITAL KEY OR PASSCODE IS USED TO ENTER THE BUILDING, BUT SHALL NOT RECORD ANY DEPARTURES. (IV) A COPY OF SUCH DATA MAY BE RETAINED FOR REFERENCE AT THE POINT OF AUTHENTICATION BY THE SMART ACCESS SYSTEM. SUCH REFERENCE DATA SHALL BE RETAINED ONLY FOR TENANTS OR LAWFUL OCCUPANTS OR THOSE AUTHORIZED BY THE TENANT, LAWFUL OCCUPANT, OR OWNER OF THE MULTIPLE DWELLING. (V) THE OWNER OF THE MULTIPLE DWELLING OR ANY THIRD PARTY SHALL DESTROY OR ANONYMIZE AUTHENTICATION DATA COLLECTED FROM OR GENERATED BY SUCH SMART ACCESS SYSTEM WITHIN A REASONABLE TIME, BUT NOT LATER THAN NINETY DAYS AFTER THE DATE COLLECTED. (VI) REFERENCE DATA FOR A USER SHALL BE DESTROYED OR ANONYMIZED WITHIN NINETY DAYS OF (1) THE TENANT OR LAWFUL OCCUPANT PERMANENTLY VACATING THE DWELLING, OR (2) A REQUEST BY THE TENANT OR LAWFUL OCCUPANT TO WITHDRAW AUTHORIZATION FOR THOSE PREVIOUSLY AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT. (B) (I) AN ENTITY SHALL NOT CAPTURE BIOMETRIC IDENTIFIER INFORMATION OF AN INDIVIDUAL TO GAIN ENTRANCE TO A MULTIPLE DWELLING UNLESS THE PERSON IS A TENANT OR LAWFUL OCCUPANT OR A PERSON AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT, AND INFORMS THE INDIVIDUAL BEFORE CAPTURING THE BIOMETRIC IDENTIFIER INFORMATION; AND RECEIVES THEIR EXPRESS CONSENT TO CAPTURE THE BIOMETRIC IDENTIFIER INFORMATION.
(II) ANY ENTITY THAT POSSESSES BIOMETRIC IDENTIFIER INFORMATION OF AN INDIVIDUAL THAT IS CAPTURED TO GAIN ENTRANCE TO A MULTIPLE DWELLING: (1) SHALL NOT SELL, LEASE OR OTHERWISE DISCLOSE THE BIOMETRIC IDENTIFIER INFORMATION TO ANOTHER PERSON UNLESS PURSUANT TO ANY LAW, GRAND JURY SUBPOENA OR COURT ORDERED WARRANT, SUBPOENA, OR OTHER AUTHORIZED COURT ORDERED PROCESS. (2) SHALL STORE, TRANSMIT AND PROTECT FROM DISCLOSURE THE BIOMETRIC IDENTIFIER INFORMATION USING REASONABLE CARE AND IN A MANNER THAT IS THE SAME AS OR MORE PROTECTIVE THAN THE MANNER IN WHICH THE PERSON STORES, TRANSMITS AND PROTECTS CONFIDENTIAL INFORMATION THE PERSON POSSESSES; AND (3) SHALL DESTROY THE BIOMETRIC IDENTIFIER INFORMATION WITHIN A REASONABLE TIME, BUT NOT LATER THAN FORTY-EIGHT HOURS AFTER THE DATE COLLECTED, EXCEPT FOR REFERENCE DATA. IF ANY PROHIBITED INFORMATION IS COLLECTED, SUCH AS THE LIKENESS OF A MINOR OR A NON-TENANT, THE INFORMATION SHALL BE DESTROYED IMMEDIATELY. (C) THE OWNER OF THE MULTIPLE DWELLING, OR THE MANAGING AGENT, SHALL DEVELOP AND PROVIDE TO TENANTS AND LAWFUL OCCUPANTS WRITTEN PROCEDURES WHICH DESCRIBE THE PROCESS USED TO ADD PERSONS AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT TO THE SMART ACCESS SYSTEM ON A TEMPORARY OR PERMANENT BASIS, SUCH AS VISITORS, CHILDREN, THEIR EMPLOYEES, AND CAREGIVERS TO SUCH BUILDING. (I) THE PROCEDURES SHALL CLEARLY ESTABLISH THE OWNER'S RETENTION SCHEDULE AND GUIDELINES FOR PERMANENTLY DESTROYING OR ANONYMIZING THE DATA COLLECTED. (II) THE PROCEDURES SHALL NOT LIMIT TIME OR PLACE OF ENTRANCE BY SUCH PEOPLE AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT EXCEPT AS REQUESTED BY THE TENANT OR LAWFUL OCCUPANT. 5. PROHIBITIONS. (A) NO FORM OF LOCATION TRACKING, INCLUDING BUT NOT LIMITED TO SATELLITE LOCATION BASED SERVICES, SHALL BE INCLUDED IN ANY EQUIPMENT, KEY, OR SOFTWARE PROVIDED TO USERS AS PART OF A SMART ACCESS SYSTEM.
(B) IT SHALL BE PROHIBITED TO COLLECT THROUGH A SMART ACCESS SYSTEM THE LIKENESS OF A MINOR OCCUPANT, INFORMATION ON THE RELATIONSHIP STATUS OF TENANTS OR LAWFUL OCCUPANTS AND THEIR GUESTS, OR TO USE A SMART ACCESS SYSTEM TO COLLECT OR TRACK INFORMATION ABOUT THE FREQUENCY AND TIME OF USE OF SUCH SYSTEM BY A TENANT OR LAWFUL OCCUPANT AND THEIR GUESTS TO HARASS OR EVICT A TENANT OR LAWFUL OCCUPANT OR FOR ANY OTHER PURPOSE NOT EXPRESSLY RELATED TO THE OPERATION OF THE SMART ACCESS SYSTEM. (C) INFORMATION THAT IS ACQUIRED VIA THE USE OF A SMART ACCESS SYSTEM SHALL NOT BE USED FOR ANY PURPOSES OTHER THAN GRANTING ACCESS TO AND MONITORING BUILDING ENTRANCES AND SHALL NOT BE USED AS THE BASIS OR SUPPORT FOR AN ACTION TO EVICT A LESSEE, TENANT, OR LAWFUL OCCUPANT, OR AN ADMINISTRATIVE HEARING SEEKING A CHANGE IN REGULATORY COVERAGE FOR AN INDIVIDUAL OR UNIT. HOWEVER, A TENANT OR LAWFUL OCCUPANT MAY AUTHORIZE THEIR INFORMATION TO BE USED BY A THIRD PARTY, BUT SUCH A REQUEST SHALL CLEARLY STATE WHO WILL HAVE ACCESS TO SUCH INFORMATION, FOR WHAT PURPOSE IT WILL BE USED, AND THE PRIVACY POLICIES WHICH WILL PROTECT THEIR INFORMATION. UNDER NO CIRCUMSTANCES SHALL A LEASE OR A RENEWAL BE CONTINGENT UPON AUTHORIZING SUCH USE. SMART ACCESS SYSTEMS MAY USE THIRD-PARTY SERVICES TO THE EXTENT REQUIRED TO MAINTAIN AND OPERATE SYSTEM INFRASTRUCTURE, INCLUDING CLOUD-BASED HOSTING AND STORAGE. THE PROVIDER OR PROVIDERS OF THIRD-PARTY INFRASTRUCTURE SERVICES SHALL MEET OR EXCEED THE PRIVACY PROTECTIONS SET FORTH IN THIS SECTION AND SHALL BE SUBJECT TO THE SAME LIABILITY FOR BREACH OF ANY OF THE REQUIREMENTS OF THIS SECTION. (D) INFORMATION AND DATA COLLECTED SHALL NOT BE MADE AVAILABLE TO ANY THIRD PARTY, UNLESS AUTHORIZED AS DESCRIBED IN PARAGRAPH (C) OF THIS SUBDIVISION, INCLUDING BUT NOT LIMITED TO LAW ENFORCEMENT, EXCEPT UPON A GRAND JURY SUBPOENA OR A COURT ORDERED WARRANT, SUBPOENA, OR OTHER AUTHORIZED COURT ORDERED PROCESS. 6. STORAGE OF INFORMATION.
ANY INFORMATION OR DATA COLLECTED SHALL BE STORED IN A SECURE MANNER TO PREVENT UNAUTHORIZED ACCESS BY BOTH EMPLOYEES AND CONTRACTORS AND THOSE UNAFFILIATED WITH THE OWNER OR THEIR AGENTS, EXCEPT AS OTHERWISE PROVIDED IN THIS SECTION. FUTURE OR CONTINUING TENANCY SHALL NOT BE CONDITIONED UPON CONSENTING TO THE USE OF A SMART ACCESS SYSTEM. 7. SOFTWARE ISSUES. WHENEVER A COMPANY THAT PRODUCES, MAKES AVAILABLE OR INSTALLS SMART ACCESS SYSTEMS DISCOVERS A SECURITY BREACH OR CRITICAL SECURITY VULNERABILITY IN THEIR SOFTWARE, SUCH COMPANY SHALL NOTIFY CUSTOMERS OF SUCH VULNERABILITY WITHIN A REASONABLE TIME OF DISCOVERY BUT NO LATER THAN TWENTY-FOUR HOURS AFTER DISCOVERY AND SHALL MAKE SOFTWARE UPDATES AVAILABLE AND TAKE ANY OTHER ACTION AS MAY BE NECESSARY TO REPAIR THE VULNERABILITY WITHIN A REASONABLE TIME, BUT NOT LONGER THAN THIRTY DAYS AFTER DISCOVERY. SMART ACCESS SYSTEMS AND VENDORS SHALL IMPLEMENT AND MAINTAIN REASONABLE SECURITY PROCEDURES AND PRACTICES APPROPRIATE TO THE NATURE OF THE INFORMATION COLLECTED. IN THE EVENT THAT A SECURITY BREACH OR CRITICAL SECURITY VULNERABILITY THAT PERTAINS TO THE EMBEDDED SOFTWARE OR FIRMWARE ON THE SMART ACCESS SYSTEMS IS DISCOVERED, SMART ACCESS SYSTEMS AND THEIR VENDORS SHALL: (A) BE ABLE TO CREATE UPDATES TO THE FIRMWARE TO CORRECT THE VULNERABILITIES; (B) CONTRACTUALLY COMMIT TO CUSTOMERS THAT THE SMART ACCESS SYSTEM OR VENDOR WILL CREATE UPDATES TO THE EMBEDDED SOFTWARE OR FIRMWARE TO REMEDY THE VULNERABILITIES; AND (C) MAKE SUCH SECURITY-RELATED SOFTWARE OR FIRMWARE UPDATES AVAILABLE FOR FREE TO CUSTOMERS FOR THE DURATION OF THE CONTRACT BETWEEN THE BUILDING AND SMART ACCESS SYSTEMS. 8. WAIVER OF RIGHTS; VOID. ANY AGREEMENT BY A LESSEE OR TENANT OF A DWELLING WAIVING OR MODIFYING THEIR RIGHTS AS SET FORTH IN THIS SECTION SHALL BE VOID AS CONTRARY TO PUBLIC POLICY. 9. PENALTIES.
(A) A PERSON WHO VIOLATES THIS SECTION SHALL BE SUBJECT TO A CIVIL PENALTY OF NOT MORE THAN FIVE THOUSAND DOLLARS FOR EACH VIOLATION. THE ATTORNEY GENERAL MAY BRING AN ACTION TO RECOVER THE CIVIL PENALTY. AN INDIVIDUAL INJURED BY A VIOLATION OF THIS SECTION MAY BRING AN ACTION TO RECOVER DAMAGES. A COURT MAY ALSO AWARD ATTORNEYS' FEES TO A PREVAILING PLAINTIFF. (B) WHERE AN OWNER OR THEIR AGENT USES A SMART ACCESS SYSTEM TO HARASS OR OTHERWISE DEPRIVE A TENANT OR LAWFUL OCCUPANT OF ANY RIGHTS AVAILABLE UNDER LAW, SUCH OWNER OR AGENT SHALL BE SUBJECT TO A CIVIL PENALTY OF NOT MORE THAN TEN THOUSAND DOLLARS FOR EACH VIOLATION. (C) FOR PURPOSES OF THIS SUBDIVISION, EACH DAY THE VIOLATION OCCURS SHALL BE CONSIDERED A SEPARATE VIOLATION. 10. RENT REGULATED DWELLINGS. INSTALLATION OF A SMART ACCESS SYSTEM PURSUANT TO THIS SECTION IN A DWELLING SUBJECT TO THE EMERGENCY TENANT PROTECTION ACT OF NINETEEN HUNDRED SEVENTY-FOUR, THE EMERGENCY HOUSING RENT CONTROL LAW, THE LOCAL EMERGENCY HOUSING RENT CONTROL ACT, OR THE RENT STABILIZATION LAW OF NINETEEN HUNDRED SIXTY-NINE SHALL CONSTITUTE A MODIFICATION OF SERVICES REQUIRING THE OWNER OF SUCH DWELLING OR THEIR AGENT TO APPLY TO THE DIVISION OF HOUSING AND COMMUNITY RENEWAL FOR APPROVAL BEFORE PERFORMING SUCH INSTALLATION. SUCH INSTALLATION SHALL NOT QUALIFY AS A BASIS FOR RENT REDUCTION. 11. EXEMPTIONS. (A) NOTHING HEREIN SHALL APPLY TO MULTIPLE DWELLINGS OWNED OR MANAGED BY AN ENTITY SUBJECT TO 42 U.S.C. § 1437 ET SEQ., OR ANY OF ITS SUBSIDIARIES, OR MULTIPLE DWELLINGS THAT ARE PRIMARILY OCCUPIED BY TRANSIENT OCCUPANTS FOR A PERIOD OF LESS THAN THIRTY DAYS. (B) NOTHING IN THIS SECTION SHALL LIMIT THE AUTHORITY OF THE DIVISION OF HOUSING AND COMMUNITY RENEWAL TO IMPOSE ADDITIONAL REQUIREMENTS REGARDING SMART ACCESS SYSTEMS INSTALLED IN MULTIPLE DWELLINGS FOR WHICH THE DIVISION IS REQUIRED TO APPROVE SUBSTITUTIONS OR MODIFICATIONS OF SERVICES. § 3. Severability.
If any provision of this act, or any application of any provision of this act, is held to be invalid, that shall not affect the validity or effectiveness of any other provision of this act, or of any other application of any provision of this act, which can be given effect without that provision or application; and to that end, the provisions and applications of this act are severable. § 4. This act shall take effect on the one hundred eightieth day after it shall have become a law.