NY State Senate Bill 2023-S2078B

Senate Bill S2078B

2023-2024 Legislative Session

Relates to the use of smart access systems and the information that may be gathered from such systems

download bill text pdf

Current Bill Status - In Assembly Committee

Introduced
- In Committee Assembly
- In Committee Senate
- On Floor Calendar Assembly
- On Floor Calendar Senate
- Passed Assembly
- Passed Senate
Delivered to Governor
Signed By Governor

Please enter your contact information

First Name

Last Name

Email Address

A valid email address is required.

Home address is used to determine the senate district in which you reside. Your support or opposition to this bill is then shared immediately with the senator who represents you.

Optional services from the NY State Senate:

Create an account. An account allows you to officially support or oppose key legislation, sign petitions with a single click, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Include a custom message for your Senator? (Optional)

Enter a message to your senator. Many New Yorkers use this to share the reasoning behind their support or opposition to the bill. Others might share a personal anecdote about how the bill would affect them or people they care about.

Actions

View Actions

	Assembly Actions - Lowercase Senate Actions - UPPERCASE
Jun 04, 2024	referred to codes delivered to assembly passed senate
May 20, 2024	amended on third reading 2078b
May 15, 2024	advanced to third reading
May 14, 2024	2nd report cal.
May 13, 2024	1st report cal.1016
Jan 03, 2024	referred to housing, construction and community development
May 30, 2023	print number 2078a
May 30, 2023	amend (t) and recommit to housing, construction and community development
Jan 18, 2023	referred to housing, construction and community development

Votes

- Jun 4, 2024 - Floor Vote
  S2078B
  
  38
  
  Aye
  
  23
  
  Nay
  
  0
  
  Absent
  
  1
  
  Excused
  
  0
  
  Abstained
  - - Floor Vote: Jun 4, 2024
      
      aye (38)
      
      Addabbo Jr.
      
      Bailey
      
      Breslin
      
      Brisport
      
      Brouk
      
      Chu
      
      Cleare
      
      Comrie
      
      Cooney
      
      Fernandez
      
      Gianaris
      
      Gonzalez
      
      Gounardes
      
      Harckham
      
      Hinchey
      
      Hoylman-Sigal
      
      Jackson
      
      Kavanagh
      
      Krueger
      
      Liu
      
      Mannion
      
      Martinez
      
      May
      
      Myrie
      
      Parker
      
      Persaud
      
      Ramos
      
      Rivera
      
      Ryan
      
      Salazar
      
      Sanders Jr.
      
      Scarcella-Spanton
      
      Sepúlveda
      
      Serrano
      
      Stavisky
      
      Stewart-Cousins
      
      Thomas
      
      Webb
      
      nay (23)
      
      Ashby
      
      Borrello
      
      Canzoneri-Fitzpatrick
      
      Felder
      
      Gallivan
      
      Griffo
      
      Helming
      
      Lanza
      
      Martins
      
      Mattera
      
      Mayer
      
      Murray
      
      O'Mara
      
      Oberacker
      
      Ortt
      
      Palumbo
      
      Rhoads
      
      Rolison
      
      Skoufis
      
      Stec
      
      Tedisco
      
      Weber
      
      Weik
      
      excused (1)
      
      Walczyk
  May 13, 2024 - Housing, Construction And Community Development Committee Vote
  S2078B
  
  8
  
  Aye
  
  2
  
  Nay
  
  1
  
  Aye with Reservations
  
  0
  
  Absent
  
  0
  
  Excused
  
  0
  
  Abstained
  - - Housing, Construction And Community Development Committee Vote: May 13, 2024
      
      aye (8)
      
      Brisport
      
      Cleare
      
      Jackson
      
      Kavanagh
      
      May
      
      Myrie
      
      Rivera
      
      Salazar
      
      nay (2)
      
      Borrello
      
      Helming
      
      aye wr (1)
      
      Martins

Bill Amendments

Original

B (Active)

co-Sponsors

2023-S2078 - Details

See Assembly Version of this Bill:: A48
Current Committee:: Assembly Codes
Law Section:: Multiple Dwelling Law
Laws Affected:: Add §50-b, Mult Dwell L; add §130-a, Mult Res L
Versions Introduced in Other Legislative Sessions:: 2019-2020: S5125, A6788
2021-2022: S6463, A706

2023-S2078 - Summary

Relates to limitations on the use of smart access systems; restricts information that may be gathered on lessees, tenants, owners or guests.

2023-S2078 - Sponsor Memo

                                 
BILL NUMBER: S2078

SPONSOR: KAVANAGH
 
TITLE OF BILL:

An act to amend the multiple dwelling law and the multiple residence
law, in relation to the use of electronic or computerized entry systems
and the information that may be gathered from such systems

 
PURPOSE:

This legislation relates to limitations on electronic or computerized
systems for entry.

 
SUMMARY OF PROVISIONS:

Section one of the bill amends the multiple dwelling law by adding a new
section 50-b.

Section two of the bill amends the multiple residence law by adding new
section 130-a. Respectively, the new sections 50-b of the multiple
dwelling law and 130-a of the multiple residence law:

* sets forth definitions;

* requires for every entrance to a class A multiple dwelling does not
rely on an electronic or computerized system for entry, landlords to
provides to lawful tenants occupants with alternative non-electronic
means of entry where requested, and backup power or alternative means of
entry that are operable during a power outage;

* requires landlords to provide notice to a tenant of above provisions;

* limits collection of data from electronic and/or computerized entry
systems, and provides that no new electronic and/or computerized entry
systems that rely on the collection of biometric data shall be installed
in class A multiple dwellings for three years after this bill becomes
law;

* prohibits collection or use of certain information from electronic
and/or computerized entry systems;

* requires secure storage of information or data collected, to prevent
unauthorized access;

* requires the company of the electronic or computerized entry system to
implement reasonable security procedures and practices, and if the
company discovers a security breach or vulnerability in their software,
the company is required to notify customers no later than 24 hours after
discover and repair within a reasonable time, not longer than 30 days;

* prohibits conditioning continuing or future tenancy upon consenting to
the use of an electronic and/or computerized entry system;

* voids any agreement by a lessee or tenant modifying his or her rights
as set forth in this section; subjects anyone violating this section to
a civil penalty; and *exempts certain multiple dwellings owned or
managed by an entity subject to 42 U.S.C. § 1437 et seq., or any of its
Subsidiaries.
Section three provides for severability.

Section four establishes the effective date.

 
JUSTIFICATION:

Electronic and computerized entry systems for residential buildings can
pose serious threats to privacy rights of tenants and their guests. This
legislation seeks to establish protections for individuals entering a
class A multiple dwelling and prohibits landlords from requiring tenants
to use keyless entry systems as a condition of their tenancy. This
legislation sets limits on the sharing and storing of information and
prohibits the use of any information gathered via the system as the
basis of any proceeding against a tenant.

 
LEGISLATIVE HISTORY:

2022: S6463A (Kavanagh) / A706C (Rosenthal L) - HOUSING/housing

2020: S5125-8 (Montgomery) / A6788-8 (Rosenthal L) - JUDICIARY/housing

 
FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS:

Minimal.

 
EFFECTIVE DATE:
This act shall take effect on the one hundred eightieth day after it
shall have become a law.

2023-S2078 - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                   2078
 
                        2023-2024 Regular Sessions
 
                             I N  S E N A T E
 
                             January 18, 2023
                                ___________
 
 Introduced by Sens. KAVANAGH, KRUEGER -- read twice and ordered printed,
   and  when  printed  to  be  committed  to  the  Committee  on Housing,
   Construction and Community Development
 
 AN ACT to amend the multiple dwelling law  and  the  multiple  residence
   law,  in  relation  to  the  use  of  electronic or computerized entry
   systems and the information that may be gathered from such systems
 
   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section  1.  The  multiple  dwelling  law  is  amended by adding a new
 section 50-b to read as follows:
   § 50-B. ELECTRONIC OR COMPUTERIZED ENTRY SYSTEMS. 1.  DEFINITIONS. FOR
 THE PURPOSES OF THIS SECTION, THE FOLLOWING TERMS SHALL HAVE THE FOLLOW-
 ING MEANINGS:
   (A) "ACCOUNT INFORMATION" MEANS INFORMATION THAT IS USED  TO  GRANT  A
 USER  ENTRY  OR  ACCESS TO ANY ONLINE TOOLS THAT ARE USED TO MANAGE USER
 ACCOUNTS RELATED TO AN ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM.
   (B) "AUTHENTICATION DATA" MEANS DATA GENERATED OR COLLECTED AT A POINT
 OF AUTHENTICATION IN CONNECTION WITH GRANTING A USER ENTRY TO A CLASS  A
 MULTIPLE  DWELLING  OR  COMMON  AREA  WITH AN ELECTRONIC OR COMPUTERIZED
 ENTRY SYSTEM, EXCEPT THAT "AUTHENTICATION DATA" SHALL NOT  INCLUDE  DATA
 GENERATED  THROUGH OR COLLECTED BY A VIDEO OR CAMERA SYSTEM THAT IS USED
 TO MONITOR ENTRANCES BUT NOT TO GRANT ENTRY.
   (C) "CRITICAL SECURITY VULNERABILITY" MEANS A  SECURITY  VULNERABILITY
 THAT HAS A SIGNIFICANT RISK OF RESULTING IN AN UNAUTHORIZED ACCESS TO AN
 AREA SECURED BY AN ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM.
   (D)  "REFERENCE  DATA"  MEANS INFORMATION AGAINST WHICH AUTHENTICATION
 DATA IS VERIFIED AT A POINT OF AUTHENTICATION BY A SMART  ACCESS  SYSTEM
 IN ORDER TO GRANT A USER ENTRY TO A SMART ACCESS BUILDING OR COMMON AREA
 OF SUCH BUILDING.
   (E)  "SECURITY BREACH" MEANS ANY INCIDENT THAT RESULTS IN UNAUTHORIZED
 ACCESS OF DATA,  APPLICATIONS,  SERVICES,  NETWORKS  AND/OR  DEVICES  BY
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD00692-01-3

 S. 2078                             2
 
 BYPASSING  UNDERLYING  SECURITY  MECHANISMS.  A "SECURITY BREACH" OCCURS
 WHEN AN INDIVIDUAL OR AN APPLICATION ILLEGITIMATELY  ENTERS  A  PRIVATE,
 CONFIDENTIAL OR UNAUTHORIZED LOGICAL INFORMATION TECHNOLOGY PERIMETER.
   2.  ENTRY.  A.  WHERE A LANDLORD INSTALLS OR PLANS TO INSTALL AN ELEC-
 TRONIC OR COMPUTERIZED ENTRY SYSTEM ON ANY  ENTRANCE  FROM  THE  STREET,
 PASSAGEWAY,  COURT,  YARD,  CELLAR,  OR  OTHER  COMMON AREA OF A CLASS A
 MULTIPLE DWELLING, SUCH SYSTEM SHALL NOT  RELY  SOLELY  ON  A  WEB-BASED
 APPLICATION TO FACILITATE ENTRANCE BUT SHALL ALSO INCLUDE A KEY FOB, KEY
 CARD, DIGITAL KEY OR PASSCODE FOR TENANT USE.
   B.  LANDLORDS  MAY  PROVIDE  VARIOUS  METHODS OF ENTRY INTO INDIVIDUAL
 APARTMENTS INCLUDING A MECHANICAL KEY OR AN ELECTRONIC  OR  COMPUTERIZED
 ENTRY  SYSTEM  OF  A KEY FOB, KEY CARD OR DIGITAL KEY, PROVIDED, HOWEVER
 THAT SUCH ELECTRONIC OR COMPUTERIZED ENTRY SYSTEM SHALL NOT RELY  SOLELY
 ON A WEB-BASED APPLICATION.
   C.  NOTWITHSTANDING  PARAGRAPH  A  OR B OF THIS SUBDIVISION, LANDLORDS
 SHALL PROVIDE A NON-ELECTRONIC MEANS OF ENTRY  WHERE  REQUESTED  BY  THE
 TENANT DUE TO A RELIGIOUS PREFERENCE.
   D.  ALL LAWFUL TENANTS AND OCCUPANTS SHALL BE PROVIDED WITH A KEY, KEY
 FOB, DIGITAL KEY OR KEY CARD AT NO COST TO SUCH TENANTS. THE TERM "OCCU-
 PANTS" SHALL INCLUDE CHILDREN UNDER THE AGE OF  EIGHTEEN  WHO  SHALL  BE
 ISSUED  A  KEY, KEY FOB, DIGITAL KEY OR KEY CARD IF A PARENT OR GUARDIAN
 REQUESTS SUCH CHILD BE PROVIDED WITH ONE. TENANTS MAY ALSO RECEIVE UP TO
 FOUR ADDITIONAL KEYS, KEY FOBS, DIGITAL KEY OR KEY CARDS AT NO  COST  TO
 THE  TENANT  FOR  EMPLOYEES  OR  GUESTS. THE TERM "GUESTS" SHALL INCLUDE
 FAMILY MEMBERS AND FRIENDS WHO CAN REASONABLY BE EXPECTED TO VISIT ON  A
 REGULAR BASIS OR VISIT AS NEEDED TO CARE FOR THE TENANT OR THE APARTMENT
 IF  THE  TENANT  IS AWAY. EMPLOYEES, INCLUDING CONTRACTORS, PROFESSIONAL
 CAREGIVERS OR OTHER SERVICES PROVIDERS,  MAY  HAVE  AN  EXPIRATION  DATE
 PLACED  ON  THEIR  KEY,  KEY  CARD, DIGITAL KEY OR KEY FOB, WHICH MAY BE
 EXTENDED UPON THE TENANT'S OR OCCUPANT'S REQUEST.  TENANTS MAY REQUEST A
 NEW OR REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR KEY  CARD  AT  ANY  TIME
 THROUGHOUT  THE COURSE OF THE TENANCY.  THE LANDLORD OR HIS OR HER AGENT
 SHALL PROVIDE THE FIRST REPLACEMENT KEY, KEY FOB,  DIGITAL  KEY  OR  KEY
 CARD  TO  THE  TENANT  FREE OF CHARGE. THE COST OF SECOND AND SUBSEQUENT
 REPLACEMENT CARDS SHALL NOT BE MORE THAN WHAT THE LANDLORD PAID FOR  THE
 REPLACEMENT UP TO AND NOT EXCEEDING TWENTY-FIVE DOLLARS.
   E.  THE LANDLORD SHALL NOT SET LIMITS ON THE NUMBER OF KEYS, KEY FOBS,
 DIGITAL KEYS OR KEY CARDS A LAWFUL TENANT OR OCCUPANT MAY REQUEST.
   F. ANY DOOR THAT HAS AN ELECTRONIC OR COMPUTERIZED ENTRY SYSTEM  SHALL
 HAVE  BACKUP  POWER  OR AN ALTERNATIVE MEANS OF ENTRY TO ENSURE THAT THE
 ENTRY SYSTEM CONTINUES TO OPERATE DURING A POWER OUTAGE. A LANDLORD,  OR
 HIS  OR  HER  AGENT,  SHALL ROUTINELY INSPECT THE BACKUP POWER AND SHALL
 REPLACE ACCORDING TO SYSTEM SPECIFICATIONS.    OWNERS  OR  THEIR  AGENTS
 SHALL  PROVIDE  LAWFUL TENANTS AND OCCUPANTS WITH INFORMATION ABOUT WHOM
 TO CONTACT IN THE EVENT THAT THE TENANT, OCCUPANT  OR  THE  TENANT'S  OR
 OCCUPANT'S CHILDREN, GUESTS OR EMPLOYEES BECOME LOCKED OUT.
   3.  NOTICE. LANDLORDS OR THEIR AGENTS SHALL PROVIDE NOTICE TO A TENANT
 AT THE TIME THE TENANT SIGNS  THE  LEASE,  OR  WHEN  THE  ELECTRONIC  OR
 COMPUTERIZED ENTRY SYSTEM IS INSTALLED, OF THE PROVISIONS OF SUBDIVISION
 TWO OF THIS SECTION.
   4.  DATA  COLLECTION.  A.  IF  AN ELECTRONIC AND/OR COMPUTERIZED ENTRY
 SYSTEM IS UTILIZED TO GAIN ENTRANCE TO A CLASS A MULTIPLE DWELLING,  THE
 ONLY  REFERENCE, AUTHENTICATION, AND ACCOUNT INFORMATION GATHERED BY ANY
 ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM SHALL BE LIMITED TO  ACCOUNT
 INFORMATION  USED  TO  GRANT  A USER ENTRY OR TO ACCESS ANY ONLINE TOOLS
 USED TO MANAGE USER ACCOUNTS RELATED TO THE ELECTRONIC AND/OR  COMPUTER-
 S. 2078                             3
 
 IZED  ENTRY  SYSTEM,  OR  REFERENCE DATA, SUCH AS THE LESSEE OR TENANT'S
 NAME, APARTMENT NUMBER, THE PREFERRED METHOD OF CONTACT FOR SUCH  LESSEE
 OR  TENANT,  OTHER  DOORS  OR COMMON AREAS TO WHICH THE USER HAS ACCESS,
 MOVE-IN  AND,  IF AVAILABLE MOVE-OUT DATES, AND AUTHENTICATION DATA SUCH
 AS TIME AND METHOD OF ACCESS FOR SECURITY PURPOSES AND A  PHOTOGRAPH  OF
 ACCESS  EVENTS  FOR  SECURITY  PURPOSES. FOR ELECTRONIC AND COMPUTERIZED
 ENTRY SYSTEMS THAT RELY ON THE COLLECTION OF BIOMETRIC  DATA  AND  WHICH
 HAVE ALREADY BEEN INSTALLED AT THE TIME THIS SECTION SHALL HAVE BECOME A
 LAW, A BIOMETRIC IDENTIFIER MAY BE COLLECTED PURSUANT TO THIS SECTION IN
 ORDER  TO REGISTER A LESSEE OR TENANT FOR AN ELECTRONIC AND/OR COMPUTER-
 IZED ENTRY SYSTEM.  NO NEW ELECTRONIC AND/OR COMPUTERIZED ENTRY  SYSTEMS
 THAT  RELY  ON  THE  COLLECTION  OF BIOMETRIC DATA SHALL BE INSTALLED IN
 CLASS A MULTIPLE DWELLINGS FOR THREE YEARS AFTER THE EFFECTIVE  DATE  OF
 THIS SECTION.
   (I)  THE  OWNER  OF THE MULTIPLE DWELLING MAY COLLECT ONLY THE MINIMUM
 DATA REQUIRED BY THE TECHNOLOGY USED IN THE ELECTRONIC AND/OR  COMPUTER-
 IZED  ENTRY  SYSTEM  TO EFFECTUATE SUCH ENTRANCE AND PROTECT THE PRIVACY
 AND SECURITY OF SUCH TENANTS.
   (II) THE OWNER OR AGENT OF THE OWNER SHALL NOT REQUEST OR  RETAIN,  IN
 ANY  FORM,  THE  SOCIAL  SECURITY  NUMBER OF ANY TENANT OR OCCUPANT AS A
 CONDITION OF USE OF THE ELECTRONIC OR COMPUTERIZED ENTRY SYSTEM.
   (III) THE OWNER, AGENT OF THE OWNER, OR THE VENDOR OF AN ELECTRONIC OR
 COMPUTERIZED ENTRY SYSTEM ON BEHALF OF THE OWNER MAY RECORD EACH TIME  A
 KEY  FOB,  KEY CARD, DIGITAL KEY OR PASSCODE IS USED TO ENTER THE BUILD-
 ING, BUT SHALL NOT RECORD ANY DEPARTURES.
   (IV) A COPY OF SUCH DATA MAY BE RETAINED FOR REFERENCE AT THE POINT OF
 AUTHENTICATION BY THE ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM.  SUCH
 REFERENCE  DATA  MAY BE RETAINED ONLY FOR TENANTS OR THOSE AUTHORIZED BY
 THE TENANT OR OWNER OF THE MULTIPLE DWELLING.
   (V) THE OWNER OF THE MULTIPLE  DWELLING  SHALL  DESTROY  OR  ANONYMIZE
 AUTHENTICATION  DATA WITHIN A REASONABLE TIME, BUT NOT LATER THAN NINETY
 DAYS AFTER THE DATE COLLECTED.
   (VI) REFERENCE DATA FOR A TENANT OR THOSE AUTHORIZED BY A TENANT SHALL
 BE DESTROYED OR ANONYMIZED WITHIN NINETY DAYS OF (1) THE  TENANT  PERMA-
 NENTLY VACATING THE DWELLING, OR (2) A REQUEST BY THE TENANT TO WITHDRAW
 AUTHORIZATION FOR THOSE PREVIOUSLY AUTHORIZED BY THE TENANT.
   B.  (I) FOR THE PURPOSES OF THIS SECTION, "BIOMETRIC IDENTIFIER" MEANS
 A RETINA OR IRIS SCAN, FINGERPRINT, VOICEPRINT, OR RECORD OF HAND,  FACE
 GEOMETRY OR OTHER SIMILAR FEATURE.
   (II) AN ENTITY MAY NOT CAPTURE A BIOMETRIC IDENTIFIER OF AN INDIVIDUAL
 TO  GAIN  ENTRANCE TO A CLASS A MULTIPLE DWELLING UNLESS THE PERSON IS A
 TENANT OR PERSON AUTHORIZED BY THE TENANT, AND  INFORMS  THE  INDIVIDUAL
 BEFORE  CAPTURING  THE  BIOMETRIC IDENTIFIER; AND RECEIVES THEIR EXPRESS
 CONSENT TO CAPTURE THE BIOMETRIC IDENTIFIER.
   (III) ANY ENTITY THAT POSSESSES A BIOMETRIC IDENTIFIER OF AN  INDIVID-
 UAL THAT IS CAPTURED TO GAIN ENTRANCE TO A CLASS A MULTIPLE DWELLING:
   (1) MAY NOT SELL, LEASE OR OTHERWISE DISCLOSE THE BIOMETRIC IDENTIFIER
 TO  ANOTHER  PERSON  UNLESS  PURSUANT  TO A GRAND JURY SUBPOENA OR COURT
 ORDERED WARRANT, SUBPOENA, OR OTHER AUTHORIZED COURT ORDERED PROCESS.
   (2) SHALL STORE, TRANSMIT AND PROTECT FROM  DISCLOSURE  THE  BIOMETRIC
 IDENTIFIER  USING REASONABLE CARE AND IN A MANNER THAT IS THE SAME AS OR
 MORE PROTECTIVE THAN THE MANNER IN WHICH THE  PERSON  STORES,  TRANSMITS
 AND PROTECTS CONFIDENTIAL INFORMATION THE PERSON POSSESSES; AND
   (3)  SHALL  DESTROY THE BIOMETRIC IDENTIFIER WITHIN A REASONABLE TIME,
 BUT NOT LATER THAN FORTY-EIGHT HOURS AFTER THE  DATE  COLLECTED,  EXCEPT
 FOR REFERENCE DATA.  IF ANY PROHIBITED INFORMATION IS COLLECTED, SUCH AS
 S. 2078                             4
 
 THE  LIKENESS  OF  A  MINOR  OR  A  NON-TENANT, THE INFORMATION SHALL BE
 DESTROYED IMMEDIATELY.
   C.  THE  OWNER  OF  THE MULTIPLE DWELLING, OR THE MANAGING AGENT, MUST
 DEVELOP WRITTEN PROCEDURES  WHICH  DESCRIBE  THE  PROCESS  USED  TO  ADD
 PERSONS AUTHORIZED BY THE TENANT TO ELECTRONIC AND/OR COMPUTERIZED ENTRY
 SYSTEMS  ON  A TEMPORARY OR PERMANENT BASIS, SUCH AS VISITORS, CHILDREN,
 THEIR EMPLOYEES, AND CAREGIVERS TO SUCH BUILDING.
   (I) THE PROCEDURES MUST CLEARLY ESTABLISH THE OWNER'S RETENTION SCHED-
 ULE AND GUIDELINES FOR PERMANENTLY DESTROYING OR  ANONYMIZING  THE  DATA
 COLLECTED.
   (II)  THE  PROCEDURES  CANNOT  LIMIT TIME OR PLACE OF ENTRANCE BY SUCH
 PEOPLE AUTHORIZED BY THE TENANT EXCEPT AS REQUESTED BY THE TENANT.
   5. PROHIBITIONS. A. NO FORM OF LOCATION TRACKING,  INCLUDING  BUT  NOT
 LIMITED  TO  SATELLITE LOCATION BASED SERVICES, SHALL BE INCLUDED IN ANY
 EQUIPMENT, KEY, OR SOFTWARE PROVIDED TO TENANTS OR GUESTS AS PART OF  AN
 ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM.
   B.  IT  SHALL  BE  PROHIBITED  TO COLLECT THROUGH AN ELECTRONIC AND/OR
 COMPUTERIZED ENTRY SYSTEM THE LIKENESS OF A MINOR OCCUPANT,  INFORMATION
 ON  THE RELATIONSHIP STATUS OF TENANTS, LESSEES AND/OR GUESTS, OR TO USE
 A SMART ACCESS SYSTEM TO COLLECT OR TRACK INFORMATION ABOUT THE FREQUEN-
 CY AND TIME OF USE OF SUCH SYSTEM BY A TENANT AND/OR GUESTS TO HARASS OR
 EVICT A TENANT OR FOR ANY OTHER PURPOSE NOT  EXPRESSLY  RELATED  TO  THE
 OPERATION OF THE SMART ACCESS SYSTEM.
   C.  INFORMATION  THAT  IS ACQUIRED VIA THE USE OF AN ELECTRONIC AND/OR
 COMPUTERIZED ENTRY SYSTEM SHALL NOT BE USED FOR ANY PURPOSES OTHER  THAN
 MONITORING  BUILDING  ENTRANCES  AND  SHALL  NOT BE USED AS THE BASIS OR
 SUPPORT FOR AN ACTION TO EVICT A LESSEE OR TENANT, OR AN  ADMINISTRATIVE
 HEARING  SEEKING  A  CHANGE  IN REGULATORY COVERAGE FOR AN INDIVIDUAL OR
 UNIT.  HOWEVER, A TENANT MAY AUTHORIZE THEIR INFORMATION TO BE USED BY A
 THIRD PARTY, BUT SUCH A REQUEST MUST CLEARLY STATE WHO WILL HAVE  ACCESS
 TO  SUCH  INFORMATION, FOR WHAT PURPOSE IT WILL BE USED, AND THE PRIVACY
 POLICIES WHICH WILL PROTECT THEIR INFORMATION.  UNDER  NO  CIRCUMSTANCES
 MAY  A LEASE OR A RENEWAL BE CONTINGENT UPON AUTHORIZING SUCH USE. ELEC-
 TRONIC AND/OR COMPUTERIZED SYSTEMS MAY USE THIRD-PARTY SERVICES  TO  THE
 EXTENT REQUIRED TO MAINTAIN AND OPERATE SYSTEM INFRASTRUCTURE, INCLUDING
 CLOUD-BASED HOSTING AND STORAGE. THE PROVIDER OR PROVIDERS OF THIRD-PAR-
 TY  INFRASTRUCTURE  SERVICES MUST MEET OR EXCEED THE PRIVACY PROTECTIONS
 SET FORTH IN THIS SECTION AND WILL BE SUBJECT TO THE SAME LIABILITY  FOR
 BREACH OF ANY OF THE REQUIREMENTS OF THIS SECTION.
   D.  INFORMATION  AND DATA COLLECTED SHALL NOT BE MADE AVAILABLE TO ANY
 THIRD PARTY, UNLESS AUTHORIZED AS DESCRIBED  ABOVE,  INCLUDING  BUT  NOT
 LIMITED TO LAW ENFORCEMENT, EXCEPT UPON A GRAND JURY SUBPOENA OR A COURT
 ORDERED WARRANT, SUBPOENA, OR OTHER AUTHORIZED COURT ORDERED PROCESS.
   6.  STORAGE OF INFORMATION. ANY INFORMATION OR DATA COLLECTED SHALL BE
 STORED IN A SECURE MANNER TO PREVENT UNAUTHORIZED ACCESS BY BOTH EMPLOY-
 EES AND CONTRACTORS AND THOSE UNAFFILIATED WITH THE  LANDLORD  OR  THEIR
 AGENTS, EXCEPT AS OTHERWISE PROVIDED IN THIS SECTION. FUTURE OR CONTINU-
 ING  TENANCY  SHALL  NOT BE CONDITIONED UPON CONSENTING TO THE USE OF AN
 ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM.
   7. SOFTWARE ISSUES. WHENEVER A COMPANY THAT PRODUCES, MAKES  AVAILABLE
 OR INSTALLS ELECTRONIC OR COMPUTERIZED ENTRY SYSTEMS DISCOVERS A SECURI-
 TY  BREACH  OR  CRITICAL  SECURITY VULNERABILITY IN THEIR SOFTWARE, SUCH
 COMPANY SHALL NOTIFY CUSTOMERS OF SUCH VULNERABILITY WITHIN A REASONABLE
 TIME OF DISCOVERY BUT NO LATER THAN TWENTY-FOUR  HOURS  AFTER  DISCOVERY
 AND  SHALL  MAKE SOFTWARE UPDATES AVAILABLE AND TAKE ANY OTHER ACTION AS
 MAY BE NECESSARY TO REPAIR THE VULNERABILITY WITHIN A  REASONABLE  TIME,
 S. 2078                             5
 
 BUT  NOT  LONGER THAN THIRTY DAYS AFTER DISCOVERY.  SMART ACCESS SYSTEMS
 AND VENDORS SHALL IMPLEMENT AND MAINTAIN REASONABLE SECURITY  PROCEDURES
 AND PRACTICES APPROPRIATE TO THE NATURE OF THE INFORMATION COLLECTED. IN
 THE EVENT THAT A SECURITY BREACH OR CRITICAL SECURITY VULNERABILITY THAT
 PERTAINS  TO  THE  EMBEDDED  SOFTWARE  OR  FIRMWARE  ON THE SMART ACCESS
 SYSTEMS IS DISCOVERED, SMART ACCESS SYSTEMS AND THEIR VENDORS SHALL:
   A. BE ABLE TO CREATE UPDATES TO THE FIRMWARE TO  CORRECT  THE  VULNER-
 ABILITIES;
   B.  CONTRACTUALLY  COMMIT TO CUSTOMERS THAT THE SMART ACCESS SYSTEM OR
 VENDOR WILL CREATE UPDATES TO THE EMBEDDED SOFTWARE OR FIRMWARE TO REME-
 DY THE VULNERABILITIES; AND
   C. MAKE SUCH SECURITY-RELATED SOFTWARE OR FIRMWARE  UPDATES  AVAILABLE
 FOR  FREE  TO  CUSTOMERS  FOR THE DURATION OF THE CONTRACT BETWEEN SMART
 ACCESS BUILDINGS AND SMART ACCESS SYSTEMS.
   8. WAIVER OF RIGHTS; VOID. ANY AGREEMENT BY A LESSEE OR  TENANT  OF  A
 DWELLING  WAIVING  OR  MODIFYING  HIS OR HER RIGHTS AS SET FORTH IN THIS
 SECTION SHALL BE VOID AS CONTRARY TO PUBLIC POLICY.
   9. PENALTIES. (A) A PERSON WHO VIOLATES THIS SECTION IS SUBJECT  TO  A
 CIVIL PENALTY OF NOT MORE THAN FIVE THOUSAND DOLLARS FOR EACH VIOLATION.
 THE  ATTORNEY  GENERAL MAY BRING AN ACTION TO RECOVER THE CIVIL PENALTY.
 AN INDIVIDUAL INJURED BY A VIOLATION OF THIS SECTION MAY BRING AN ACTION
 TO RECOVER DAMAGES. A COURT MAY ALSO AWARD ATTORNEYS' FEES TO A PREVAIL-
 ING PLAINTIFF.
   (B) WHERE A LANDLORD OR HIS OR HER AGENT USES AN ELECTRONIC OR COMPUT-
 ERIZED ENTRY SYSTEM TO HARASS OR  OTHERWISE  DEPRIVE  A  TENANT  OF  ANY
 RIGHTS AVAILABLE UNDER LAW, SUCH LANDLORD OR AGENT SHALL BE SUBJECT TO A
 CIVIL PENALTY OF TEN THOUSAND DOLLARS FOR EACH VIOLATION.
   (C)  FOR  PURPOSES  OF THIS SUBDIVISION, EACH DAY THE VIOLATION OCCURS
 SHALL BE CONSIDERED A SEPARATE VIOLATION.
   10. RENT REGULATED DWELLINGS. INSTALLATION OF AN ELECTRONIC OR COMPUT-
 ERIZED ENTRY SYSTEM PURSUANT TO THIS SECTION IN A RENT REGULATED  DWELL-
 ING  SHALL  CONSTITUTE A MODIFICATION OF SERVICES REQUIRING THE LANDLORD
 OF SUCH DWELLING OR HIS OR HER AGENT TO APPLY TO THE DIVISION OF HOUSING
 AND COMMUNITY RENEWAL FOR APPROVAL BEFORE PERFORMING SUCH  INSTALLATION.
 SUCH INSTALLATION SHALL NOT QUALIFY AS A BASIS FOR RENT REDUCTION.
   11.  EXEMPTIONS.  A.  NOTHING HEREIN SHALL APPLY TO MULTIPLE DWELLINGS
 OWNED OR MANAGED BY AN ENTITY SUBJECT TO 42 U.S.C. § 1437  ET  SEQ.,  OR
 ANY OF ITS SUBSIDIARIES.
   B.  NOTHING  IN THIS SECTION SHALL LIMIT THE AUTHORITY OF THE DIVISION
 OF HOUSING AND  COMMUNITY  RENEWAL  TO  IMPOSE  ADDITIONAL  REQUIREMENTS
 REGARDING ELECTRONIC OR COMPUTERIZED ENTRY SYSTEMS INSTALLED IN MULTIPLE
 DWELLINGS FOR WHICH THE DIVISION IS REQUIRED TO APPROVE SUBSTITUTIONS OR
 MODIFICATIONS OF SERVICES.
   §  2.  The  multiple  residence law is amended by adding a new section
 130-a to read as follows:
   § 130-A. ELECTRONIC OR COMPUTERIZED ENTRY SYSTEMS. 1. DEFINITIONS. FOR
 THE PURPOSES OF THIS SECTION, THE FOLLOWING TERMS SHALL HAVE THE FOLLOW-
 ING MEANINGS:
   (A) "ACCOUNT INFORMATION" MEANS INFORMATION THAT IS USED  TO  GRANT  A
 USER  ENTRY  OR  ACCESS TO ANY ONLINE TOOLS THAT ARE USED TO MANAGE USER
 ACCOUNTS RELATED TO AN ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM.
   (B) "AUTHENTICATION DATA" MEANS DATA GENERATED OR COLLECTED AT A POINT
 OF AUTHENTICATION IN CONNECTION WITH GRANTING A USER ENTRY TO A CLASS  A
 MULTIPLE  DWELLING  OR  COMMON  AREA  WITH AN ELECTRONIC OR COMPUTERIZED
 ENTRY SYSTEM, EXCEPT THAT "AUTHENTICATION DATA" SHALL NOT  INCLUDE  DATA
 S. 2078                             6

 GENERATED  THROUGH OR COLLECTED BY A VIDEO OR CAMERA SYSTEM THAT IS USED
 TO MONITOR ENTRANCES BUT NOT TO GRANT ENTRY.
   (C)  "CRITICAL  SECURITY VULNERABILITY" MEANS A SECURITY VULNERABILITY
 THAT HAS A SIGNIFICANT RISK OF RESULTING IN AN UNAUTHORIZED ACCESS TO AN
 AREA SECURED BY AN ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM.
   (D) "REFERENCE DATA" MEANS INFORMATION  AGAINST  WHICH  AUTHENTICATION
 DATA  IS  VERIFIED AT A POINT OF AUTHENTICATION BY A SMART ACCESS SYSTEM
 IN ORDER TO GRANT A USER ENTRY TO A SMART ACCESS BUILDING OR COMMON AREA
 OF SUCH BUILDING.
   (E) "SECURITY BREACH" MEANS ANY INCIDENT THAT RESULTS IN  UNAUTHORIZED
 ACCESS  OF  DATA,  APPLICATIONS,  SERVICES,  NETWORKS  AND/OR DEVICES BY
 BYPASSING UNDERLYING SECURITY MECHANISMS.  A  "SECURITY  BREACH"  OCCURS
 WHEN  AN  INDIVIDUAL  OR AN APPLICATION ILLEGITIMATELY ENTERS A PRIVATE,
 CONFIDENTIAL OR UNAUTHORIZED LOGICAL INFORMATION TECHNOLOGY PERIMETER.
   2. ENTRY. (A) WHERE A LANDLORD INSTALLS OR PLANS TO INSTALL  AN  ELEC-
 TRONIC  OR  COMPUTERIZED  ENTRY  SYSTEM ON ANY ENTRANCE FROM THE STREET,
 PASSAGEWAY, COURT, YARD, CELLAR, OR OTHER  COMMON  AREA  OF  A  CLASS  A
 MULTIPLE  DWELLING,  SUCH  SYSTEM  SHALL  NOT RELY SOLELY ON A WEB-BASED
 APPLICATION TO FACILITATE ENTRANCE BUT SHALL ALSO INCLUDE A KEY FOB, KEY
 CARD, DIGITAL KEY OR PASSCODE FOR TENANT USE.
   (B) LANDLORDS MAY PROVIDE VARIOUS METHODS  OF  ENTRY  INTO  INDIVIDUAL
 APARTMENTS  INCLUDING  A MECHANICAL KEY OR AN ELECTRONIC OR COMPUTERIZED
 ENTRY SYSTEM OF A KEY FOB, KEY CARD OR DIGITAL  KEY,  PROVIDED,  HOWEVER
 THAT  SUCH ELECTRONIC OR COMPUTERIZED ENTRY SYSTEM SHALL NOT RELY SOLELY
 ON A WEB-BASED APPLICATION.
   (C) NOTWITHSTANDING PARAGRAPH (A) OR (B) OF  THIS  SUBDIVISION,  LAND-
 LORDS  SHALL  PROVIDE A NON-ELECTRONIC MEANS OF ENTRY WHERE REQUESTED BY
 THE TENANT DUE TO A RELIGIOUS PREFERENCE.
   (D) ALL LAWFUL TENANTS AND OCCUPANTS SHALL BE PROVIDED WITH A KEY, KEY
 FOB, DIGITAL KEY OR KEY CARD AT NO COST TO SUCH TENANTS. THE TERM "OCCU-
 PANTS" SHALL INCLUDE CHILDREN UNDER THE AGE OF  EIGHTEEN  WHO  SHALL  BE
 ISSUED  A  KEY, KEY FOB, DIGITAL KEY OR KEY CARD IF A PARENT OR GUARDIAN
 REQUESTS SUCH CHILD BE PROVIDED WITH ONE. TENANTS MAY ALSO RECEIVE UP TO
 FOUR ADDITIONAL KEYS, KEY FOBS, DIGITAL KEY OR KEY CARDS AT NO  COST  TO
 THE  TENANT  FOR  EMPLOYEES  OR  GUESTS. THE TERM "GUESTS" SHALL INCLUDE
 FAMILY MEMBERS AND FRIENDS WHO CAN REASONABLY BE EXPECTED TO VISIT ON  A
 REGULAR BASIS OR VISIT AS NEEDED TO CARE FOR THE TENANT OR THE APARTMENT
 IF  THE  TENANT  IS AWAY. EMPLOYEES, INCLUDING CONTRACTORS, PROFESSIONAL
 CAREGIVERS OR OTHER SERVICES PROVIDERS,  MAY  HAVE  AN  EXPIRATION  DATE
 PLACED  ON  THEIR  KEY,  KEY  CARD, DIGITAL KEY OR KEY FOB, WHICH MAY BE
 EXTENDED UPON THE TENANT'S OR OCCUPANT'S REQUEST. TENANTS MAY REQUEST  A
 NEW  OR  REPLACEMENT  KEY,  KEY FOB, DIGITAL KEY OR KEY CARD AT ANY TIME
 THROUGHOUT THE COURSE OF THE TENANCY. THE LANDLORD OR HIS OR  HER  AGENT
 SHALL  PROVIDE  THE  FIRST  REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR KEY
 CARD TO THE TENANT FREE OF CHARGE. THE COST  OF  SECOND  AND  SUBSEQUENT
 REPLACEMENT  CARDS SHALL NOT BE MORE THAN WHAT THE LANDLORD PAID FOR THE
 REPLACEMENT UP TO AND NOT EXCEEDING TWENTY-FIVE DOLLARS.
   (E) THE LANDLORD SHALL NOT SET LIMITS ON THE NUMBER OF KEYS, KEY FOBS,
 DIGITAL KEYS OR KEY CARDS A LAWFUL TENANT OR OCCUPANT MAY REQUEST.
   (F) ANY DOOR THAT HAS AN ELECTRONIC OR COMPUTERIZED ENTRY SYSTEM SHALL
 HAVE BACKUP POWER OR AN ALTERNATIVE MEANS OF ENTRY TO  ENSURE  THAT  THE
 ENTRY  SYSTEM CONTINUES TO OPERATE DURING A POWER OUTAGE. A LANDLORD, OR
 HIS OR HER AGENT, SHALL ROUTINELY INSPECT THE  BACKUP  POWER  AND  SHALL
 REPLACE ACCORDING TO SYSTEM SPECIFICATIONS. OWNERS OR THEIR AGENTS SHALL
 PROVIDE  LAWFUL  TENANTS  AND  OCCUPANTS  WITH INFORMATION ABOUT WHOM TO
 S. 2078                             7
 
 CONTACT IN THE EVENT THAT THE TENANT, OCCUPANT OR THE TENANT'S OR  OCCU-
 PANT'S CHILDREN, GUESTS OR EMPLOYEES BECOME LOCKED OUT.
   3.  NOTICE. LANDLORDS OR THEIR AGENTS SHALL PROVIDE NOTICE TO A TENANT
 AT THE TIME THE TENANT SIGNS  THE  LEASE,  OR  WHEN  THE  ELECTRONIC  OR
 COMPUTERIZED ENTRY SYSTEM IS INSTALLED, OF THE PROVISIONS OF SUBDIVISION
 TWO OF THIS SECTION.
   4.  DATA  COLLECTION.  (A)  IF AN ELECTRONIC AND/OR COMPUTERIZED ENTRY
 SYSTEM IS UTILIZED TO GAIN ENTRANCE TO A CLASS A MULTIPLE DWELLING,  THE
 ONLY  REFERENCE, AUTHENTICATION, AND ACCOUNT INFORMATION GATHERED BY ANY
 ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM SHALL BE LIMITED TO  ACCOUNT
 INFORMATION  USED  TO  GRANT  A USER ENTRY OR TO ACCESS ANY ONLINE TOOLS
 USED TO MANAGE USER ACCOUNTS RELATED TO THE ELECTRONIC AND/OR  COMPUTER-
 IZED  ENTRY  SYSTEM,  OR  REFERENCE DATA, SUCH AS THE LESSEE OR TENANT'S
 NAME, APARTMENT NUMBER, THE PREFERRED METHOD OF CONTACT FOR SUCH  LESSEE
 OR  TENANT,  OTHER  DOORS  OR COMMON AREAS TO WHICH THE USER HAS ACCESS,
 MOVE-IN AND, IF AVAILABLE MOVE-OUT DATES, AND AUTHENTICATION  DATA  SUCH
 AS  TIME  AND METHOD OF ACCESS FOR SECURITY PURPOSES AND A PHOTOGRAPH OF
 ACCESS EVENTS FOR SECURITY PURPOSES.  FOR  ELECTRONIC  AND  COMPUTERIZED
 ENTRY  SYSTEMS  THAT  RELY ON THE COLLECTION OF BIOMETRIC DATA AND WHICH
 HAVE ALREADY BEEN INSTALLED AT THE TIME THIS SECTION SHALL HAVE BECOME A
 LAW, A BIOMETRIC IDENTIFIER MAY BE COLLECTED PURSUANT TO THIS SECTION IN
 ORDER TO REGISTER A LESSEE OR TENANT FOR AN ELECTRONIC AND/OR  COMPUTER-
 IZED  ENTRY  SYSTEM. NO NEW ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEMS
 THAT RELY ON THE COLLECTION OF BIOMETRIC  DATA  SHALL  BE  INSTALLED  IN
 CLASS  A  MULTIPLE DWELLINGS FOR THREE YEARS AFTER THE EFFECTIVE DATE OF
 THIS SECTION.
   (I) THE OWNER OF THE MULTIPLE DWELLING MAY COLLECT  ONLY  THE  MINIMUM
 DATA  REQUIRED BY THE TECHNOLOGY USED IN THE ELECTRONIC AND/OR COMPUTER-
 IZED ENTRY SYSTEM TO EFFECTUATE SUCH ENTRANCE AND  PROTECT  THE  PRIVACY
 AND SECURITY OF SUCH TENANTS.
   (II)  THE  OWNER OR AGENT OF THE OWNER SHALL NOT REQUEST OR RETAIN, IN
 ANY FORM, THE SOCIAL SECURITY NUMBER OF ANY  TENANT  OR  OCCUPANT  AS  A
 CONDITION OF USE OF THE ELECTRONIC OR COMPUTERIZED ENTRY SYSTEM.
   (III) THE OWNER, AGENT OF THE OWNER, OR THE VENDOR OF AN ELECTRONIC OR
 COMPUTERIZED  ENTRY SYSTEM ON BEHALF OF THE OWNER MAY RECORD EACH TIME A
 KEY FOB, KEY CARD, DIGITAL KEY OR PASSCODE IS USED TO ENTER  THE  BUILD-
 ING, BUT SHALL NOT RECORD ANY DEPARTURES.
   (IV) A COPY OF SUCH DATA MAY BE RETAINED FOR REFERENCE AT THE POINT OF
 AUTHENTICATION BY THE ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM.  SUCH
 REFERENCE  DATA  MAY BE RETAINED ONLY FOR TENANTS OR THOSE AUTHORIZED BY
 THE TENANT OR OWNER OF THE MULTIPLE DWELLING.
   (V) THE OWNER OF THE MULTIPLE  DWELLING  SHALL  DESTROY  OR  ANONYMIZE
 AUTHENTICATION  DATA WITHIN A REASONABLE TIME, BUT NOT LATER THAN NINETY
 DAYS AFTER THE DATE COLLECTED.
   (VI) REFERENCE DATA FOR A TENANT OR THOSE AUTHORIZED BY A TENANT SHALL
 BE DESTROYED OR ANONYMIZED WITHIN NINETY DAYS OF (1) THE  TENANT  PERMA-
 NENTLY VACATING THE DWELLING, OR (2) A REQUEST BY THE TENANT TO WITHDRAW
 AUTHORIZATION FOR THOSE PREVIOUSLY AUTHORIZED BY THE TENANT.
   (B) (I) FOR THE PURPOSES OF THIS SECTION, "BIOMETRIC IDENTIFIER" MEANS
 A  RETINA OR IRIS SCAN, FINGERPRINT, VOICEPRINT, OR RECORD OF HAND, FACE
 GEOMETRY OR OTHER SIMILAR FEATURE.
   (II) AN ENTITY MAY NOT CAPTURE A BIOMETRIC IDENTIFIER OF AN INDIVIDUAL
 TO GAIN ENTRANCE TO A CLASS A MULTIPLE DWELLING UNLESS THE PERSON  IS  A
 TENANT  OR  PERSON  AUTHORIZED BY THE TENANT, AND INFORMS THE INDIVIDUAL
 BEFORE CAPTURING THE BIOMETRIC IDENTIFIER; AND  RECEIVES  THEIR  EXPRESS
 CONSENT TO CAPTURE THE BIOMETRIC IDENTIFIER.
 S. 2078                             8
 
   (III)  ANY ENTITY THAT POSSESSES A BIOMETRIC IDENTIFIER OF AN INDIVID-
 UAL THAT IS CAPTURED TO GAIN ENTRANCE TO A CLASS A MULTIPLE DWELLING:
   (1) MAY NOT SELL, LEASE OR OTHERWISE DISCLOSE THE BIOMETRIC IDENTIFIER
 TO  ANOTHER  PERSON  UNLESS  PURSUANT  TO A GRAND JURY SUBPOENA OR COURT
 ORDERED WARRANT, SUBPOENA, OR OTHER AUTHORIZED COURT ORDERED PROCESS.
   (2) SHALL STORE, TRANSMIT AND PROTECT FROM  DISCLOSURE  THE  BIOMETRIC
 IDENTIFIER  USING REASONABLE CARE AND IN A MANNER THAT IS THE SAME AS OR
 MORE PROTECTIVE THAN THE MANNER IN WHICH THE  PERSON  STORES,  TRANSMITS
 AND PROTECTS CONFIDENTIAL INFORMATION THE PERSON POSSESSES; AND
   (3)  SHALL  DESTROY THE BIOMETRIC IDENTIFIER WITHIN A REASONABLE TIME,
 BUT NOT LATER THAN FORTY-EIGHT HOURS AFTER THE  DATE  COLLECTED,  EXCEPT
 FOR  REFERENCE DATA. IF ANY PROHIBITED INFORMATION IS COLLECTED, SUCH AS
 THE LIKENESS OF A MINOR  OR  A  NON-TENANT,  THE  INFORMATION  SHALL  BE
 DESTROYED IMMEDIATELY.
   (C)  THE  OWNER  OF THE MULTIPLE DWELLING, OR THE MANAGING AGENT, MUST
 DEVELOP WRITTEN PROCEDURES  WHICH  DESCRIBE  THE  PROCESS  USED  TO  ADD
 PERSONS AUTHORIZED BY THE TENANT TO ELECTRONIC AND/OR COMPUTERIZED ENTRY
 SYSTEMS  ON  A TEMPORARY OR PERMANENT BASIS, SUCH AS VISITORS, CHILDREN,
 THEIR EMPLOYEES, AND CAREGIVERS TO SUCH BUILDING.
   (I) THE PROCEDURES MUST CLEARLY ESTABLISH THE OWNER'S RETENTION SCHED-
 ULE AND GUIDELINES FOR PERMANENTLY DESTROYING OR  ANONYMIZING  THE  DATA
 COLLECTED.
   (II)  THE  PROCEDURES  CANNOT  LIMIT TIME OR PLACE OF ENTRANCE BY SUCH
 PEOPLE AUTHORIZED BY THE TENANT EXCEPT AS REQUESTED BY THE TENANT.
   5. PROHIBITIONS. (A) NO FORM OF LOCATION TRACKING, INCLUDING  BUT  NOT
 LIMITED  TO  SATELLITE LOCATION BASED SERVICES, SHALL BE INCLUDED IN ANY
 EQUIPMENT, KEY, OR SOFTWARE PROVIDED TO TENANTS OR GUESTS AS PART OF  AN
 ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM.
   (B)  IT  SHALL  BE  PROHIBITED TO COLLECT THROUGH AN ELECTRONIC AND/OR
 COMPUTERIZED ENTRY SYSTEM THE LIKENESS OF A MINOR OCCUPANT,  INFORMATION
 ON  THE RELATIONSHIP STATUS OF TENANTS, LESSEES AND/OR GUESTS, OR TO USE
 A SMART ACCESS SYSTEM TO COLLECT OR TRACK INFORMATION ABOUT THE FREQUEN-
 CY AND TIME OF USE OF SUCH SYSTEM BY A TENANT AND/OR GUESTS TO HARASS OR
 EVICT A TENANT OR FOR ANY OTHER PURPOSE NOT  EXPRESSLY  RELATED  TO  THE
 OPERATION OF THE SMART ACCESS SYSTEM.
   (C)  INFORMATION  THAT IS ACQUIRED VIA THE USE OF AN ELECTRONIC AND/OR
 COMPUTERIZED ENTRY SYSTEM SHALL NOT BE USED FOR ANY PURPOSES OTHER  THAN
 MONITORING  BUILDING  ENTRANCES  AND  SHALL  NOT BE USED AS THE BASIS OR
 SUPPORT FOR AN ACTION TO EVICT A LESSEE OR TENANT, OR AN  ADMINISTRATIVE
 HEARING  SEEKING  A  CHANGE  IN REGULATORY COVERAGE FOR AN INDIVIDUAL OR
 UNIT. HOWEVER, A TENANT MAY AUTHORIZE THEIR INFORMATION TO BE USED BY  A
 THIRD  PARTY, BUT SUCH A REQUEST MUST CLEARLY STATE WHO WILL HAVE ACCESS
 TO SUCH INFORMATION, FOR WHAT PURPOSE IT WILL BE USED, AND  THE  PRIVACY
 POLICIES  WHICH  WILL  PROTECT THEIR INFORMATION. UNDER NO CIRCUMSTANCES
 MAY A LEASE OR A RENEWAL BE CONTINGENT UPON AUTHORIZING SUCH USE.  ELEC-
 TRONIC  AND/OR  COMPUTERIZED SYSTEMS MAY USE THIRD-PARTY SERVICES TO THE
 EXTENT REQUIRED TO MAINTAIN AND OPERATE SYSTEM INFRASTRUCTURE, INCLUDING
 CLOUD-BASED HOSTING AND STORAGE. THE PROVIDER OR PROVIDERS OF THIRD-PAR-
 TY INFRASTRUCTURE SERVICES MUST MEET OR EXCEED THE  PRIVACY  PROTECTIONS
 SET  FORTH IN THIS SECTION AND WILL BE SUBJECT TO THE SAME LIABILITY FOR
 BREACH OF ANY OF THE REQUIREMENTS OF THIS SECTION.
   (D) INFORMATION AND DATA COLLECTED SHALL NOT BE MADE AVAILABLE TO  ANY
 THIRD  PARTY,  UNLESS  AUTHORIZED  AS DESCRIBED ABOVE, INCLUDING BUT NOT
 LIMITED TO LAW ENFORCEMENT, EXCEPT UPON A GRAND JURY SUBPOENA OR A COURT
 ORDERED WARRANT, SUBPOENA, OR OTHER AUTHORIZED COURT ORDERED PROCESS.
 S. 2078                             9
 
   6. STORAGE OF INFORMATION. ANY INFORMATION OR DATA COLLECTED SHALL  BE
 STORED IN A SECURE MANNER TO PREVENT UNAUTHORIZED ACCESS BY BOTH EMPLOY-
 EES  AND  CONTRACTORS  AND THOSE UNAFFILIATED WITH THE LANDLORD OR THEIR
 AGENTS, EXCEPT AS OTHERWISE PROVIDED IN THIS SECTION. FUTURE OR CONTINU-
 ING  TENANCY  SHALL  NOT BE CONDITIONED UPON CONSENTING TO THE USE OF AN
 ELECTRONIC AND/OR COMPUTERIZED ENTRY SYSTEM.
   7. SOFTWARE ISSUES. WHENEVER A COMPANY THAT PRODUCES, MAKES  AVAILABLE
 OR INSTALLS ELECTRONIC OR COMPUTERIZED ENTRY SYSTEMS DISCOVERS A SECURI-
 TY  BREACH  OR  CRITICAL  SECURITY VULNERABILITY IN THEIR SOFTWARE, SUCH
 COMPANY SHALL NOTIFY CUSTOMERS OF SUCH VULNERABILITY WITHIN A REASONABLE
 TIME OF DISCOVERY BUT NO LATER THAN TWENTY-FOUR  HOURS  AFTER  DISCOVERY
 AND  SHALL  MAKE SOFTWARE UPDATES AVAILABLE AND TAKE ANY OTHER ACTION AS
 MAY BE NECESSARY TO REPAIR THE VULNERABILITY WITHIN A  REASONABLE  TIME,
 BUT  NOT  LONGER  THAN THIRTY DAYS AFTER DISCOVERY. SMART ACCESS SYSTEMS
 AND VENDORS SHALL IMPLEMENT AND MAINTAIN REASONABLE SECURITY  PROCEDURES
 AND PRACTICES APPROPRIATE TO THE NATURE OF THE INFORMATION COLLECTED. IN
 THE EVENT THAT A SECURITY BREACH OR CRITICAL SECURITY VULNERABILITY THAT
 PERTAINS  TO  THE  EMBEDDED  SOFTWARE  OR  FIRMWARE  ON THE SMART ACCESS
 SYSTEMS IS DISCOVERED, SMART ACCESS SYSTEMS AND THEIR VENDORS SHALL:
   (A) BE ABLE TO CREATE UPDATES TO THE FIRMWARE TO CORRECT  THE  VULNER-
 ABILITIES;
   (B)  CONTRACTUALLY COMMIT TO CUSTOMERS THAT THE SMART ACCESS SYSTEM OR
 VENDOR WILL CREATE UPDATES TO THE EMBEDDED SOFTWARE OR FIRMWARE TO REME-
 DY THE VULNERABILITIES; AND
   (C) MAKE SUCH SECURITY-RELATED SOFTWARE OR FIRMWARE UPDATES  AVAILABLE
 FOR  FREE  TO  CUSTOMERS  FOR THE DURATION OF THE CONTRACT BETWEEN SMART
 ACCESS BUILDINGS AND SMART ACCESS SYSTEMS.
   8. WAIVER OF RIGHTS; VOID. ANY AGREEMENT BY A LESSEE OR  TENANT  OF  A
 DWELLING  WAIVING  OR  MODIFYING  HIS OR HER RIGHTS AS SET FORTH IN THIS
 SECTION SHALL BE VOID AS CONTRARY TO PUBLIC POLICY.
   9. PENALTIES. (A) A PERSON WHO VIOLATES THIS SECTION IS SUBJECT  TO  A
 CIVIL PENALTY OF NOT MORE THAN FIVE THOUSAND DOLLARS FOR EACH VIOLATION.
 THE  ATTORNEY  GENERAL MAY BRING AN ACTION TO RECOVER THE CIVIL PENALTY.
 AN INDIVIDUAL INJURED BY A VIOLATION OF THIS SECTION MAY BRING AN ACTION
 TO RECOVER DAMAGES. A COURT MAY ALSO AWARD ATTORNEYS' FEES TO A PREVAIL-
 ING PLAINTIFF.
   (B) WHERE A LANDLORD OR HIS OR HER AGENT USES AN ELECTRONIC OR COMPUT-
 ERIZED ENTRY SYSTEM TO HARASS OR  OTHERWISE  DEPRIVE  A  TENANT  OF  ANY
 RIGHTS AVAILABLE UNDER LAW, SUCH LANDLORD OR AGENT SHALL BE SUBJECT TO A
 CIVIL PENALTY OF TEN THOUSAND DOLLARS FOR EACH VIOLATION.
   (C)  FOR  PURPOSES  OF THIS SUBDIVISION, EACH DAY THE VIOLATION OCCURS
 SHALL BE CONSIDERED A SEPARATE VIOLATION.
   10. RENT REGULATED DWELLINGS. INSTALLATION OF AN ELECTRONIC OR COMPUT-
 ERIZED ENTRY SYSTEM PURSUANT TO THIS SECTION IN A RENT REGULATED  DWELL-
 ING  SHALL  CONSTITUTE A MODIFICATION OF SERVICES REQUIRING THE LANDLORD
 OF SUCH DWELLING OR HIS OR HER AGENT TO APPLY TO THE DIVISION OF HOUSING
 AND COMMUNITY RENEWAL FOR APPROVAL BEFORE PERFORMING SUCH  INSTALLATION.
 SUCH INSTALLATION SHALL NOT QUALIFY AS A BASIS FOR RENT REDUCTION.
   11.  EXEMPTIONS.  (A) NOTHING HEREIN SHALL APPLY TO MULTIPLE DWELLINGS
 OWNED OR MANAGED BY AN ENTITY SUBJECT TO 42 U.S.C. § 1437  ET  SEQ.,  OR
 ANY OF ITS SUBSIDIARIES.
   (B)  NOTHING IN THIS SECTION SHALL LIMIT THE AUTHORITY OF THE DIVISION
 OF HOUSING AND  COMMUNITY  RENEWAL  TO  IMPOSE  ADDITIONAL  REQUIREMENTS
 REGARDING ELECTRONIC OR COMPUTERIZED ENTRY SYSTEMS INSTALLED IN MULTIPLE
 DWELLINGS FOR WHICH THE DIVISION IS REQUIRED TO APPROVE SUBSTITUTIONS OR
 MODIFICATIONS OF SERVICES.
 S. 2078                            10
 
   § 3. Severability. If any provision of this act, or any application of
 any  provision of this act, is held to be invalid, that shall not affect
 the  validity or effectiveness of any other provision of this act, or of
 any other application of any provision of this act, which can  be  given
 effect  without  that  provision  or  application;  and to that end, the
 provisions and applications of this act are severable.
   § 4. This act shall take effect on the one hundred eightieth day after
 it shall have become a law.

co-Sponsors

2023-S2078A - Details

See Assembly Version of this Bill:: A48
Current Committee:: Assembly Codes
Law Section:: Multiple Dwelling Law
Laws Affected:: Add §50-b, Mult Dwell L; add §130-a, Mult Res L
Versions Introduced in Other Legislative Sessions:: 2019-2020: S5125, A6788
2021-2022: S6463, A706

2023-S2078A - Summary

Relates to limitations on the use of smart access systems; restricts information that may be gathered on lessees, tenants, owners or guests.

2023-S2078A - Sponsor Memo

                                 
BILL NUMBER: S2078A

SPONSOR: KAVANAGH
 
TITLE OF BILL:

An act to amend the multiple dwelling law and the multiple residence
law, in relation to the use of smart access systems and the information
that may be gathered from such systems

 
PURPOSE:  This legislation relates to limitations on electronic or
computerized systems for entry.

 
SUMMARY OF PROVISIONS:

Section 1 of the bill amends the multiple dwelling law by adding a new
section 50-b.

Section 2 of the bill amends the multiple residence law by adding new
section 130-a.

Respectively in the new sections 50-b of the multiple dwelling law and
130-a of the multiple residence law:

Subdivision 1 sets forth definitions.

Subdivision 2 requires that every entrance to a class A multiple dwell-
ing does not rely on an electronic or computerized system for entry,
that landlords must provide to lawful tenants and occupants with alter-
native non-electronic means of entry where requested, and for backup
power or alternative means of entry to be operable during a power
outage.

Subdivision 3 requires landlords or their agents to provide notice to a
tenant of the above provisions at the time of lease signing or when the
computerized entry system is installed.

Subdivision 4 sets limitations on the collection, management, utiliza-
tion, and disposal of data gathered by electronic and/or computerized
entry systems and by building owners, agents of owners, and utilized
vendors who use such entry systems. No new electronic and/or computer-
ized entry systems that rely on the collection of biometric data shall
be installed in class A multiple dwellings for three years after this
bill becomes law.

Subdivision 5 prohibits location tracking and capturing the likeness of
a minor occupant by electronic and/or computerized entry systems.
Information collected by such entry systems cannot be used as the basis
or support for an action to evict a lessee or tenant and cannot be made
available to any third party without authorization from a tenant.

Subdivision 6 requires secure storage of information or data collected
to prevent unauthorized access. It also prohibits conditioning continued
or future tenancy upon consenting to the use of an electronic and/or
computerized entry system.

Subdivision 7 provides that if any entity that produces, makes avail-
able, or installs the electronic or computerized entry system discovers
a security breach or vulnerability in the software, that entity is
required to notify customers no later than 24 hours after discovery and
to take actions necessary to address the discovery within a reasonable
time that is not longer than 30 days.

Subdivision 8 provides that any agreement by a lessee or tenant of a
dwelling waiving or modifying his or her rights as set forth in this
section shall be void as contrary to public policy.

Subdivision 9 subjects any person or entity violating this section to a
civil penalty.

Subdivision 10 requires that any installation of an electronic and/or
computerized entry system in rent-regulated housing shall constitute a
modification of services and must receive approval from the Division of
Housing and Community Renewal prior to installation.

Subdivision 11 provides for the exemption of multiple dwellings owned or
managed by an entity subject to 42 U.S.C. § 1437 et seq., or any of its
subsidiaries, from this act.

Section 3 sets forth severability provisions.

Section 4 sets forth the effective date.

 
JUSTIFICATION:

Electronic and computerized entry systems for residential buildings can
pose serious threats to privacy rights of tenants and their guests. This
legislation seeks to establish protections for individuals entering a
class A multiple dwelling and prohibits landlords from requiring tenants
to use keyless entry systems as a condition of their tenancy. This
legislation sets limits on the sharing and storing of information and
prohibits the use of any information gathered via the system as the
basis of any proceeding against a tenant.

 
LEGISLATIVE HISTORY:

2022: S6463A (Kavanagh) / A706C (Rosenthal L) - HOUSING/housing

2020:  S5125B (Montgomery) / A6788B (Rosenthal L) - JUDICIARY/housing

 
FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS:

Minimal.

 
EFFECTIVE DATE:
This act shall take effect on the one hundred eightieth day after it
shall have become a law.

2023-S2078A - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                  2078--A
 
                        2023-2024 Regular Sessions
 
                             I N  S E N A T E
 
                             January 18, 2023
                                ___________
 
 Introduced by Sens. KAVANAGH, KRUEGER -- read twice and ordered printed,
   and  when  printed  to  be  committed  to  the  Committee  on Housing,
   Construction and Community Development -- committee  discharged,  bill
   amended,  ordered reprinted as amended and recommitted to said commit-
   tee

 AN ACT to amend the multiple dwelling law  and  the  multiple  residence
   law,  in  relation to the use of smart access systems and the informa-
   tion that may be gathered from such systems
 
   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section  1.  The  multiple  dwelling  law  is  amended by adding a new
 section 50-b to read as follows:
   § 50-B. ELECTRONIC OR COMPUTERIZED ENTRY SYSTEMS. 1.  DEFINITIONS. FOR
 THE PURPOSES OF THIS SECTION, THE FOLLOWING TERMS SHALL HAVE THE FOLLOW-
 ING MEANINGS:
   A. "ACCOUNT INFORMATION" MEANS INFORMATION THAT IS  USED  TO  GRANT  A
 USER  ENTRY  OR  ACCESS TO ANY ONLINE TOOLS THAT ARE USED TO MANAGE USER
 ACCOUNTS RELATED TO A SMART ACCESS SYSTEM.
   B. "AUTHENTICATION DATA" MEANS DATA  GENERATED  OR  COLLECTED  AT  THE
 POINT  OF  AUTHENTICATION  IN CONNECTION WITH GRANTING A USER ENTRY TO A
 CLASS A MULTIPLE DWELLING, DWELLING UNIT OF  SUCH  BUILDING,  OR  COMMON
 AREA  OF  SUCH  BUILDING  THROUGH  A SMART ACCESS SYSTEM, EXCEPT THAT IT
 SHALL NOT INCLUDE DATA GENERATED THROUGH OR  COLLECTED  BY  A  VIDEO  OR
 CAMERA SYSTEM THAT IS USED TO MONITOR ENTRANCES BUT NOT TO GRANT ENTRY.
   C.  "BIOMETRIC  IDENTIFIER INFORMATION" MEANS A PHYSIOLOGICAL, BIOLOG-
 ICAL OR BEHAVIORAL CHARACTERISTIC THAT IS USED TO IDENTIFY, OR ASSIST IN
 IDENTIFYING, AN INDIVIDUAL, INCLUDING, BUT NOT LIMITED TO: (I) A  RETINA
 OR  IRIS  SCAN,  (II)  A FINGERPRINT, (III) A VOICEPRINT, (IV) A SCAN OR
 RECORD OF A PALM, HAND, OR FACE GEOMETRY, (V) GAIT OR MOVEMENT PATTERNS,
 OR (VI) ANY OTHER SIMILAR IDENTIFYING CHARACTERISTIC THAT  CAN  BE  USED
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD00692-07-3
 S. 2078--A                          2

 
 ALONE  OR  IN COMBINATION WITH EACH OTHER, OR WITH OTHER INFORMATION, TO
 ESTABLISH INDIVIDUAL IDENTITY.
   D.  "CRITICAL  SECURITY  VULNERABILITY" MEANS A SECURITY VULNERABILITY
 THAT HAS A SIGNIFICANT RISK OF RESULTING IN AN UNAUTHORIZED ACCESS TO AN
 AREA SECURED BY A SMART ACCESS SYSTEM.
   E. "REFERENCE DATA" MEANS  INFORMATION  AGAINST  WHICH  AUTHENTICATION
 DATA IS VERIFIED AT THE POINT OF AUTHENTICATION BY A SMART ACCESS SYSTEM
 IN  ORDER TO GRANT A USER ENTRY TO A CLASS A MULTIPLE DWELLING, DWELLING
 UNIT OF SUCH BUILDING, OR COMMON AREA OF SUCH BUILDING.
   F. "SECURITY BREACH" MEANS ANY INCIDENT THAT RESULTS  IN  UNAUTHORIZED
 ACCESS OF DATA, APPLICATIONS, SERVICES, NETWORKS OR DEVICES BY BYPASSING
 UNDERLYING SECURITY MECHANISMS. A "SECURITY BREACH" OCCURS WHEN AN INDI-
 VIDUAL  OR  AN APPLICATION ILLEGITIMATELY ENTERS A PRIVATE, CONFIDENTIAL
 OR UNAUTHORIZED LOGICAL INFORMATION TECHNOLOGY PERIMETER.
   G. "SMART ACCESS SYSTEM" MEANS ANY  SYSTEM  THAT  USES  ELECTRONIC  OR
 COMPUTERIZED TECHNOLOGY, A RADIO FREQUENCY IDENTIFICATION CARD, A MOBILE
 PHONE  APPLICATION,  BIOMETRIC  IDENTIFIER  INFORMATION,  OR  ANY  OTHER
 DIGITAL TECHNOLOGY IN ORDER TO GRANT ACCESS TO A CLASS A MULTIPLE DWELL-
 ING, COMMON AREAS IN SUCH MULTIPLE DWELLING, OR TO AN INDIVIDUAL  DWELL-
 ING UNIT IN SUCH MULTIPLE DWELLING.
   H.  "THIRD PARTY" MEANS AN ENTITY THAT INSTALLS, OPERATES OR OTHERWISE
 DIRECTLY SUPPORTS A SMART ACCESS SYSTEM, AND HAS ONGOING ACCESS TO  USER
 DATA, EXCLUDING ANY ENTITY THAT SOLELY HOSTS SUCH DATA.
   I.  "USER"  MEANS  A  TENANT  OR LAWFUL OCCUPANT OF A CLASS A MULTIPLE
 DWELLING, AND ANY PERSON A TENANT OR LAWFUL OCCUPANT HAS  REQUESTED,  IN
 WRITING  OR  THROUGH  A  MOBILE  APPLICATION,  BE GRANTED ACCESS TO SUCH
 TENANT OR LAWFUL OCCUPANT'S DWELLING  UNIT  AND  SUCH  BUILDING'S  SMART
 ACCESS SYSTEM.
   2.  ENTRY.  A.  WHERE  AN  OWNER  INSTALLS OR PLANS TO INSTALL A SMART
 ACCESS SYSTEM ON ANY ENTRANCE FROM THE STREET, PASSAGEWAY, COURT,  YARD,
 CELLAR, OR OTHER COMMON AREA OF A CLASS A MULTIPLE DWELLING, SUCH SYSTEM
 SHALL  NOT RELY SOLELY ON A WEB-BASED APPLICATION TO FACILITATE ENTRANCE
 BUT SHALL ALSO INCLUDE A KEY FOB, KEY CARD, DIGITAL KEY OR PASSCODE  FOR
 TENANT USE.
   B.  OWNERS MAY PROVIDE VARIOUS METHODS OF ENTRY INTO INDIVIDUAL APART-
 MENTS INCLUDING A MECHANICAL KEY OR A SMART ACCESS SYSTEM OF A KEY  FOB,
 KEY CARD OR DIGITAL KEY, PROVIDED, HOWEVER THAT SUCH SMART ACCESS SYSTEM
 SHALL NOT RELY SOLELY ON A WEB-BASED APPLICATION.
   C.  NOTWITHSTANDING PARAGRAPH A OR B OF THIS SUBDIVISION, OWNERS SHALL
 PROVIDE A NON-ELECTRONIC MEANS OF ENTRY WHERE REQUESTED BY THE TENANT OR
 LAWFUL OCCUPANT DUE TO A RELIGIOUS PREFERENCE.
   D. ALL LAWFUL TENANTS AND LAWFUL OCCUPANTS SHALL BE  PROVIDED  WITH  A
 KEY,  KEY  FOB,  DIGITAL  KEY OR KEY CARD AT NO COST TO SUCH TENANTS AND
 LAWFUL OCCUPANTS. THE TERM "LAWFUL  OCCUPANTS"  SHALL  INCLUDE  CHILDREN
 UNDER  THE  AGE  OF EIGHTEEN WHO SHALL BE ISSUED A KEY, KEY FOB, DIGITAL
 KEY OR KEY CARD IF A PARENT OR GUARDIAN REQUESTS SUCH CHILD BE  PROVIDED
 WITH ONE. TENANTS AND LAWFUL OCCUPANTS MAY ALSO RECEIVE UP TO FOUR ADDI-
 TIONAL  KEYS,  KEY  FOBS,  DIGITAL  KEYS  OR KEY CARDS AT NO COST TO THE
 TENANT OR LAWFUL OCCUPANT FOR EMPLOYEES OR  GUESTS.  THE  TERM  "GUESTS"
 SHALL  INCLUDE FAMILY MEMBERS AND FRIENDS WHO CAN REASONABLY BE EXPECTED
 TO VISIT ON A REGULAR BASIS OR VISIT AS NEEDED TO CARE FOR  THE  TENANT,
 LAWFUL  OCCUPANT, OR THE DWELLING UNIT IF THE TENANT  OR LAWFUL OCCUPANT
 IS AWAY. EMPLOYEES, INCLUDING CONTRACTORS,  PROFESSIONAL  CAREGIVERS  OR
 OTHER  SERVICES  PROVIDERS,  MAY HAVE AN EXPIRATION DATE PLACED ON THEIR
 KEY, KEY CARD, DIGITAL KEY OR KEY FOB, WHICH MAY BE  EXTENDED  UPON  THE
 TENANT'S  OR LAWFUL OCCUPANT'S REQUEST.  TENANTS OR LAWFUL OCCUPANTS MAY
 S. 2078--A                          3
 
 REQUEST A NEW OR REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR  KEY  CARD  AT
 ANY  TIME  THROUGHOUT THE COURSE OF THE TENANCY OR OCCUPANCY.  THE OWNER
 OR THEIR AGENT SHALL PROVIDE THE FIRST REPLACEMENT KEY, KEY FOB, DIGITAL
 KEY  OR  KEY  CARD  TO THE TENANT OR LAWFUL OCCUPANT FREE OF CHARGE. THE
 COST OF SECOND AND SUBSEQUENT REPLACEMENT CARDS SHALL NOT BE  MORE  THAN
 WHAT  THE OWNER PAID FOR THE REPLACEMENT UP TO AND NOT EXCEEDING TWENTY-
 FIVE DOLLARS.
   E. THE OWNER SHALL NOT SET LIMITS ON THE NUMBER  OF  KEYS,  KEY  FOBS,
 DIGITAL KEYS OR KEY CARDS A TENANT OR LAWFUL OCCUPANT MAY REQUEST.
   F.  ANY DOOR THAT HAS A SMART ACCESS SYSTEM SHALL HAVE BACKUP POWER OR
 AN ALTERNATIVE MEANS OF ENTRY TO ENSURE THAT THE ENTRY SYSTEM  CONTINUES
 TO  OPERATE  DURING  A  POWER  OUTAGE.  AN  OWNER, OR THEIR AGENT, SHALL
 ROUTINELY INSPECT THE BACKUP POWER AND SHALL REPLACE ACCORDING TO SYSTEM
 SPECIFICATIONS.  OWNERS OR THEIR AGENTS SHALL PROVIDE TENANTS AND LAWFUL
 OCCUPANTS WITH INFORMATION ABOUT WHOM TO CONTACT IN THE EVENT  THAT  THE
 TENANT,  LAWFUL  OCCUPANT OR THE TENANT'S OR LAWFUL OCCUPANT'S CHILDREN,
 GUESTS OR EMPLOYEES BECOME LOCKED OUT.
   3. NOTICE. OWNERS OR THEIR AGENTS SHALL PROVIDE NOTICE TO A TENANT  OR
 LAWFUL  OCCUPANT  AT  THE  TIME  THE TENANT OR LAWFUL OCCUPANT SIGNS THE
 LEASE, OR WHEN THE SMART ACCESS SYSTEM IS INSTALLED, OF  THE  PROVISIONS
 OF SUBDIVISION TWO OF THIS SECTION.
   4.  DATA  COLLECTION.  A. IF A SMART ACCESS SYSTEM IS UTILIZED TO GAIN
 ENTRANCE TO A CLASS A MULTIPLE DWELLING, THE ONLY REFERENCE, AUTHENTICA-
 TION, AND ACCOUNT INFORMATION GATHERED BY ANY SMART ACCESS SYSTEM  SHALL
 BE  LIMITED  TO  ACCOUNT INFORMATION NECESSARY TO ENABLE THE USE OF SUCH
 SMART ACCESS SYSTEM, OR  REFERENCE  DATA,  INCLUDING  THE  USER'S  NAME,
 DWELLING  UNIT  NUMBER AND OTHER DOORS OR COMMON AREAS TO WHICH THE USER
 HAS ACCESS, THE PREFERRED METHOD OF CONTACT FOR SUCH  USER,  INFORMATION
 USED  TO GRANT A USER ENTRY OR TO ACCESS ANY ONLINE TOOLS USED TO MANAGE
 USER ACCOUNTS RELATED TO  SUCH  BUILDING,  LEASE  INFORMATION  INCLUDING
 MOVE-IN  AND,  IF AVAILABLE MOVE-OUT DATES, AND AUTHENTICATION DATA SUCH
 AS TIME AND METHOD OF ACCESS FOR SECURITY PURPOSES AND A  PHOTOGRAPH  OF
 ACCESS  EVENTS FOR SECURITY PURPOSES. FOR SMART ACCESS SYSTEMS THAT RELY
 ON THE  COLLECTION  OF  BIOMETRIC  DATA  AND  WHICH  HAVE  ALREADY  BEEN
 INSTALLED  AT  THE  TIME THIS SECTION SHALL HAVE BECOME A LAW, BIOMETRIC
 IDENTIFIER INFORMATION MAY BE COLLECTED  PURSUANT  TO  THIS  SECTION  IN
 ORDER TO REGISTER A USER FOR A SMART ACCESS SYSTEM.  NO NEW SMART ACCESS
 SYSTEMS THAT RELY ON THE COLLECTION OF BIOMETRIC DATA SHALL BE INSTALLED
 IN  CLASS  A MULTIPLE DWELLINGS FOR THREE YEARS AFTER THE EFFECTIVE DATE
 OF THIS SECTION.
   (I) THE OWNER OF THE MULTIPLE DWELLING MAY COLLECT  ONLY  THE  MINIMUM
 DATA  REQUIRED  BY  THE  TECHNOLOGY  USED  IN THE SMART ACCESS SYSTEM TO
 EFFECTUATE SUCH ENTRANCE AND PROTECT THE PRIVACY AND  SECURITY  OF  SUCH
 USERS.
   (II)  THE  OWNER OR AGENT OF THE OWNER SHALL NOT REQUEST OR RETAIN, IN
 ANY FORM, THE SOCIAL SECURITY NUMBER OF ANY TENANT OR LAWFUL OCCUPANT AS
 A CONDITION OF USE OF THE SMART ACCESS SYSTEM.
   (III) THE OWNER, AGENT OF THE OWNER, OR THE VENDOR OF A  SMART  ACCESS
 SYSTEM  ON BEHALF OF THE OWNER MAY RECORD EACH TIME A KEY FOB, KEY CARD,
 DIGITAL KEY OR PASSCODE IS USED TO ENTER THE  BUILDING,  BUT  SHALL  NOT
 RECORD ANY DEPARTURES.
   (IV) A COPY OF SUCH DATA MAY BE RETAINED FOR REFERENCE AT THE POINT OF
 AUTHENTICATION  BY THE SMART ACCESS SYSTEM. SUCH REFERENCE DATA SHALL BE
 RETAINED ONLY FOR TENANTS  OR LAWFUL OCCUPANTS OR  THOSE  AUTHORIZED  BY
 THE TENANT, LAWFUL OCCUPANT, OR OWNER OF THE MULTIPLE DWELLING.
 S. 2078--A                          4
 
   (V)  THE  OWNER  OF  THE  MULTIPLE  DWELLING  OR ANY THIRD PARTY SHALL
 DESTROY OR ANONYMIZE AUTHENTICATION DATA COLLECTED FROM OR GENERATED  BY
 SUCH  SMART  ACCESS  SYSTEM WITHIN A REASONABLE TIME, BUT NOT LATER THAN
 NINETY DAYS AFTER THE DATE COLLECTED.
   (VI) REFERENCE DATA FOR A USER SHALL BE DESTROYED OR ANONYMIZED WITHIN
 NINETY  DAYS  OF  (1) THE TENANT OR LAWFUL OCCUPANT PERMANENTLY VACATING
 THE DWELLING, OR (2) A REQUEST BY THE TENANT OR LAWFUL OCCUPANT TO WITH-
 DRAW AUTHORIZATION FOR THOSE PREVIOUSLY  AUTHORIZED  BY  THE  TENANT  OR
 LAWFUL OCCUPANT.
   B. (I) AN ENTITY SHALL NOT CAPTURE BIOMETRIC IDENTIFIER INFORMATION OF
 AN INDIVIDUAL TO GAIN ENTRANCE TO A CLASS A MULTIPLE DWELLING UNLESS THE
 PERSON  IS  A  TENANT  OR  LAWFUL OCCUPANT OR A PERSON AUTHORIZED BY THE
 TENANT OR LAWFUL OCCUPANT, AND INFORMS THE INDIVIDUAL  BEFORE  CAPTURING
 THE BIOMETRIC IDENTIFIER INFORMATION; AND RECEIVES THEIR EXPRESS CONSENT
 TO CAPTURE THE BIOMETRIC IDENTIFIER INFORMATION.
   (II)  ANY ENTITY THAT POSSESSES BIOMETRIC IDENTIFIER INFORMATION OF AN
 INDIVIDUAL THAT IS CAPTURED TO GAIN  ENTRANCE  TO  A  CLASS  A  MULTIPLE
 DWELLING:
   (1)  SHALL NOT SELL, LEASE OR OTHERWISE DISCLOSE THE BIOMETRIC IDENTI-
 FIER INFORMATION TO ANOTHER PERSON UNLESS PURSUANT  TO  ANY  LAW,  GRAND
 JURY  SUBPOENA  OR  COURT ORDERED WARRANT, SUBPOENA, OR OTHER AUTHORIZED
 COURT ORDERED PROCESS.
   (2) SHALL STORE, TRANSMIT AND PROTECT FROM  DISCLOSURE  THE  BIOMETRIC
 IDENTIFIER INFORMATION USING REASONABLE CARE AND IN A MANNER THAT IS THE
 SAME  AS  OR MORE PROTECTIVE THAN THE MANNER IN WHICH THE PERSON STORES,
 TRANSMITS AND PROTECTS CONFIDENTIAL INFORMATION  THE  PERSON  POSSESSES;
 AND
   (3)  SHALL  DESTROY  THE  BIOMETRIC  IDENTIFIER  INFORMATION  WITHIN A
 REASONABLE TIME, BUT NOT LATER THAN FORTY-EIGHT  HOURS  AFTER  THE  DATE
 COLLECTED,  EXCEPT FOR REFERENCE DATA.  IF ANY PROHIBITED INFORMATION IS
 COLLECTED, SUCH AS THE LIKENESS OF A MINOR OR A NON-TENANT, THE INFORMA-
 TION SHALL BE DESTROYED IMMEDIATELY.
   C. THE OWNER OF THE MULTIPLE DWELLING, OR THE  MANAGING  AGENT,  SHALL
 DEVELOP  AND  PROVIDE TO TENANTS AND LAWFUL OCCUPANTS WRITTEN PROCEDURES
 WHICH DESCRIBE THE PROCESS USED TO ADD PERSONS AUTHORIZED BY THE  TENANT
 OR  LAWFUL  OCCUPANT TO THE SMART ACCESS SYSTEM ON A TEMPORARY OR PERMA-
 NENT BASIS, SUCH AS VISITORS, CHILDREN, THEIR EMPLOYEES, AND  CAREGIVERS
 TO SUCH BUILDING.
   (I) THE PROCEDURES SHALL CLEARLY ESTABLISH THE OWNER'S RETENTION SCHE-
 DULE  AND  GUIDELINES FOR PERMANENTLY DESTROYING OR ANONYMIZING THE DATA
 COLLECTED.
   (II) THE PROCEDURES SHALL NOT LIMIT TIME OR PLACE OF ENTRANCE BY  SUCH
 PEOPLE  AUTHORIZED  BY THE TENANT OR LAWFUL OCCUPANT EXCEPT AS REQUESTED
 BY THE TENANT OR LAWFUL OCCUPANT.
   5. PROHIBITIONS. A. NO FORM OF LOCATION TRACKING,  INCLUDING  BUT  NOT
 LIMITED  TO  SATELLITE LOCATION BASED SERVICES, SHALL BE INCLUDED IN ANY
 EQUIPMENT, KEY, OR SOFTWARE PROVIDED TO USERS AS PART OF A SMART  ACCESS
 SYSTEM.
   B. IT SHALL BE PROHIBITED TO COLLECT THROUGH A SMART ACCESS SYSTEM THE
 LIKENESS  OF A MINOR OCCUPANT, INFORMATION ON THE RELATIONSHIP STATUS OF
 TENANTS OR LAWFUL OCCUPANTS AND THEIR GUESTS, OR TO USE A  SMART  ACCESS
 SYSTEM  TO  COLLECT OR TRACK INFORMATION ABOUT THE FREQUENCY AND TIME OF
 USE OF SUCH SYSTEM BY A TENANT OR LAWFUL OCCUPANT AND  THEIR  GUESTS  TO
 HARASS OR EVICT A TENANT OR LAWFUL OCCUPANT OR FOR ANY OTHER PURPOSE NOT
 EXPRESSLY RELATED TO THE OPERATION OF THE SMART ACCESS SYSTEM.
 S. 2078--A                          5

   C.  INFORMATION  THAT IS ACQUIRED VIA THE USE OF A SMART ACCESS SYSTEM
 SHALL NOT BE USED FOR ANY PURPOSES OTHER THAN  GRANTING  ACCESS  TO  AND
 MONITORING  BUILDING  ENTRANCES  AND  SHALL  NOT BE USED AS THE BASIS OR
 SUPPORT FOR AN ACTION TO EVICT A LESSEE, TENANT, OR LAWFUL OCCUPANT,  OR
 AN ADMINISTRATIVE HEARING SEEKING A CHANGE IN REGULATORY COVERAGE FOR AN
 INDIVIDUAL  OR UNIT.  HOWEVER, A TENANT OR LAWFUL OCCUPANT MAY AUTHORIZE
 THEIR INFORMATION TO BE USED BY A THIRD PARTY, BUT SUCH A REQUEST  SHALL
 CLEARLY STATE WHO WILL HAVE ACCESS TO SUCH INFORMATION, FOR WHAT PURPOSE
 IT  WILL  BE  USED,  AND  THE  PRIVACY POLICIES WHICH WILL PROTECT THEIR
 INFORMATION. UNDER NO CIRCUMSTANCES  SHALL  A  LEASE  OR  A  RENEWAL  BE
 CONTINGENT  UPON  AUTHORIZING  SUCH  USE.  SMART  ACCESS SYSTEMS MAY USE
 THIRD-PARTY SERVICES TO THE EXTENT  REQUIRED  TO  MAINTAIN  AND  OPERATE
 SYSTEM  INFRASTRUCTURE,  INCLUDING  CLOUD-BASED HOSTING AND STORAGE. THE
 PROVIDER OR PROVIDERS OF THIRD-PARTY INFRASTRUCTURE SERVICES SHALL  MEET
 OR EXCEED THE PRIVACY PROTECTIONS SET FORTH IN THIS SECTION AND SHALL BE
 SUBJECT  TO  THE SAME LIABILITY FOR BREACH OF ANY OF THE REQUIREMENTS OF
 THIS SECTION.
   D. INFORMATION AND DATA COLLECTED SHALL NOT BE MADE AVAILABLE  TO  ANY
 THIRD  PARTY,  UNLESS  AUTHORIZED  AS  DESCRIBED  IN PARAGRAPH C OF THIS
 SUBDIVISION, INCLUDING BUT NOT LIMITED TO LAW ENFORCEMENT, EXCEPT UPON A
 GRAND JURY SUBPOENA OR A  COURT  ORDERED  WARRANT,  SUBPOENA,  OR  OTHER
 AUTHORIZED COURT ORDERED PROCESS.
   6.  STORAGE OF INFORMATION. ANY INFORMATION OR DATA COLLECTED SHALL BE
 STORED IN A SECURE MANNER TO PREVENT UNAUTHORIZED ACCESS BY BOTH EMPLOY-
 EES AND CONTRACTORS AND THOSE  UNAFFILIATED  WITH  THE  OWNER  OR  THEIR
 AGENTS, EXCEPT AS OTHERWISE PROVIDED IN THIS SECTION. FUTURE OR CONTINU-
 ING  TENANCY  SHALL  NOT  BE CONDITIONED UPON CONSENTING TO THE USE OF A
 SMART ACCESS SYSTEM.
   7. SOFTWARE ISSUES. WHENEVER A COMPANY THAT PRODUCES, MAKES  AVAILABLE
 OR INSTALLS SMART ACCESS SYSTEMS DISCOVERS A SECURITY BREACH OR CRITICAL
 SECURITY  VULNERABILITY  IN  THEIR  SOFTWARE,  SUCH COMPANY SHALL NOTIFY
 CUSTOMERS OF SUCH VULNERABILITY WITHIN A REASONABLE  TIME  OF  DISCOVERY
 BUT NO LATER THAN TWENTY-FOUR HOURS AFTER DISCOVERY AND SHALL MAKE SOFT-
 WARE  UPDATES AVAILABLE AND TAKE ANY OTHER ACTION AS MAY BE NECESSARY TO
 REPAIR THE VULNERABILITY WITHIN A REASONABLE TIME, BUT NOT  LONGER  THAN
 THIRTY  DAYS  AFTER  DISCOVERY.   SMART ACCESS SYSTEMS AND VENDORS SHALL
 IMPLEMENT AND MAINTAIN  REASONABLE  SECURITY  PROCEDURES  AND  PRACTICES
 APPROPRIATE  TO  THE  NATURE  OF THE INFORMATION COLLECTED. IN THE EVENT
 THAT A SECURITY BREACH OR CRITICAL SECURITY VULNERABILITY THAT  PERTAINS
 TO  THE  EMBEDDED  SOFTWARE  OR  FIRMWARE ON THE SMART ACCESS SYSTEMS IS
 DISCOVERED, SMART ACCESS SYSTEMS AND THEIR VENDORS SHALL:
   A. BE ABLE TO CREATE UPDATES TO THE FIRMWARE TO  CORRECT  THE  VULNER-
 ABILITIES;
   B.  CONTRACTUALLY  COMMIT TO CUSTOMERS THAT THE SMART ACCESS SYSTEM OR
 VENDOR WILL CREATE UPDATES TO THE EMBEDDED SOFTWARE OR FIRMWARE TO REME-
 DY THE VULNERABILITIES; AND
   C. MAKE SUCH SECURITY-RELATED SOFTWARE OR FIRMWARE  UPDATES  AVAILABLE
 FOR  FREE  TO  CUSTOMERS  FOR  THE  DURATION OF THE CONTRACT BETWEEN THE
 BUILDING AND SMART ACCESS SYSTEMS.
   8. WAIVER OF RIGHTS; VOID. ANY AGREEMENT BY A LESSEE OR  TENANT  OF  A
 DWELLING  WAIVING OR MODIFYING THEIR RIGHTS AS SET FORTH IN THIS SECTION
 SHALL BE VOID AS CONTRARY TO PUBLIC POLICY.
   9. PENALTIES. A. A PERSON WHO VIOLATES THIS SECTION SHALL  BE  SUBJECT
 TO  A  CIVIL  PENALTY  OF  NOT  MORE THAN FIVE THOUSAND DOLLARS FOR EACH
 VIOLATION. THE ATTORNEY GENERAL MAY BRING AN ACTION TO RECOVER THE CIVIL
 PENALTY.
 S. 2078--A                          6
 
   B. WHERE AN OWNER OR THEIR AGENT USES A SMART ACCESS SYSTEM TO  HARASS
 OR OTHERWISE DEPRIVE A TENANT OR LAWFUL OCCUPANT OF ANY RIGHTS AVAILABLE
 UNDER  LAW,  SUCH  OWNER OR AGENT SHALL BE SUBJECT TO A CIVIL PENALTY OF
 TEN THOUSAND DOLLARS FOR EACH VIOLATION.
   C.  FOR  PURPOSES  OF  THIS SUBDIVISION, EACH DAY THE VIOLATION OCCURS
 SHALL BE CONSIDERED A SEPARATE VIOLATION.
   10. RENT REGULATED DWELLINGS. INSTALLATION OF A  SMART  ACCESS  SYSTEM
 PURSUANT  TO  THIS SECTION IN A DWELLING SUBJECT TO THE EMERGENCY TENANT
 PROTECTION ACT OF NINETEEN HUNDRED SEVENTY-FOUR, THE  EMERGENCY  HOUSING
 RENT  CONTROL  LAW, THE LOCAL EMERGENCY HOUSING RENT CONTROL ACT, OR THE
 RENT STABILIZATION LAW OF NINETEEN HUNDRED SIXTY-NINE SHALL CONSTITUTE A
 MODIFICATION OF SERVICES REQUIRING THE OWNER OF SUCH DWELLING  OR  THEIR
 AGENT  TO  APPLY  TO  THE  DIVISION OF HOUSING AND COMMUNITY RENEWAL FOR
 APPROVAL BEFORE PERFORMING SUCH INSTALLATION.  SUCH  INSTALLATION  SHALL
 NOT QUALIFY AS A BASIS FOR RENT REDUCTION.
   11.  EXEMPTIONS.  A.  NOTHING HEREIN SHALL APPLY TO MULTIPLE DWELLINGS
 OWNED OR MANAGED BY AN ENTITY SUBJECT TO 42 U.S.C. § 1437  ET  SEQ.,  OR
 ANY OF ITS SUBSIDIARIES.
   B.  NOTHING  IN THIS SECTION SHALL LIMIT THE AUTHORITY OF THE DIVISION
 OF HOUSING AND  COMMUNITY  RENEWAL  TO  IMPOSE  ADDITIONAL  REQUIREMENTS
 REGARDING SMART ACCESS SYSTEMS INSTALLED IN MULTIPLE DWELLINGS FOR WHICH
 THE  DIVISION  IS  REQUIRED TO APPROVE SUBSTITUTIONS OR MODIFICATIONS OF
 SERVICES.
   § 2. The multiple residence law is amended by  adding  a  new  section
 130-a to read as follows:
   § 130-A. ELECTRONIC OR COMPUTERIZED ENTRY SYSTEMS. 1. DEFINITIONS. FOR
 THE PURPOSES OF THIS SECTION, THE FOLLOWING TERMS SHALL HAVE THE FOLLOW-
 ING MEANINGS:
   (A)  "ACCOUNT  INFORMATION"  MEANS INFORMATION THAT IS USED TO GRANT A
 USER ENTRY OR ACCESS TO ANY ONLINE TOOLS THAT ARE USED  TO  MANAGE  USER
 ACCOUNTS RELATED TO A SMART ACCESS SYSTEM.
   (B)  "AUTHENTICATION  DATA"  MEANS  DATA GENERATED OR COLLECTED AT THE
 POINT OF AUTHENTICATION IN CONNECTION WITH GRANTING A USER  ENTRY  TO  A
 MULTIPLE  DWELLING,  DWELLING  UNIT  OF SUCH BUILDING, OR COMMON AREA OF
 SUCH BUILDING THROUGH A SMART ACCESS SYSTEM, EXCEPT THAT  IT  SHALL  NOT
 INCLUDE  DATA GENERATED THROUGH OR COLLECTED BY A VIDEO OR CAMERA SYSTEM
 THAT IS USED TO MONITOR ENTRANCES BUT NOT TO GRANT ENTRY.
   (C) "BIOMETRIC IDENTIFIER INFORMATION" MEANS A PHYSIOLOGICAL,  BIOLOG-
 ICAL OR BEHAVIORAL CHARACTERISTIC THAT IS USED TO IDENTIFY, OR ASSIST IN
 IDENTIFYING,  AN INDIVIDUAL, INCLUDING, BUT NOT LIMITED TO: (I) A RETINA
 OR IRIS SCAN, (II) A FINGERPRINT, (III) A VOICEPRINT,  (IV)  A  SCAN  OR
 RECORD OF A PALM, HAND, OR FACE GEOMETRY, (V) GAIT OR MOVEMENT PATTERNS,
 OR  (VI)  ANY  OTHER SIMILAR IDENTIFYING CHARACTERISTIC THAT CAN BE USED
 ALONE OR IN COMBINATION WITH EACH OTHER, OR WITH OTHER  INFORMATION,  TO
 ESTABLISH INDIVIDUAL IDENTITY.
   (D)  "CRITICAL  SECURITY VULNERABILITY" MEANS A SECURITY VULNERABILITY
 THAT HAS A SIGNIFICANT RISK OF RESULTING IN AN UNAUTHORIZED ACCESS TO AN
 AREA SECURED BY A SMART ACCESS SYSTEM.
   (E) "REFERENCE DATA" MEANS INFORMATION  AGAINST  WHICH  AUTHENTICATION
 DATA  IS  VERIFIED AT A POINT OF AUTHENTICATION BY A SMART ACCESS SYSTEM
 IN ORDER TO GRANT A USER ENTRY TO A MULTIPLE DWELLING, DWELLING UNIT  OF
 SUCH BUILDING, OR COMMON AREA OF SUCH BUILDING.
   (F)  "SECURITY BREACH" MEANS ANY INCIDENT THAT RESULTS IN UNAUTHORIZED
 ACCESS OF DATA, APPLICATIONS, SERVICES, NETWORKS OR DEVICES BY BYPASSING
 UNDERLYING SECURITY MECHANISMS. A "SECURITY BREACH" OCCURS WHEN AN INDI-
 S. 2078--A                          7
 
 VIDUAL OR AN APPLICATION ILLEGITIMATELY ENTERS A  PRIVATE,  CONFIDENTIAL
 OR UNAUTHORIZED LOGICAL INFORMATION TECHNOLOGY PERIMETER.
   (G)  "SMART  ACCESS  SYSTEM"  MEANS ANY SYSTEM THAT USES ELECTRONIC OR
 COMPUTERIZED TECHNOLOGY, A RADIO FREQUENCY IDENTIFICATION CARD, A MOBILE
 PHONE  APPLICATION,  BIOMETRIC  IDENTIFIER  INFORMATION,  OR  ANY  OTHER
 DIGITAL  TECHNOLOGY  IN  ORDER  TO  GRANT ACCESS TO A MULTIPLE DWELLING,
 COMMON AREAS IN SUCH MULTIPLE DWELLING, OR  TO  AN  INDIVIDUAL  DWELLING
 UNIT IN SUCH MULTIPLE DWELLING.
   (H) "THIRD PARTY" MEANS AN ENTITY THAT INSTALLS, OPERATES OR OTHERWISE
 DIRECTLY  SUPPORTS A SMART ACCESS SYSTEM, AND HAS ONGOING ACCESS TO USER
 DATA, EXCLUDING ANY ENTITY THAT SOLELY HOSTS SUCH DATA.
   (I) "USER" MEANS A TENANT OR LAWFUL OCCUPANT OF A  MULTIPLE  DWELLING,
 AND  ANY PERSON A TENANT OR LAWFUL OCCUPANT HAS REQUESTED, IN WRITING OR
 THROUGH A MOBILE APPLICATION, BE GRANTED ACCESS TO SUCH TENANT OR LAWFUL
 OCCUPANT'S DWELLING UNIT AND SUCH BUILDING'S SMART ACCESS SYSTEM.
   2. ENTRY. (A) WHERE AN OWNER INSTALLS OR  PLANS  TO  INSTALL  A  SMART
 ACCESS  SYSTEM ON ANY ENTRANCE FROM THE STREET, PASSAGEWAY, COURT, YARD,
 CELLAR, OR OTHER COMMON AREA OF A MULTIPLE DWELLING, SUCH  SYSTEM  SHALL
 NOT  RELY  SOLELY  ON A WEB-BASED APPLICATION TO FACILITATE ENTRANCE BUT
 SHALL ALSO INCLUDE A KEY FOB, KEY CARD,  DIGITAL  KEY  OR  PASSCODE  FOR
 TENANT USE.
   (B) OWNERS MAY PROVIDE VARIOUS METHODS OF ENTRY INTO INDIVIDUAL APART-
 MENTS  INCLUDING A MECHANICAL KEY OR A SMART ACCESS SYSTEM OF A KEY FOB,
 KEY CARD OR DIGITAL KEY, PROVIDED, HOWEVER THAT SUCH SMART ACCESS SYSTEM
 SHALL NOT RELY SOLELY ON A WEB-BASED APPLICATION.
   (C) NOTWITHSTANDING PARAGRAPH (A) OR (B) OF THIS  SUBDIVISION,  OWNERS
 SHALL  PROVIDE  A  NON-ELECTRONIC  MEANS OF ENTRY WHERE REQUESTED BY THE
 TENANT OR LAWFUL OCCUPANT DUE TO A RELIGIOUS PREFERENCE.
   (D) ALL LAWFUL TENANTS AND LAWFUL OCCUPANTS SHALL BE PROVIDED  WITH  A
 KEY,  KEY  FOB,  DIGITAL  KEY OR KEY CARD AT NO COST TO SUCH TENANTS AND
 LAWFUL OCCUPANTS. THE TERM "LAWFUL  OCCUPANTS"  SHALL  INCLUDE  CHILDREN
 UNDER  THE  AGE  OF EIGHTEEN WHO SHALL BE ISSUED A KEY, KEY FOB, DIGITAL
 KEYS OR KEY CARD IF A PARENT OR GUARDIAN REQUESTS SUCH CHILD BE PROVIDED
 WITH ONE. TENANTS AND LAWFUL OCCUPANTS MAY ALSO RECEIVE UP TO FOUR ADDI-
 TIONAL KEYS, KEY FOBS, DIGITAL KEYS OR KEY  CARDS  AT  NO  COST  TO  THE
 TENANT  OR  LAWFUL  OCCUPANT  FOR EMPLOYEES OR GUESTS. THE TERM "GUESTS"
 SHALL INCLUDE FAMILY MEMBERS AND FRIENDS WHO CAN REASONABLY BE  EXPECTED
 TO  VISIT  ON A REGULAR BASIS OR VISIT AS NEEDED TO CARE FOR THE TENANT,
 LAWFUL OCCUPANT, OR THE DWELLING UNIT IF THE TENANT OR  LAWFUL  OCCUPANT
 IS  AWAY.  EMPLOYEES,  INCLUDING CONTRACTORS, PROFESSIONAL CAREGIVERS OR
 OTHER SERVICES PROVIDERS, MAY HAVE AN EXPIRATION DATE  PLACED  ON  THEIR
 KEY,  KEY  CARD,  DIGITAL KEY OR KEY FOB, WHICH MAY BE EXTENDED UPON THE
 TENANT OR LAWFUL OCCUPANT'S REQUEST. TENANTS  OR  LAWFUL  OCCUPANTS  MAY
 REQUEST  A  NEW  OR REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR KEY CARD AT
 ANY TIME THROUGHOUT THE COURSE OF THE TENANCY. THE OWNER OR THEIR  AGENT
 SHALL  PROVIDE  THE  FIRST  REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR KEY
 CARD TO THE TENANT OR LAWFUL OCCUPANT FREE OF CHARGE. THE COST OF SECOND
 AND SUBSEQUENT REPLACEMENT CARDS SHALL NOT BE MORE THAN WHAT  THE  OWNER
 PAID FOR THE REPLACEMENT UP TO AND NOT EXCEEDING TWENTY-FIVE DOLLARS.
   (E)  THE  OWNER  SHALL NOT SET LIMITS ON THE NUMBER OF KEYS, KEY FOBS,
 DIGITAL KEYS OR KEY CARDS A TENANT OR LAWFUL OCCUPANT MAY REQUEST.
   (F) ANY DOOR THAT HAS A SMART ACCESS SYSTEM SHALL HAVE BACKUP POWER OR
 AN ALTERNATIVE MEANS OF ENTRY TO ENSURE THAT THE ENTRY SYSTEM  CONTINUES
 TO  OPERATE  DURING  A  POWER  OUTAGE.  AN  OWNER, OR THEIR AGENT, SHALL
 ROUTINELY INSPECT THE BACKUP POWER AND SHALL REPLACE ACCORDING TO SYSTEM
 SPECIFICATIONS. OWNERS OR THEIR AGENTS SHALL PROVIDE TENANTS AND  LAWFUL
 S. 2078--A                          8
 
 OCCUPANTS  WITH  INFORMATION ABOUT WHOM TO CONTACT IN THE EVENT THAT THE
 TENANT, LAWFUL OCCUPANT OR THE TENANT'S OR LAWFUL  OCCUPANT'S  CHILDREN,
 GUESTS OR EMPLOYEES BECOME LOCKED OUT.
   3.  NOTICE. OWNERS OR THEIR AGENTS SHALL PROVIDE NOTICE TO A TENANT OR
 LAWFUL OCCUPANT AT THE TIME THE TENANT  OR  LAWFUL  OCCUPANT  SIGNS  THE
 LEASE,  OR  WHEN THE SMART ACCESS SYSTEM IS INSTALLED, OF THE PROVISIONS
 OF SUBDIVISION TWO OF THIS SECTION.
   4. DATA COLLECTION. (A) IF A SMART ACCESS SYSTEM IS UTILIZED  TO  GAIN
 ENTRANCE TO A MULTIPLE DWELLING, THE ONLY REFERENCE, AUTHENTICATION, AND
 ACCOUNT INFORMATION GATHERED BY ANY SMART ACCESS SYSTEM SHALL BE LIMITED
 TO  ACCOUNT INFORMATION NECESSARY TO ENABLE THE USE OF SUCH SMART ACCESS
 SYSTEM, OR REFERENCE DATA, INCLUDING  THE  USER'S  NAME,  DWELLING  UNIT
 NUMBER AND OTHER DOORS OR COMMON AREAS TO WHICH THE USER HAS ACCESS, THE
 PREFERRED  METHOD  OF CONTACT FOR SUCH USER, INFORMATION USED TO GRANT A
 USER ENTRY OR TO ACCESS ANY ONLINE TOOLS USED TO  MANAGE  USER  ACCOUNTS
 RELATED  TO  SUCH  BUILDING, LEASE INFORMATION INCLUDING MOVE-IN AND, IF
 AVAILABLE MOVE-OUT DATES, AND AUTHENTICATION DATA SUCH AS TIME AND METH-
 OD OF ACCESS FOR SECURITY PURPOSES AND A PHOTOGRAPH OF ACCESS EVENTS FOR
 SECURITY PURPOSES. FOR SMART ACCESS SYSTEMS THAT RELY ON THE  COLLECTION
 OF BIOMETRIC DATA AND WHICH HAVE ALREADY BEEN INSTALLED AT THE TIME THIS
 SECTION SHALL HAVE BECOME A LAW, BIOMETRIC IDENTIFIER INFORMATION MAY BE
 COLLECTED  PURSUANT  TO  THIS  SECTION IN ORDER TO REGISTER A USER FOR A
 SMART ACCESS SYSTEM. NO NEW  SMART  ACCESS  SYSTEMS  THAT  RELY  ON  THE
 COLLECTION  OF  BIOMETRIC  DATA SHALL BE INSTALLED IN MULTIPLE DWELLINGS
 FOR THREE YEARS AFTER THE EFFECTIVE DATE OF THIS SECTION.
   (I) THE OWNER OF THE MULTIPLE DWELLING SHALL COLLECT ONLY THE  MINIMUM
 DATA  REQUIRED  BY  THE  TECHNOLOGY  USED  IN THE SMART ACCESS SYSTEM TO
 EFFECTUATE SUCH ENTRANCE AND PROTECT THE PRIVACY AND  SECURITY  OF  SUCH
 USERS.
   (II)  THE  OWNER OR AGENT OF THE OWNER SHALL NOT REQUEST OR RETAIN, IN
 ANY FORM, THE SOCIAL SECURITY NUMBER OF ANY TENANT OR LAWFUL OCCUPANT AS
 A CONDITION OF USE OF THE SMART ACCESS SYSTEM.
   (III) THE OWNER, AGENT OF THE OWNER, OR THE VENDOR OF A  SMART  ACCESS
 SYSTEM  ON BEHALF OF THE OWNER MAY RECORD EACH TIME A KEY FOB, KEY CARD,
 DIGITAL KEY OR PASSCODE IS USED TO ENTER THE  BUILDING,  BUT  SHALL  NOT
 RECORD ANY DEPARTURES.
   (IV) A COPY OF SUCH DATA MAY BE RETAINED FOR REFERENCE AT THE POINT OF
 AUTHENTICATION BY THE SMART ACCESS SYSTEM.  SUCH REFERENCE DATA SHALL BE
 RETAINED ONLY FOR TENANTS OR LAWFUL OCCUPANTS OR THOSE AUTHORIZED BY THE
 TENANT, LAWFUL OCCUPANT, OR OWNER OF THE MULTIPLE DWELLING.
   (V)  THE  OWNER  OF  THE  MULTIPLE  DWELLING  OR ANY THIRD PARTY SHALL
 DESTROY OR ANONYMIZE AUTHENTICATION DATA COLLECTED FROM OR GENERATED  BY
 SUCH  SMART  ACCESS  SYSTEM WITHIN A REASONABLE TIME, BUT NOT LATER THAN
 NINETY DAYS AFTER THE DATE COLLECTED.
   (VI) REFERENCE DATA FOR A USER SHALL BE DESTROYED OR ANONYMIZED WITHIN
 NINETY DAYS OF (1) THE TENANT OR LAWFUL  OCCUPANT  PERMANENTLY  VACATING
 THE DWELLING, OR (2) A REQUEST BY THE TENANT OR LAWFUL OCCUPANT TO WITH-
 DRAW  AUTHORIZATION  FOR  THOSE  PREVIOUSLY  AUTHORIZED BY THE TENANT OR
 LAWFUL OCCUPANT.
   (B) (I) AN ENTITY SHALL NOT CAPTURE BIOMETRIC  IDENTIFIER  INFORMATION
 OF  AN  INDIVIDUAL  TO  GAIN  ENTRANCE TO A MULTIPLE DWELLING UNLESS THE
 PERSON IS A TENANT OR LAWFUL OCCUPANT OR  A  PERSON  AUTHORIZED  BY  THE
 TENANT  OR  LAWFUL OCCUPANT, AND INFORMS THE INDIVIDUAL BEFORE CAPTURING
 THE BIOMETRIC IDENTIFIER INFORMATION; AND RECEIVES THEIR EXPRESS CONSENT
 TO CAPTURE THE BIOMETRIC IDENTIFIER INFORMATION.
 S. 2078--A                          9
 
   (II) ANY ENTITY THAT POSSESSES BIOMETRIC IDENTIFIER INFORMATION OF  AN
 INDIVIDUAL THAT IS CAPTURED TO GAIN ENTRANCE TO A MULTIPLE DWELLING:
   (1)  SHALL NOT SELL, LEASE OR OTHERWISE DISCLOSE THE BIOMETRIC IDENTI-
 FIER INFORMATION TO ANOTHER PERSON UNLESS PURSUANT  TO  ANY  LAW,  GRAND
 JURY  SUBPOENA  OR  COURT ORDERED WARRANT, SUBPOENA, OR OTHER AUTHORIZED
 COURT ORDERED PROCESS.
   (2) SHALL STORE, TRANSMIT AND PROTECT FROM  DISCLOSURE  THE  BIOMETRIC
 IDENTIFIER INFORMATION USING REASONABLE CARE AND IN A MANNER THAT IS THE
 SAME  AS  OR MORE PROTECTIVE THAN THE MANNER IN WHICH THE PERSON STORES,
 TRANSMITS AND PROTECTS CONFIDENTIAL INFORMATION  THE  PERSON  POSSESSES;
 AND
   (3)  SHALL  DESTROY  THE  BIOMETRIC  IDENTIFIER  INFORMATION  WITHIN A
 REASONABLE TIME, BUT NOT LATER THAN FORTY-EIGHT  HOURS  AFTER  THE  DATE
 COLLECTED,  EXCEPT  FOR REFERENCE DATA. IF ANY PROHIBITED INFORMATION IS
 COLLECTED, SUCH AS THE LIKENESS OF A MINOR OR A NON-TENANT, THE INFORMA-
 TION SHALL BE DESTROYED IMMEDIATELY.
   (C) THE OWNER OF THE MULTIPLE DWELLING, OR THE MANAGING  AGENT,  SHALL
 DEVELOP  AND  PROVIDE TO TENANTS AND LAWFUL OCCUPANTS WRITTEN PROCEDURES
 WHICH DESCRIBE THE PROCESS USED TO ADD PERSONS AUTHORIZED BY THE  TENANT
 OR  LAWFUL  OCCUPANT TO THE SMART ACCESS SYSTEM ON A TEMPORARY OR PERMA-
 NENT BASIS, SUCH AS VISITORS, CHILDREN, THEIR EMPLOYEES, AND  CAREGIVERS
 TO SUCH BUILDING.
   (I) THE PROCEDURES SHALL CLEARLY ESTABLISH THE OWNER'S RETENTION SCHE-
 DULE  AND  GUIDELINES FOR PERMANENTLY DESTROYING OR ANONYMIZING THE DATA
 COLLECTED.
   (II) THE PROCEDURES SHALL NOT LIMIT TIME OR PLACE OF ENTRANCE BY  SUCH
 PEOPLE  AUTHORIZED  BY THE TENANT OR LAWFUL OCCUPANT EXCEPT AS REQUESTED
 BY THE TENANT OR LAWFUL OCCUPANT.
   5. PROHIBITIONS. (A) NO FORM OF LOCATION TRACKING, INCLUDING  BUT  NOT
 LIMITED  TO  SATELLITE LOCATION BASED SERVICES, SHALL BE INCLUDED IN ANY
 EQUIPMENT, KEY, OR SOFTWARE PROVIDED TO USERS AS PART OF A SMART  ACCESS
 SYSTEM.
   (B)  IT  SHALL  BE PROHIBITED TO COLLECT THROUGH A SMART ACCESS SYSTEM
 THE LIKENESS OF A MINOR OCCUPANT, INFORMATION ON THE RELATIONSHIP STATUS
 OF TENANTS OR LAWFUL OCCUPANTS AND THEIR  GUESTS,  OR  TO  USE  A  SMART
 ACCESS  SYSTEM  TO  COLLECT OR TRACK INFORMATION ABOUT THE FREQUENCY AND
 TIME OF USE OF SUCH SYSTEM BY A TENANT  OR  LAWFUL  OCCUPANT  AND  THEIR
 GUESTS  TO  HARASS OR EVICT A TENANT OR LAWFUL OCCUPANT OR FOR ANY OTHER
 PURPOSE NOT EXPRESSLY RELATED TO  THE  OPERATION  OF  THE  SMART  ACCESS
 SYSTEM.
   (C)  INFORMATION THAT IS ACQUIRED VIA THE USE OF A SMART ACCESS SYSTEM
 SHALL NOT BE USED FOR ANY PURPOSES OTHER THAN  GRANTING  ACCESS  TO  AND
 MONITORING  BUILDING  ENTRANCES  AND  SHALL  NOT BE USED AS THE BASIS OR
 SUPPORT FOR AN ACTION TO EVICT A LESSEE, TENANT, OR LAWFUL OCCUPANT,  OR
 AN ADMINISTRATIVE HEARING SEEKING A CHANGE IN REGULATORY COVERAGE FOR AN
 INDIVIDUAL  OR  UNIT. HOWEVER, A TENANT OR LAWFUL OCCUPANT MAY AUTHORIZE
 THEIR INFORMATION TO BE USED BY A THIRD PARTY, BUT SUCH A REQUEST  SHALL
 CLEARLY STATE WHO WILL HAVE ACCESS TO SUCH INFORMATION, FOR WHAT PURPOSE
 IT  WILL  BE  USED,  AND  THE  PRIVACY POLICIES WHICH WILL PROTECT THEIR
 INFORMATION. UNDER NO CIRCUMSTANCES  SHALL  A  LEASE  OR  A  RENEWAL  BE
 CONTINGENT  UPON  AUTHORIZING  SUCH  USE.  SMART  ACCESS SYSTEMS MAY USE
 THIRD-PARTY SERVICES TO THE EXTENT  REQUIRED  TO  MAINTAIN  AND  OPERATE
 SYSTEM  INFRASTRUCTURE,  INCLUDING  CLOUD-BASED HOSTING AND STORAGE. THE
 PROVIDER OR PROVIDERS OF THIRD-PARTY INFRASTRUCTURE SERVICES SHALL  MEET
 OR EXCEED THE PRIVACY PROTECTIONS SET FORTH IN THIS SECTION AND SHALL BE
 S. 2078--A                         10
 
 SUBJECT  TO  THE SAME LIABILITY FOR BREACH OF ANY OF THE REQUIREMENTS OF
 THIS SECTION.
   (D)  INFORMATION AND DATA COLLECTED SHALL NOT BE MADE AVAILABLE TO ANY
 THIRD PARTY, UNLESS AUTHORIZED AS DESCRIBED IN  PARAGRAPH  (C)  OF  THIS
 SUBDIVISION, INCLUDING BUT NOT LIMITED TO LAW ENFORCEMENT, EXCEPT UPON A
 GRAND  JURY  SUBPOENA  OR  A  COURT  ORDERED WARRANT, SUBPOENA, OR OTHER
 AUTHORIZED COURT ORDERED PROCESS.
   6. STORAGE OF INFORMATION. ANY INFORMATION OR DATA COLLECTED SHALL  BE
 STORED IN A SECURE MANNER TO PREVENT UNAUTHORIZED ACCESS BY BOTH EMPLOY-
 EES  AND  CONTRACTORS  AND  THOSE  UNAFFILIATED  WITH THE OWNER OR THEIR
 AGENTS, EXCEPT AS OTHERWISE PROVIDED IN THIS SECTION. FUTURE OR CONTINU-
 ING TENANCY SHALL NOT BE CONDITIONED UPON CONSENTING TO  THE  USE  OF  A
 SMART ACCESS SYSTEM.
   7.  SOFTWARE ISSUES. WHENEVER A COMPANY THAT PRODUCES, MAKES AVAILABLE
 OR INSTALLS SMART ACCESS SYSTEMS DISCOVERS A SECURITY BREACH OR CRITICAL
 SECURITY VULNERABILITY IN THEIR  SOFTWARE,  SUCH  COMPANY  SHALL  NOTIFY
 CUSTOMERS  OF  SUCH  VULNERABILITY WITHIN A REASONABLE TIME OF DISCOVERY
 BUT NO LATER THAN TWENTY-FOUR HOURS AFTER DISCOVERY AND SHALL MAKE SOFT-
 WARE UPDATES AVAILABLE AND TAKE ANY OTHER ACTION AS MAY BE NECESSARY  TO
 REPAIR  THE  VULNERABILITY WITHIN A REASONABLE TIME, BUT NOT LONGER THAN
 THIRTY DAYS AFTER DISCOVERY. SMART  ACCESS  SYSTEMS  AND  VENDORS  SHALL
 IMPLEMENT  AND  MAINTAIN  REASONABLE  SECURITY  PROCEDURES AND PRACTICES
 APPROPRIATE TO THE NATURE OF THE INFORMATION  COLLECTED.  IN  THE  EVENT
 THAT  A SECURITY BREACH OR CRITICAL SECURITY VULNERABILITY THAT PERTAINS
 TO THE EMBEDDED SOFTWARE OR FIRMWARE ON  THE  SMART  ACCESS  SYSTEMS  IS
 DISCOVERED, SMART ACCESS SYSTEMS AND THEIR VENDORS SHALL:
   (A)  BE  ABLE TO CREATE UPDATES TO THE FIRMWARE TO CORRECT THE VULNER-
 ABILITIES;
   (B) CONTRACTUALLY COMMIT TO CUSTOMERS THAT THE SMART ACCESS SYSTEM  OR
 VENDOR WILL CREATE UPDATES TO THE EMBEDDED SOFTWARE OR FIRMWARE TO REME-
 DY THE VULNERABILITIES; AND
   (C)  MAKE SUCH SECURITY-RELATED SOFTWARE OR FIRMWARE UPDATES AVAILABLE
 FOR FREE TO CUSTOMERS FOR THE  DURATION  OF  THE  CONTRACT  BETWEEN  THE
 BUILDING AND SMART ACCESS SYSTEMS.
   8.  WAIVER  OF  RIGHTS; VOID. ANY AGREEMENT BY A LESSEE OR TENANT OF A
 DWELLING WAIVING OR MODIFYING THEIR RIGHTS AS SET FORTH IN THIS  SECTION
 SHALL BE VOID AS CONTRARY TO PUBLIC POLICY.
   9.  PENALTIES. (A) A PERSON WHO VIOLATES THIS SECTION SHALL BE SUBJECT
 TO A CIVIL PENALTY OF NOT MORE  THAN  FIVE  THOUSAND  DOLLARS  FOR  EACH
 VIOLATION.    THE  ATTORNEY  GENERAL  MAY BRING AN ACTION TO RECOVER THE
 CIVIL PENALTY. AN INDIVIDUAL INJURED BY A VIOLATION OF THIS SECTION  MAY
 BRING  AN  ACTION  TO RECOVER DAMAGES. A COURT MAY ALSO AWARD ATTORNEYS'
 FEES TO A PREVAILING PLAINTIFF.
   (B) WHERE AN OWNER OR THEIR AGENT USES A SMART ACCESS SYSTEM TO HARASS
 OR OTHERWISE DEPRIVE A TENANT OR LAWFUL OCCUPANT OF ANY RIGHTS AVAILABLE
 UNDER LAW, SUCH OWNER OR AGENT SHALL BE SUBJECT TO A  CIVIL  PENALTY  OF
 TEN THOUSAND DOLLARS FOR EACH VIOLATION.
   (C)  FOR  PURPOSES  OF THIS SUBDIVISION, EACH DAY THE VIOLATION OCCURS
 SHALL BE CONSIDERED A SEPARATE VIOLATION.
   10. RENT REGULATED DWELLINGS. INSTALLATION OF A  SMART  ACCESS  SYSTEM
 PURSUANT  TO  THIS SECTION IN A DWELLING SUBJECT TO THE EMERGENCY TENANT
 PROTECTION ACT OF NINETEEN HUNDRED SEVENTY-FOUR, THE  EMERGENCY  HOUSING
 RENT  CONTROL  LAW, THE LOCAL EMERGENCY HOUSING RENT CONTROL ACT, OR THE
 RENT STABILIZATION LAW OF NINETEEN HUNDRED SIXTY-NINE SHALL CONSTITUTE A
 MODIFICATION OF SERVICES REQUIRING THE OWNER OF SUCH DWELLING  OR  THEIR
 AGENT  TO  APPLY  TO  THE  DIVISION OF HOUSING AND COMMUNITY RENEWAL FOR
 S. 2078--A                         11
 
 APPROVAL BEFORE PERFORMING SUCH INSTALLATION.  SUCH  INSTALLATION  SHALL
 NOT QUALIFY AS A BASIS FOR RENT REDUCTION.
   11.  EXEMPTIONS.  (A) NOTHING HEREIN SHALL APPLY TO MULTIPLE DWELLINGS
 OWNED OR MANAGED BY AN ENTITY SUBJECT TO 42 U.S.C. § 1437  ET  SEQ.,  OR
 ANY OF ITS SUBSIDIARIES.
   (B)  NOTHING IN THIS SECTION SHALL LIMIT THE AUTHORITY OF THE DIVISION
 OF HOUSING AND  COMMUNITY  RENEWAL  TO  IMPOSE  ADDITIONAL  REQUIREMENTS
 REGARDING SMART ACCESS SYSTEMS INSTALLED IN MULTIPLE DWELLINGS FOR WHICH
 THE  DIVISION  IS  REQUIRED TO APPROVE SUBSTITUTIONS OR MODIFICATIONS OF
 SERVICES.
   § 3. Severability. If any provision of this act, or any application of
 any provision of this act, is held to be invalid, that shall not  affect
 the  validity or effectiveness of any other provision of this act, or of
 any  other application of any provision of this act, which can  be given
 effect  without  that  provision  or  application;  and to that end, the
 provisions and applications of this act are severable.
   § 4. This act shall take effect on the one hundred eightieth day after
 it shall have become a law.

co-Sponsors

2023-S2078B (ACTIVE) - Details

See Assembly Version of this Bill:: A48
Current Committee:: Assembly Codes
Law Section:: Multiple Dwelling Law
Laws Affected:: Add §50-b, Mult Dwell L; add §130-a, Mult Res L
Versions Introduced in Other Legislative Sessions:: 2019-2020: S5125, A6788
2021-2022: S6463, A706

2023-S2078B (ACTIVE) - Summary

Relates to limitations on the use of smart access systems; restricts information that may be gathered on lessees, tenants, owners or guests.

2023-S2078B (ACTIVE) - Sponsor Memo

                                 
BILL NUMBER: S2078B

SPONSOR: KAVANAGH
 
TITLE OF BILL:

An act to amend the multiple dwelling law and the multiple residence
law, in relation to the use of smart access systems and the information
that may be gathered from such systems

 
PURPOSE:

This legislation relates to limitations on electronic or computerized
systems for entry.

 
SUMMARY OF PROVISIONS:

Section 1 of the bill amends the multiple dwelling law by adding a new
section 50-b.

Section 2 of the bill amends the multiple residence law by adding new
section 130-a.

Respectively in the new sections 50-b of the multiple dwelling law and
130-a of the multiple residence law:

Subdivision 1 sets forth definitions.

Subdivision 2 requires that every entrance to a class A multiple dwell-
ing does not rely on an electronic or computerized system for entry,
that landlords must provide to lawful tenants and occupants with alter-
native non-electronic means of entry where requested, and for backup
power or alternative means of entry to be operable during a power
outage.

Subdivision 3 requires landlords or their agents to provide notice to a
tenant of the above provisions at the time of lease signing or when the
computerized entry system is installed.

Subdivision 4 sets limitations on the collection, management, utiliza-
tion, and disposal of data gathered by electronic and/or computerized
entry systems and by building owners, agents of owners, and utilized
vendors who use such entry systems. No new electronic and/or computer-
ized entry systems that rely on the collection of biometric data shall
be installed in class A multiple dwellings for three years after this
bill becomes law.

Subdivision 5 prohibits location tracking and capturing the likeness of
a minor occupant by electronic and/or computerized entry systems.
Information collected by such entry systems cannot be used as the basis
or support for an action to evict a lessee or tenant and cannot be made
available to any third party without authorization from a tenant.

Subdivision 6 requires secure storage of information or data collected
to prevent unauthorized access. It also prohibits conditioning continued
or future tenancy upon consenting to the use of an electronic and/or
computerized entry system.

Subdivision 7 provides that if any entity that produces, makes avail-
able, or installs the electronic or computerized entry system discovers
a security breach or vulnerability in the software, that entity is
required to notify customers no later than 24 hours after discovery and
to take actions necessary to address the discovery within a reasonable
time that is not longer than 30 days.

Subdivision 8 provides that any agreement by a lessee or tenant of a
dwelling waiving or modifying his or her rights as set forth In this
section shall be void as contrary to public policy.

Subdivision 9 subjects any person or entity violating this section to a
civil penalty.

Subdivision 10 requires that any installation of an electronic and/or
computerized entry system in rent-regulated housing shall constitute a
modification of services and must receive approval from the Division of
Housing and Community Renewal prior to installation.

Subdivision 11 provides for the exemption of multiple dwellings owned or
managed by an entity subject to 42 U.S.C. § 1437 et seq. or any of its
subsidiaries, or multiple dwellings primarily occupied by transient
occupants for less than thirty days from this act.

Section 3 sets forth severability provisions.

Section 4 sets forth the effective date.

 
JUSTIFICATION:

Electronic and computerized entry systems for residential buildings can
pose serious threats to privacy rights of tenants and their guests. This
legislation seeks to establish protections for individuals entering a
class A multiple dwelling and prohibits landlords from requiring tenants
to use keyless entry systems as a condition of their tenancy. This
legislation sets limits on the sharing and storing of information and
prohibits the use of any information gathered via the system as the
basis of any proceeding against a tenant.

 
LEGISLATIVE HISTORY:

2022: S6463A (Kavanagh) / A706C (Rosenthal L) HOUSING/housing

2020:  S51258 (Montgomery) / A67888 (Rosenthal L) - JUDICIARY/housing

 
FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS:

Minimal.

 
EFFECTIVE DATE:
This act shall take effect on the one hundred eightieth day after it
shall have become a law.

2023-S2078B (ACTIVE) - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                  2078--B
     Cal. No. 1016
 
                        2023-2024 Regular Sessions
 
                             I N  S E N A T E
 
                             January 18, 2023
                                ___________
 
 Introduced by Sens. KAVANAGH, KRUEGER -- read twice and ordered printed,
   and  when  printed  to  be  committed  to  the  Committee  on Housing,
   Construction and Community Development -- committee  discharged,  bill
   amended,  ordered reprinted as amended and recommitted to said commit-
   tee -- recommitted to  the  Committee  on  Housing,  Construction  and
   Community  Development  in  accordance  with  Senate Rule 6, sec. 8 --
   reported favorably from said committee, ordered to  first  and  second
   report,  ordered  to  a  third reading, amended and ordered reprinted,
   retaining its place in the order of third reading
 
 AN ACT to amend the multiple dwelling law  and  the  multiple  residence
   law,  in  relation to the use of smart access systems and the informa-
   tion that may be gathered from such systems
 
   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section  1.  The  multiple  dwelling  law  is  amended by adding a new
 section 50-b to read as follows:
   § 50-B. ELECTRONIC OR COMPUTERIZED ENTRY SYSTEMS. 1.  DEFINITIONS. FOR
 THE PURPOSES OF THIS SECTION, THE FOLLOWING TERMS SHALL HAVE THE FOLLOW-
 ING MEANINGS:
   A. "ACCOUNT INFORMATION" MEANS INFORMATION THAT IS  USED  TO  GRANT  A
 USER  ENTRY  OR  ACCESS TO ANY ONLINE TOOLS THAT ARE USED TO MANAGE USER
 ACCOUNTS RELATED TO A SMART ACCESS SYSTEM.
   B. "AUTHENTICATION DATA" MEANS DATA  GENERATED  OR  COLLECTED  AT  THE
 POINT  OF  AUTHENTICATION  IN CONNECTION WITH GRANTING A USER ENTRY TO A
 CLASS A MULTIPLE DWELLING, DWELLING UNIT OF  SUCH  BUILDING,  OR  COMMON
 AREA  OF  SUCH  BUILDING  THROUGH  A SMART ACCESS SYSTEM, EXCEPT THAT IT
 SHALL NOT INCLUDE DATA GENERATED THROUGH OR  COLLECTED  BY  A  VIDEO  OR
 CAMERA SYSTEM THAT IS USED TO MONITOR ENTRANCES BUT NOT TO GRANT ENTRY.
   C.  "BIOMETRIC  IDENTIFIER INFORMATION" MEANS A PHYSIOLOGICAL, BIOLOG-
 ICAL OR BEHAVIORAL CHARACTERISTIC THAT IS USED TO IDENTIFY, OR ASSIST IN
 IDENTIFYING, AN INDIVIDUAL, INCLUDING, BUT NOT LIMITED TO: (I) A  RETINA
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.

                                                            LBD00692-11-4
 S. 2078--B                          2
 
 OR  IRIS  SCAN,  (II)  A FINGERPRINT, (III) A VOICEPRINT, (IV) A SCAN OR
 RECORD OF A PALM, HAND, OR FACE GEOMETRY, (V) GAIT OR MOVEMENT PATTERNS,
 OR (VI) ANY OTHER SIMILAR IDENTIFYING CHARACTERISTIC THAT  CAN  BE  USED
 ALONE  OR  IN COMBINATION WITH EACH OTHER, OR WITH OTHER INFORMATION, TO
 ESTABLISH INDIVIDUAL IDENTITY.
   D. "CRITICAL SECURITY VULNERABILITY" MEANS  A  SECURITY  VULNERABILITY
 THAT HAS A SIGNIFICANT RISK OF RESULTING IN AN UNAUTHORIZED ACCESS TO AN
 AREA SECURED BY A SMART ACCESS SYSTEM.
   E.  "REFERENCE  DATA"  MEANS  INFORMATION AGAINST WHICH AUTHENTICATION
 DATA IS VERIFIED AT THE POINT OF AUTHENTICATION BY A SMART ACCESS SYSTEM
 IN ORDER TO GRANT A USER ENTRY TO A CLASS A MULTIPLE DWELLING,  DWELLING
 UNIT OF SUCH BUILDING, OR COMMON AREA OF SUCH BUILDING.
   F.  "SECURITY  BREACH" MEANS ANY INCIDENT THAT RESULTS IN UNAUTHORIZED
 ACCESS OF DATA, APPLICATIONS, SERVICES, NETWORKS OR DEVICES BY BYPASSING
 UNDERLYING SECURITY MECHANISMS. A "SECURITY BREACH" OCCURS WHEN AN INDI-
 VIDUAL OR AN APPLICATION ILLEGITIMATELY ENTERS A  PRIVATE,  CONFIDENTIAL
 OR UNAUTHORIZED LOGICAL INFORMATION TECHNOLOGY PERIMETER.
   G.  "SMART  ACCESS  SYSTEM"  MEANS  ANY SYSTEM THAT USES ELECTRONIC OR
 COMPUTERIZED TECHNOLOGY, A RADIO FREQUENCY IDENTIFICATION CARD, A MOBILE
 PHONE  APPLICATION,  BIOMETRIC  IDENTIFIER  INFORMATION,  OR  ANY  OTHER
 DIGITAL TECHNOLOGY IN ORDER TO GRANT ACCESS TO A CLASS A MULTIPLE DWELL-
 ING,  COMMON AREAS IN SUCH MULTIPLE DWELLING, OR TO AN INDIVIDUAL DWELL-
 ING UNIT IN SUCH MULTIPLE DWELLING.
   H. "THIRD PARTY" MEANS AN ENTITY THAT INSTALLS, OPERATES OR  OTHERWISE
 DIRECTLY  SUPPORTS A SMART ACCESS SYSTEM, AND HAS ONGOING ACCESS TO USER
 DATA, EXCLUDING ANY ENTITY THAT SOLELY HOSTS SUCH DATA.
   I. "USER" MEANS A TENANT OR LAWFUL OCCUPANT  OF  A  CLASS  A  MULTIPLE
 DWELLING,  AND  ANY PERSON A TENANT OR LAWFUL OCCUPANT HAS REQUESTED, IN
 WRITING OR THROUGH A MOBILE  APPLICATION,  BE  GRANTED  ACCESS  TO  SUCH
 TENANT  OR  LAWFUL  OCCUPANT'S  DWELLING  UNIT AND SUCH BUILDING'S SMART
 ACCESS SYSTEM.
   2. ENTRY. A. WHERE AN OWNER INSTALLS  OR  PLANS  TO  INSTALL  A  SMART
 ACCESS  SYSTEM ON ANY ENTRANCE FROM THE STREET, PASSAGEWAY, COURT, YARD,
 CELLAR, OR OTHER COMMON AREA OF A CLASS A MULTIPLE DWELLING, SUCH SYSTEM
 SHALL NOT RELY SOLELY ON A WEB-BASED APPLICATION TO FACILITATE  ENTRANCE
 BUT  SHALL ALSO INCLUDE A KEY FOB, KEY CARD, DIGITAL KEY OR PASSCODE FOR
 TENANT USE.
   B. OWNERS MAY PROVIDE VARIOUS METHODS OF ENTRY INTO INDIVIDUAL  APART-
 MENTS  INCLUDING A MECHANICAL KEY OR A SMART ACCESS SYSTEM OF A KEY FOB,
 KEY CARD OR DIGITAL KEY, PROVIDED, HOWEVER THAT SUCH SMART ACCESS SYSTEM
 SHALL NOT RELY SOLELY ON A WEB-BASED APPLICATION.
   C. NOTWITHSTANDING PARAGRAPH A OR B OF THIS SUBDIVISION, OWNERS  SHALL
 PROVIDE A NON-ELECTRONIC MEANS OF ENTRY WHERE REQUESTED BY THE TENANT OR
 LAWFUL OCCUPANT DUE TO A RELIGIOUS PREFERENCE.
   D.  ALL  LAWFUL  TENANTS AND LAWFUL OCCUPANTS SHALL BE PROVIDED WITH A
 KEY, KEY FOB, DIGITAL KEY OR KEY CARD AT NO COST  TO  SUCH  TENANTS  AND
 LAWFUL  OCCUPANTS.  THE  TERM  "LAWFUL OCCUPANTS" SHALL INCLUDE CHILDREN
 UNDER THE AGE OF EIGHTEEN WHO SHALL BE ISSUED A KEY,  KEY  FOB,  DIGITAL
 KEY  OR KEY CARD IF A PARENT OR GUARDIAN REQUESTS SUCH CHILD BE PROVIDED
 WITH ONE. TENANTS AND LAWFUL OCCUPANTS MAY ALSO RECEIVE UP TO FOUR ADDI-
 TIONAL KEYS, KEY FOBS, DIGITAL KEYS OR KEY  CARDS  AT  NO  COST  TO  THE
 TENANT  OR  LAWFUL  OCCUPANT  FOR EMPLOYEES OR GUESTS. THE TERM "GUESTS"
 SHALL INCLUDE FAMILY MEMBERS AND FRIENDS WHO CAN REASONABLY BE  EXPECTED
 TO  VISIT  ON A REGULAR BASIS OR VISIT AS NEEDED TO CARE FOR THE TENANT,
 LAWFUL OCCUPANT, OR THE DWELLING UNIT IF THE TENANT  OR LAWFUL  OCCUPANT
 IS  AWAY.  EMPLOYEES,  INCLUDING CONTRACTORS, PROFESSIONAL CAREGIVERS OR
 S. 2078--B                          3

 OTHER SERVICES PROVIDERS, MAY HAVE AN EXPIRATION DATE  PLACED  ON  THEIR
 KEY,  KEY  CARD,  DIGITAL KEY OR KEY FOB, WHICH MAY BE EXTENDED UPON THE
 TENANT'S OR LAWFUL OCCUPANT'S REQUEST.  TENANTS OR LAWFUL OCCUPANTS  MAY
 REQUEST  A  NEW  OR REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR KEY CARD AT
 ANY TIME THROUGHOUT THE COURSE OF THE TENANCY OR OCCUPANCY.   THE  OWNER
 OR THEIR AGENT SHALL PROVIDE THE FIRST REPLACEMENT KEY, KEY FOB, DIGITAL
 KEY  OR  KEY  CARD  TO THE TENANT OR LAWFUL OCCUPANT FREE OF CHARGE. THE
 COST OF SECOND AND SUBSEQUENT REPLACEMENT CARDS SHALL NOT BE  MORE  THAN
 WHAT  THE OWNER PAID FOR THE REPLACEMENT UP TO AND NOT EXCEEDING TWENTY-
 FIVE DOLLARS.
   E. THE OWNER SHALL NOT SET LIMITS ON THE NUMBER  OF  KEYS,  KEY  FOBS,
 DIGITAL KEYS OR KEY CARDS A TENANT OR LAWFUL OCCUPANT MAY REQUEST.
   F.  ANY DOOR THAT HAS A SMART ACCESS SYSTEM SHALL HAVE BACKUP POWER OR
 AN ALTERNATIVE MEANS OF ENTRY TO ENSURE THAT THE ENTRY SYSTEM  CONTINUES
 TO  OPERATE  DURING  A  POWER  OUTAGE.  AN  OWNER, OR THEIR AGENT, SHALL
 ROUTINELY INSPECT THE BACKUP POWER AND SHALL REPLACE ACCORDING TO SYSTEM
 SPECIFICATIONS.  OWNERS OR THEIR AGENTS SHALL PROVIDE TENANTS AND LAWFUL
 OCCUPANTS WITH INFORMATION ABOUT WHOM TO CONTACT IN THE EVENT  THAT  THE
 TENANT,  LAWFUL  OCCUPANT OR THE TENANT'S OR LAWFUL OCCUPANT'S CHILDREN,
 GUESTS OR EMPLOYEES BECOME LOCKED OUT.
   3. NOTICE. OWNERS OR THEIR AGENTS SHALL PROVIDE NOTICE TO A TENANT  OR
 LAWFUL  OCCUPANT  AT  THE  TIME  THE TENANT OR LAWFUL OCCUPANT SIGNS THE
 LEASE, OR WHEN THE SMART ACCESS SYSTEM IS INSTALLED, OF  THE  PROVISIONS
 OF SUBDIVISION TWO OF THIS SECTION.
   4.  DATA  COLLECTION.  A. IF A SMART ACCESS SYSTEM IS UTILIZED TO GAIN
 ENTRANCE TO A CLASS A MULTIPLE DWELLING, THE ONLY REFERENCE, AUTHENTICA-
 TION, AND ACCOUNT INFORMATION GATHERED BY ANY SMART ACCESS SYSTEM  SHALL
 BE  LIMITED  TO  ACCOUNT INFORMATION NECESSARY TO ENABLE THE USE OF SUCH
 SMART ACCESS SYSTEM, OR  REFERENCE  DATA,  INCLUDING  THE  USER'S  NAME,
 DWELLING  UNIT  NUMBER AND OTHER DOORS OR COMMON AREAS TO WHICH THE USER
 HAS ACCESS, THE PREFERRED METHOD OF CONTACT FOR SUCH  USER,  INFORMATION
 USED  TO GRANT A USER ENTRY OR TO ACCESS ANY ONLINE TOOLS USED TO MANAGE
 USER ACCOUNTS RELATED TO  SUCH  BUILDING,  LEASE  INFORMATION  INCLUDING
 MOVE-IN  AND,  IF AVAILABLE MOVE-OUT DATES, AND AUTHENTICATION DATA SUCH
 AS TIME AND METHOD OF ACCESS FOR SECURITY PURPOSES AND A  PHOTOGRAPH  OF
 ACCESS  EVENTS FOR SECURITY PURPOSES. FOR SMART ACCESS SYSTEMS THAT RELY
 ON THE  COLLECTION  OF  BIOMETRIC  DATA  AND  WHICH  HAVE  ALREADY  BEEN
 INSTALLED  AT  THE  TIME THIS SECTION SHALL HAVE BECOME A LAW, BIOMETRIC
 IDENTIFIER INFORMATION MAY BE COLLECTED  PURSUANT  TO  THIS  SECTION  IN
 ORDER TO REGISTER A USER FOR A SMART ACCESS SYSTEM.  NO NEW SMART ACCESS
 SYSTEMS THAT RELY ON THE COLLECTION OF BIOMETRIC DATA SHALL BE INSTALLED
 IN  CLASS  A MULTIPLE DWELLINGS FOR THREE YEARS AFTER THE EFFECTIVE DATE
 OF THIS SECTION.
   (I) THE OWNER OF THE MULTIPLE DWELLING MAY COLLECT  ONLY  THE  MINIMUM
 DATA  REQUIRED  BY  THE  TECHNOLOGY  USED  IN THE SMART ACCESS SYSTEM TO
 EFFECTUATE SUCH ENTRANCE AND PROTECT THE PRIVACY AND  SECURITY  OF  SUCH
 USERS.
   (II)  THE  OWNER OR AGENT OF THE OWNER SHALL NOT REQUEST OR RETAIN, IN
 ANY FORM, THE SOCIAL SECURITY NUMBER OF ANY TENANT OR LAWFUL OCCUPANT AS
 A CONDITION OF USE OF THE SMART ACCESS SYSTEM.
   (III) THE OWNER, AGENT OF THE OWNER, OR THE VENDOR OF A  SMART  ACCESS
 SYSTEM  ON BEHALF OF THE OWNER MAY RECORD EACH TIME A KEY FOB, KEY CARD,
 DIGITAL KEY OR PASSCODE IS USED TO ENTER THE  BUILDING,  BUT  SHALL  NOT
 RECORD ANY DEPARTURES.
   (IV) A COPY OF SUCH DATA MAY BE RETAINED FOR REFERENCE AT THE POINT OF
 AUTHENTICATION  BY THE SMART ACCESS SYSTEM. SUCH REFERENCE DATA SHALL BE
 S. 2078--B                          4
 
 RETAINED ONLY FOR TENANTS  OR LAWFUL OCCUPANTS OR  THOSE  AUTHORIZED  BY
 THE TENANT, LAWFUL OCCUPANT, OR OWNER OF THE MULTIPLE DWELLING.
   (V)  THE  OWNER  OF  THE  MULTIPLE  DWELLING  OR ANY THIRD PARTY SHALL
 DESTROY OR ANONYMIZE AUTHENTICATION DATA COLLECTED FROM OR GENERATED  BY
 SUCH  SMART  ACCESS  SYSTEM WITHIN A REASONABLE TIME, BUT NOT LATER THAN
 NINETY DAYS AFTER THE DATE COLLECTED.
   (VI) REFERENCE DATA FOR A USER SHALL BE DESTROYED OR ANONYMIZED WITHIN
 NINETY DAYS OF (1) THE TENANT OR LAWFUL  OCCUPANT  PERMANENTLY  VACATING
 THE DWELLING, OR (2) A REQUEST BY THE TENANT OR LAWFUL OCCUPANT TO WITH-
 DRAW  AUTHORIZATION  FOR  THOSE  PREVIOUSLY  AUTHORIZED BY THE TENANT OR
 LAWFUL OCCUPANT.
   B. (I) AN ENTITY SHALL NOT CAPTURE BIOMETRIC IDENTIFIER INFORMATION OF
 AN INDIVIDUAL TO GAIN ENTRANCE TO A CLASS A MULTIPLE DWELLING UNLESS THE
 PERSON IS A TENANT OR LAWFUL OCCUPANT OR  A  PERSON  AUTHORIZED  BY  THE
 TENANT  OR  LAWFUL OCCUPANT, AND INFORMS THE INDIVIDUAL BEFORE CAPTURING
 THE BIOMETRIC IDENTIFIER INFORMATION; AND RECEIVES THEIR EXPRESS CONSENT
 TO CAPTURE THE BIOMETRIC IDENTIFIER INFORMATION.
   (II) ANY ENTITY THAT POSSESSES BIOMETRIC IDENTIFIER INFORMATION OF  AN
 INDIVIDUAL  THAT  IS  CAPTURED  TO  GAIN  ENTRANCE TO A CLASS A MULTIPLE
 DWELLING:
   (1) SHALL NOT SELL, LEASE OR OTHERWISE DISCLOSE THE BIOMETRIC  IDENTI-
 FIER  INFORMATION  TO  ANOTHER  PERSON UNLESS PURSUANT TO ANY LAW, GRAND
 JURY SUBPOENA OR COURT ORDERED WARRANT, SUBPOENA,  OR  OTHER  AUTHORIZED
 COURT ORDERED PROCESS.
   (2)  SHALL  STORE,  TRANSMIT AND PROTECT FROM DISCLOSURE THE BIOMETRIC
 IDENTIFIER INFORMATION USING REASONABLE CARE AND IN A MANNER THAT IS THE
 SAME AS OR MORE PROTECTIVE THAN THE MANNER IN WHICH THE  PERSON  STORES,
 TRANSMITS  AND  PROTECTS  CONFIDENTIAL INFORMATION THE PERSON POSSESSES;
 AND
   (3) SHALL  DESTROY  THE  BIOMETRIC  IDENTIFIER  INFORMATION  WITHIN  A
 REASONABLE  TIME,  BUT  NOT  LATER THAN FORTY-EIGHT HOURS AFTER THE DATE
 COLLECTED, EXCEPT FOR REFERENCE DATA.  IF ANY PROHIBITED INFORMATION  IS
 COLLECTED, SUCH AS THE LIKENESS OF A MINOR OR A NON-TENANT, THE INFORMA-
 TION SHALL BE DESTROYED IMMEDIATELY.
   C.  THE  OWNER  OF THE MULTIPLE DWELLING, OR THE MANAGING AGENT, SHALL
 DEVELOP AND PROVIDE TO TENANTS AND LAWFUL OCCUPANTS  WRITTEN  PROCEDURES
 WHICH  DESCRIBE THE PROCESS USED TO ADD PERSONS AUTHORIZED BY THE TENANT
 OR LAWFUL OCCUPANT TO THE SMART ACCESS SYSTEM ON A TEMPORARY  OR  PERMA-
 NENT  BASIS, SUCH AS VISITORS, CHILDREN, THEIR EMPLOYEES, AND CAREGIVERS
 TO SUCH BUILDING.
   (I) THE PROCEDURES SHALL CLEARLY ESTABLISH THE OWNER'S RETENTION SCHE-
 DULE AND GUIDELINES FOR PERMANENTLY DESTROYING OR ANONYMIZING  THE  DATA
 COLLECTED.
   (II)  THE PROCEDURES SHALL NOT LIMIT TIME OR PLACE OF ENTRANCE BY SUCH
 PEOPLE AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT EXCEPT  AS  REQUESTED
 BY THE TENANT OR LAWFUL OCCUPANT.
   5.  PROHIBITIONS.  A.  NO FORM OF LOCATION TRACKING, INCLUDING BUT NOT
 LIMITED TO SATELLITE LOCATION BASED SERVICES, SHALL BE INCLUDED  IN  ANY
 EQUIPMENT,  KEY, OR SOFTWARE PROVIDED TO USERS AS PART OF A SMART ACCESS
 SYSTEM.
   B. IT SHALL BE PROHIBITED TO COLLECT THROUGH A SMART ACCESS SYSTEM THE
 LIKENESS OF A MINOR OCCUPANT, INFORMATION ON THE RELATIONSHIP STATUS  OF
 TENANTS  OR  LAWFUL OCCUPANTS AND THEIR GUESTS, OR TO USE A SMART ACCESS
 SYSTEM TO COLLECT OR TRACK INFORMATION ABOUT THE FREQUENCY AND  TIME  OF
 USE  OF  SUCH  SYSTEM BY A TENANT OR LAWFUL OCCUPANT AND THEIR GUESTS TO
 S. 2078--B                          5
 
 HARASS OR EVICT A TENANT OR LAWFUL OCCUPANT OR FOR ANY OTHER PURPOSE NOT
 EXPRESSLY RELATED TO THE OPERATION OF THE SMART ACCESS SYSTEM.
   C.  INFORMATION  THAT IS ACQUIRED VIA THE USE OF A SMART ACCESS SYSTEM
 SHALL NOT BE USED FOR ANY PURPOSES OTHER THAN  GRANTING  ACCESS  TO  AND
 MONITORING  BUILDING  ENTRANCES  AND  SHALL  NOT BE USED AS THE BASIS OR
 SUPPORT FOR AN ACTION TO EVICT A LESSEE, TENANT, OR LAWFUL OCCUPANT,  OR
 AN ADMINISTRATIVE HEARING SEEKING A CHANGE IN REGULATORY COVERAGE FOR AN
 INDIVIDUAL  OR UNIT.  HOWEVER, A TENANT OR LAWFUL OCCUPANT MAY AUTHORIZE
 THEIR INFORMATION TO BE USED BY A THIRD PARTY, BUT SUCH A REQUEST  SHALL
 CLEARLY STATE WHO WILL HAVE ACCESS TO SUCH INFORMATION, FOR WHAT PURPOSE
 IT  WILL  BE  USED,  AND  THE  PRIVACY POLICIES WHICH WILL PROTECT THEIR
 INFORMATION. UNDER NO CIRCUMSTANCES  SHALL  A  LEASE  OR  A  RENEWAL  BE
 CONTINGENT  UPON  AUTHORIZING  SUCH  USE.  SMART  ACCESS SYSTEMS MAY USE
 THIRD-PARTY SERVICES TO THE EXTENT  REQUIRED  TO  MAINTAIN  AND  OPERATE
 SYSTEM  INFRASTRUCTURE,  INCLUDING  CLOUD-BASED HOSTING AND STORAGE. THE
 PROVIDER OR PROVIDERS OF THIRD-PARTY INFRASTRUCTURE SERVICES SHALL  MEET
 OR EXCEED THE PRIVACY PROTECTIONS SET FORTH IN THIS SECTION AND SHALL BE
 SUBJECT  TO  THE SAME LIABILITY FOR BREACH OF ANY OF THE REQUIREMENTS OF
 THIS SECTION.
   D. INFORMATION AND DATA COLLECTED SHALL NOT BE MADE AVAILABLE  TO  ANY
 THIRD  PARTY,  UNLESS  AUTHORIZED  AS  DESCRIBED  IN PARAGRAPH C OF THIS
 SUBDIVISION, INCLUDING BUT NOT LIMITED TO LAW ENFORCEMENT, EXCEPT UPON A
 GRAND JURY SUBPOENA OR A  COURT  ORDERED  WARRANT,  SUBPOENA,  OR  OTHER
 AUTHORIZED COURT ORDERED PROCESS.
   6.  STORAGE OF INFORMATION. ANY INFORMATION OR DATA COLLECTED SHALL BE
 STORED IN A SECURE MANNER TO PREVENT UNAUTHORIZED ACCESS BY BOTH EMPLOY-
 EES AND CONTRACTORS AND THOSE  UNAFFILIATED  WITH  THE  OWNER  OR  THEIR
 AGENTS, EXCEPT AS OTHERWISE PROVIDED IN THIS SECTION. FUTURE OR CONTINU-
 ING  TENANCY  SHALL  NOT  BE CONDITIONED UPON CONSENTING TO THE USE OF A
 SMART ACCESS SYSTEM.
   7. SOFTWARE ISSUES. WHENEVER A COMPANY THAT PRODUCES, MAKES  AVAILABLE
 OR INSTALLS SMART ACCESS SYSTEMS DISCOVERS A SECURITY BREACH OR CRITICAL
 SECURITY  VULNERABILITY  IN  THEIR  SOFTWARE,  SUCH COMPANY SHALL NOTIFY
 CUSTOMERS OF SUCH VULNERABILITY WITHIN A REASONABLE  TIME  OF  DISCOVERY
 BUT NO LATER THAN TWENTY-FOUR HOURS AFTER DISCOVERY AND SHALL MAKE SOFT-
 WARE  UPDATES AVAILABLE AND TAKE ANY OTHER ACTION AS MAY BE NECESSARY TO
 REPAIR THE VULNERABILITY WITHIN A REASONABLE TIME, BUT NOT  LONGER  THAN
 THIRTY  DAYS  AFTER  DISCOVERY.   SMART ACCESS SYSTEMS AND VENDORS SHALL
 IMPLEMENT AND MAINTAIN  REASONABLE  SECURITY  PROCEDURES  AND  PRACTICES
 APPROPRIATE  TO  THE  NATURE  OF THE INFORMATION COLLECTED. IN THE EVENT
 THAT A SECURITY BREACH OR CRITICAL SECURITY VULNERABILITY THAT  PERTAINS
 TO  THE  EMBEDDED  SOFTWARE  OR  FIRMWARE ON THE SMART ACCESS SYSTEMS IS
 DISCOVERED, SMART ACCESS SYSTEMS AND THEIR VENDORS SHALL:
   A. BE ABLE TO CREATE UPDATES TO THE FIRMWARE TO  CORRECT  THE  VULNER-
 ABILITIES;
   B.  CONTRACTUALLY  COMMIT TO CUSTOMERS THAT THE SMART ACCESS SYSTEM OR
 VENDOR WILL CREATE UPDATES TO THE EMBEDDED SOFTWARE OR FIRMWARE TO REME-
 DY THE VULNERABILITIES; AND
   C. MAKE SUCH SECURITY-RELATED SOFTWARE OR FIRMWARE  UPDATES  AVAILABLE
 FOR  FREE  TO  CUSTOMERS  FOR  THE  DURATION OF THE CONTRACT BETWEEN THE
 BUILDING AND SMART ACCESS SYSTEMS.
   8. WAIVER OF RIGHTS; VOID. ANY AGREEMENT BY A LESSEE OR  TENANT  OF  A
 DWELLING  WAIVING OR MODIFYING THEIR RIGHTS AS SET FORTH IN THIS SECTION
 SHALL BE VOID AS CONTRARY TO PUBLIC POLICY.
   9. PENALTIES. A. A PERSON WHO VIOLATES THIS SECTION SHALL  BE  SUBJECT
 TO  A  CIVIL  PENALTY  OF  NOT  MORE THAN FIVE THOUSAND DOLLARS FOR EACH
 S. 2078--B                          6
 
 VIOLATION. THE ATTORNEY GENERAL MAY BRING AN ACTION TO RECOVER THE CIVIL
 PENALTY.
   B.  WHERE AN OWNER OR THEIR AGENT USES A SMART ACCESS SYSTEM TO HARASS
 OR OTHERWISE DEPRIVE A TENANT OR LAWFUL OCCUPANT OF ANY RIGHTS AVAILABLE
 UNDER LAW, SUCH OWNER OR AGENT SHALL BE SUBJECT TO A  CIVIL  PENALTY  OF
 NOT MORE THAN TEN THOUSAND DOLLARS FOR EACH VIOLATION.
   C.  FOR  PURPOSES  OF  THIS SUBDIVISION, EACH DAY THE VIOLATION OCCURS
 SHALL BE CONSIDERED A SEPARATE VIOLATION.
   10. RENT REGULATED DWELLINGS. INSTALLATION OF A  SMART  ACCESS  SYSTEM
 PURSUANT  TO  THIS SECTION IN A DWELLING SUBJECT TO THE EMERGENCY TENANT
 PROTECTION ACT OF NINETEEN HUNDRED SEVENTY-FOUR, THE  EMERGENCY  HOUSING
 RENT  CONTROL  LAW, THE LOCAL EMERGENCY HOUSING RENT CONTROL ACT, OR THE
 RENT STABILIZATION LAW OF NINETEEN HUNDRED SIXTY-NINE SHALL CONSTITUTE A
 MODIFICATION OF SERVICES REQUIRING THE OWNER OF SUCH DWELLING  OR  THEIR
 AGENT  TO  APPLY  TO  THE  DIVISION OF HOUSING AND COMMUNITY RENEWAL FOR
 APPROVAL BEFORE PERFORMING SUCH INSTALLATION.  SUCH  INSTALLATION  SHALL
 NOT QUALIFY AS A BASIS FOR RENT REDUCTION.
   11.  EXEMPTIONS.  A.  NOTHING HEREIN SHALL APPLY TO MULTIPLE DWELLINGS
 OWNED OR MANAGED BY AN ENTITY SUBJECT TO 42 U.S.C. § 1437  ET  SEQ.,  OR
 ANY  OF ITS SUBSIDIARIES, OR MULTIPLE DWELLINGS THAT ARE PRIMARILY OCCU-
 PIED BY TRANSIENT OCCUPANTS FOR A PERIOD OF LESS THAN THIRTY DAYS.
   B. NOTHING IN THIS SECTION SHALL LIMIT THE AUTHORITY OF  THE  DIVISION
 OF  HOUSING  AND  COMMUNITY  RENEWAL  TO  IMPOSE ADDITIONAL REQUIREMENTS
 REGARDING SMART ACCESS SYSTEMS INSTALLED IN MULTIPLE DWELLINGS FOR WHICH
 THE DIVISION IS REQUIRED TO APPROVE SUBSTITUTIONS  OR  MODIFICATIONS  OF
 SERVICES.
   §  2.  The  multiple  residence law is amended by adding a new section
 130-a to read as follows:
   § 130-A. ELECTRONIC OR COMPUTERIZED ENTRY SYSTEMS. 1. DEFINITIONS. FOR
 THE PURPOSES OF THIS SECTION, THE FOLLOWING TERMS SHALL HAVE THE FOLLOW-
 ING MEANINGS:
   (A) "ACCOUNT INFORMATION" MEANS INFORMATION THAT IS USED  TO  GRANT  A
 USER  ENTRY  OR  ACCESS TO ANY ONLINE TOOLS THAT ARE USED TO MANAGE USER
 ACCOUNTS RELATED TO A SMART ACCESS SYSTEM.
   (B) "AUTHENTICATION DATA" MEANS DATA GENERATED  OR  COLLECTED  AT  THE
 POINT  OF  AUTHENTICATION  IN CONNECTION WITH GRANTING A USER ENTRY TO A
 MULTIPLE DWELLING, DWELLING UNIT OF SUCH BUILDING,  OR  COMMON  AREA  OF
 SUCH  BUILDING  THROUGH  A SMART ACCESS SYSTEM, EXCEPT THAT IT SHALL NOT
 INCLUDE DATA GENERATED THROUGH OR COLLECTED BY A VIDEO OR CAMERA  SYSTEM
 THAT IS USED TO MONITOR ENTRANCES BUT NOT TO GRANT ENTRY.
   (C)  "BIOMETRIC IDENTIFIER INFORMATION" MEANS A PHYSIOLOGICAL, BIOLOG-
 ICAL OR BEHAVIORAL CHARACTERISTIC THAT IS USED TO IDENTIFY, OR ASSIST IN
 IDENTIFYING, AN INDIVIDUAL, INCLUDING, BUT NOT LIMITED TO: (I) A  RETINA
 OR  IRIS  SCAN,  (II)  A FINGERPRINT, (III) A VOICEPRINT, (IV) A SCAN OR
 RECORD OF A PALM, HAND, OR FACE GEOMETRY, (V) GAIT OR MOVEMENT PATTERNS,
 OR (VI) ANY OTHER SIMILAR IDENTIFYING CHARACTERISTIC THAT  CAN  BE  USED
 ALONE  OR  IN COMBINATION WITH EACH OTHER, OR WITH OTHER INFORMATION, TO
 ESTABLISH INDIVIDUAL IDENTITY.
   (D) "CRITICAL SECURITY VULNERABILITY" MEANS A  SECURITY  VULNERABILITY
 THAT HAS A SIGNIFICANT RISK OF RESULTING IN AN UNAUTHORIZED ACCESS TO AN
 AREA SECURED BY A SMART ACCESS SYSTEM.
   (E)  "REFERENCE  DATA"  MEANS INFORMATION AGAINST WHICH AUTHENTICATION
 DATA IS VERIFIED AT A POINT OF AUTHENTICATION BY A SMART  ACCESS  SYSTEM
 IN  ORDER TO GRANT A USER ENTRY TO A MULTIPLE DWELLING, DWELLING UNIT OF
 SUCH BUILDING, OR COMMON AREA OF SUCH BUILDING.
 S. 2078--B                          7
 
   (F) "SECURITY BREACH" MEANS ANY INCIDENT THAT RESULTS IN  UNAUTHORIZED
 ACCESS OF DATA, APPLICATIONS, SERVICES, NETWORKS OR DEVICES BY BYPASSING
 UNDERLYING SECURITY MECHANISMS. A "SECURITY BREACH" OCCURS WHEN AN INDI-
 VIDUAL  OR  AN APPLICATION ILLEGITIMATELY ENTERS A PRIVATE, CONFIDENTIAL
 OR UNAUTHORIZED LOGICAL INFORMATION TECHNOLOGY PERIMETER.
   (G)  "SMART  ACCESS  SYSTEM"  MEANS ANY SYSTEM THAT USES ELECTRONIC OR
 COMPUTERIZED TECHNOLOGY, A RADIO FREQUENCY IDENTIFICATION CARD, A MOBILE
 PHONE  APPLICATION,  BIOMETRIC  IDENTIFIER  INFORMATION,  OR  ANY  OTHER
 DIGITAL  TECHNOLOGY  IN  ORDER  TO  GRANT ACCESS TO A MULTIPLE DWELLING,
 COMMON AREAS IN SUCH MULTIPLE DWELLING, OR  TO  AN  INDIVIDUAL  DWELLING
 UNIT IN SUCH MULTIPLE DWELLING.
   (H) "THIRD PARTY" MEANS AN ENTITY THAT INSTALLS, OPERATES OR OTHERWISE
 DIRECTLY  SUPPORTS A SMART ACCESS SYSTEM, AND HAS ONGOING ACCESS TO USER
 DATA, EXCLUDING ANY ENTITY THAT SOLELY HOSTS SUCH DATA.
   (I) "USER" MEANS A TENANT OR LAWFUL OCCUPANT OF A  MULTIPLE  DWELLING,
 AND  ANY PERSON A TENANT OR LAWFUL OCCUPANT HAS REQUESTED, IN WRITING OR
 THROUGH A MOBILE APPLICATION, BE GRANTED ACCESS TO SUCH TENANT OR LAWFUL
 OCCUPANT'S DWELLING UNIT AND SUCH BUILDING'S SMART ACCESS SYSTEM.
   2. ENTRY. (A) WHERE AN OWNER INSTALLS OR  PLANS  TO  INSTALL  A  SMART
 ACCESS  SYSTEM ON ANY ENTRANCE FROM THE STREET, PASSAGEWAY, COURT, YARD,
 CELLAR, OR OTHER COMMON AREA OF A MULTIPLE DWELLING, SUCH  SYSTEM  SHALL
 NOT  RELY  SOLELY  ON A WEB-BASED APPLICATION TO FACILITATE ENTRANCE BUT
 SHALL ALSO INCLUDE A KEY FOB, KEY CARD,  DIGITAL  KEY  OR  PASSCODE  FOR
 TENANT USE.
   (B) OWNERS MAY PROVIDE VARIOUS METHODS OF ENTRY INTO INDIVIDUAL APART-
 MENTS  INCLUDING A MECHANICAL KEY OR A SMART ACCESS SYSTEM OF A KEY FOB,
 KEY CARD OR DIGITAL KEY, PROVIDED, HOWEVER THAT SUCH SMART ACCESS SYSTEM
 SHALL NOT RELY SOLELY ON A WEB-BASED APPLICATION.
   (C) NOTWITHSTANDING PARAGRAPH (A) OR (B) OF THIS  SUBDIVISION,  OWNERS
 SHALL  PROVIDE  A  NON-ELECTRONIC  MEANS OF ENTRY WHERE REQUESTED BY THE
 TENANT OR LAWFUL OCCUPANT DUE TO A RELIGIOUS PREFERENCE.
   (D) ALL LAWFUL TENANTS AND LAWFUL OCCUPANTS SHALL BE PROVIDED  WITH  A
 KEY,  KEY  FOB,  DIGITAL  KEY OR KEY CARD AT NO COST TO SUCH TENANTS AND
 LAWFUL OCCUPANTS. THE TERM "LAWFUL  OCCUPANTS"  SHALL  INCLUDE  CHILDREN
 UNDER  THE  AGE  OF EIGHTEEN WHO SHALL BE ISSUED A KEY, KEY FOB, DIGITAL
 KEYS OR KEY CARD IF A PARENT OR GUARDIAN REQUESTS SUCH CHILD BE PROVIDED
 WITH ONE. TENANTS AND LAWFUL OCCUPANTS MAY ALSO RECEIVE UP TO FOUR ADDI-
 TIONAL KEYS, KEY FOBS, DIGITAL KEYS OR KEY  CARDS  AT  NO  COST  TO  THE
 TENANT  OR  LAWFUL  OCCUPANT  FOR EMPLOYEES OR GUESTS. THE TERM "GUESTS"
 SHALL INCLUDE FAMILY MEMBERS AND FRIENDS WHO CAN REASONABLY BE  EXPECTED
 TO  VISIT  ON A REGULAR BASIS OR VISIT AS NEEDED TO CARE FOR THE TENANT,
 LAWFUL OCCUPANT, OR THE DWELLING UNIT IF THE TENANT OR  LAWFUL  OCCUPANT
 IS  AWAY.  EMPLOYEES,  INCLUDING CONTRACTORS, PROFESSIONAL CAREGIVERS OR
 OTHER SERVICES PROVIDERS, MAY HAVE AN EXPIRATION DATE  PLACED  ON  THEIR
 KEY,  KEY  CARD,  DIGITAL KEY OR KEY FOB, WHICH MAY BE EXTENDED UPON THE
 TENANT OR LAWFUL OCCUPANT'S REQUEST. TENANTS  OR  LAWFUL  OCCUPANTS  MAY
 REQUEST  A  NEW  OR REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR KEY CARD AT
 ANY TIME THROUGHOUT THE COURSE OF THE TENANCY. THE OWNER OR THEIR  AGENT
 SHALL  PROVIDE  THE  FIRST  REPLACEMENT KEY, KEY FOB, DIGITAL KEY OR KEY
 CARD TO THE TENANT OR LAWFUL OCCUPANT FREE OF CHARGE. THE COST OF SECOND
 AND SUBSEQUENT REPLACEMENT CARDS SHALL NOT BE MORE THAN WHAT  THE  OWNER
 PAID FOR THE REPLACEMENT UP TO AND NOT EXCEEDING TWENTY-FIVE DOLLARS.
   (E)  THE  OWNER  SHALL NOT SET LIMITS ON THE NUMBER OF KEYS, KEY FOBS,
 DIGITAL KEYS OR KEY CARDS A TENANT OR LAWFUL OCCUPANT MAY REQUEST.
   (F) ANY DOOR THAT HAS A SMART ACCESS SYSTEM SHALL HAVE BACKUP POWER OR
 AN ALTERNATIVE MEANS OF ENTRY TO ENSURE THAT THE ENTRY SYSTEM  CONTINUES
 S. 2078--B                          8

 TO  OPERATE  DURING  A  POWER  OUTAGE.  AN  OWNER, OR THEIR AGENT, SHALL
 ROUTINELY INSPECT THE BACKUP POWER AND SHALL REPLACE ACCORDING TO SYSTEM
 SPECIFICATIONS. OWNERS OR THEIR AGENTS SHALL PROVIDE TENANTS AND  LAWFUL
 OCCUPANTS  WITH  INFORMATION ABOUT WHOM TO CONTACT IN THE EVENT THAT THE
 TENANT, LAWFUL OCCUPANT OR THE TENANT'S OR LAWFUL  OCCUPANT'S  CHILDREN,
 GUESTS OR EMPLOYEES BECOME LOCKED OUT.
   3.  NOTICE. OWNERS OR THEIR AGENTS SHALL PROVIDE NOTICE TO A TENANT OR
 LAWFUL OCCUPANT AT THE TIME THE TENANT  OR  LAWFUL  OCCUPANT  SIGNS  THE
 LEASE,  OR  WHEN THE SMART ACCESS SYSTEM IS INSTALLED, OF THE PROVISIONS
 OF SUBDIVISION TWO OF THIS SECTION.
   4. DATA COLLECTION. (A) IF A SMART ACCESS SYSTEM IS UTILIZED  TO  GAIN
 ENTRANCE TO A MULTIPLE DWELLING, THE ONLY REFERENCE, AUTHENTICATION, AND
 ACCOUNT INFORMATION GATHERED BY ANY SMART ACCESS SYSTEM SHALL BE LIMITED
 TO  ACCOUNT INFORMATION NECESSARY TO ENABLE THE USE OF SUCH SMART ACCESS
 SYSTEM, OR REFERENCE DATA, INCLUDING  THE  USER'S  NAME,  DWELLING  UNIT
 NUMBER AND OTHER DOORS OR COMMON AREAS TO WHICH THE USER HAS ACCESS, THE
 PREFERRED  METHOD  OF CONTACT FOR SUCH USER, INFORMATION USED TO GRANT A
 USER ENTRY OR TO ACCESS ANY ONLINE TOOLS USED TO  MANAGE  USER  ACCOUNTS
 RELATED  TO  SUCH  BUILDING, LEASE INFORMATION INCLUDING MOVE-IN AND, IF
 AVAILABLE MOVE-OUT DATES, AND AUTHENTICATION DATA SUCH AS TIME AND METH-
 OD OF ACCESS FOR SECURITY PURPOSES AND A PHOTOGRAPH OF ACCESS EVENTS FOR
 SECURITY PURPOSES. FOR SMART ACCESS SYSTEMS THAT RELY ON THE  COLLECTION
 OF BIOMETRIC DATA AND WHICH HAVE ALREADY BEEN INSTALLED AT THE TIME THIS
 SECTION SHALL HAVE BECOME A LAW, BIOMETRIC IDENTIFIER INFORMATION MAY BE
 COLLECTED  PURSUANT  TO  THIS  SECTION IN ORDER TO REGISTER A USER FOR A
 SMART ACCESS SYSTEM. NO NEW  SMART  ACCESS  SYSTEMS  THAT  RELY  ON  THE
 COLLECTION  OF  BIOMETRIC  DATA SHALL BE INSTALLED IN MULTIPLE DWELLINGS
 FOR THREE YEARS AFTER THE EFFECTIVE DATE OF THIS SECTION.
   (I) THE OWNER OF THE MULTIPLE DWELLING SHALL COLLECT ONLY THE  MINIMUM
 DATA  REQUIRED  BY  THE  TECHNOLOGY  USED  IN THE SMART ACCESS SYSTEM TO
 EFFECTUATE SUCH ENTRANCE AND PROTECT THE PRIVACY AND  SECURITY  OF  SUCH
 USERS.
   (II)  THE  OWNER OR AGENT OF THE OWNER SHALL NOT REQUEST OR RETAIN, IN
 ANY FORM, THE SOCIAL SECURITY NUMBER OF ANY TENANT OR LAWFUL OCCUPANT AS
 A CONDITION OF USE OF THE SMART ACCESS SYSTEM.
   (III) THE OWNER, AGENT OF THE OWNER, OR THE VENDOR OF A  SMART  ACCESS
 SYSTEM  ON BEHALF OF THE OWNER MAY RECORD EACH TIME A KEY FOB, KEY CARD,
 DIGITAL KEY OR PASSCODE IS USED TO ENTER THE  BUILDING,  BUT  SHALL  NOT
 RECORD ANY DEPARTURES.
   (IV) A COPY OF SUCH DATA MAY BE RETAINED FOR REFERENCE AT THE POINT OF
 AUTHENTICATION BY THE SMART ACCESS SYSTEM.  SUCH REFERENCE DATA SHALL BE
 RETAINED ONLY FOR TENANTS OR LAWFUL OCCUPANTS OR THOSE AUTHORIZED BY THE
 TENANT, LAWFUL OCCUPANT, OR OWNER OF THE MULTIPLE DWELLING.
   (V)  THE  OWNER  OF  THE  MULTIPLE  DWELLING  OR ANY THIRD PARTY SHALL
 DESTROY OR ANONYMIZE AUTHENTICATION DATA COLLECTED FROM OR GENERATED  BY
 SUCH  SMART  ACCESS  SYSTEM WITHIN A REASONABLE TIME, BUT NOT LATER THAN
 NINETY DAYS AFTER THE DATE COLLECTED.
   (VI) REFERENCE DATA FOR A USER SHALL BE DESTROYED OR ANONYMIZED WITHIN
 NINETY DAYS OF (1) THE TENANT OR LAWFUL  OCCUPANT  PERMANENTLY  VACATING
 THE DWELLING, OR (2) A REQUEST BY THE TENANT OR LAWFUL OCCUPANT TO WITH-
 DRAW  AUTHORIZATION  FOR  THOSE  PREVIOUSLY  AUTHORIZED BY THE TENANT OR
 LAWFUL OCCUPANT.
   (B) (I) AN ENTITY SHALL NOT CAPTURE BIOMETRIC  IDENTIFIER  INFORMATION
 OF  AN  INDIVIDUAL  TO  GAIN  ENTRANCE TO A MULTIPLE DWELLING UNLESS THE
 PERSON IS A TENANT OR LAWFUL OCCUPANT OR  A  PERSON  AUTHORIZED  BY  THE
 TENANT  OR  LAWFUL OCCUPANT, AND INFORMS THE INDIVIDUAL BEFORE CAPTURING
 S. 2078--B                          9
 
 THE BIOMETRIC IDENTIFIER INFORMATION; AND RECEIVES THEIR EXPRESS CONSENT
 TO CAPTURE THE BIOMETRIC IDENTIFIER INFORMATION.
   (II)  ANY ENTITY THAT POSSESSES BIOMETRIC IDENTIFIER INFORMATION OF AN
 INDIVIDUAL THAT IS CAPTURED TO GAIN ENTRANCE TO A MULTIPLE DWELLING:
   (1) SHALL NOT SELL, LEASE OR OTHERWISE DISCLOSE THE BIOMETRIC  IDENTI-
 FIER  INFORMATION  TO  ANOTHER  PERSON UNLESS PURSUANT TO ANY LAW, GRAND
 JURY SUBPOENA OR COURT ORDERED WARRANT, SUBPOENA,  OR  OTHER  AUTHORIZED
 COURT ORDERED PROCESS.
   (2)  SHALL  STORE,  TRANSMIT AND PROTECT FROM DISCLOSURE THE BIOMETRIC
 IDENTIFIER INFORMATION USING REASONABLE CARE AND IN A MANNER THAT IS THE
 SAME AS OR MORE PROTECTIVE THAN THE MANNER IN WHICH THE  PERSON  STORES,
 TRANSMITS  AND  PROTECTS  CONFIDENTIAL INFORMATION THE PERSON POSSESSES;
 AND
   (3) SHALL  DESTROY  THE  BIOMETRIC  IDENTIFIER  INFORMATION  WITHIN  A
 REASONABLE  TIME,  BUT  NOT  LATER THAN FORTY-EIGHT HOURS AFTER THE DATE
 COLLECTED, EXCEPT FOR REFERENCE DATA. IF ANY PROHIBITED  INFORMATION  IS
 COLLECTED, SUCH AS THE LIKENESS OF A MINOR OR A NON-TENANT, THE INFORMA-
 TION SHALL BE DESTROYED IMMEDIATELY.
   (C)  THE  OWNER OF THE MULTIPLE DWELLING, OR THE MANAGING AGENT, SHALL
 DEVELOP AND PROVIDE TO TENANTS AND LAWFUL OCCUPANTS  WRITTEN  PROCEDURES
 WHICH  DESCRIBE THE PROCESS USED TO ADD PERSONS AUTHORIZED BY THE TENANT
 OR LAWFUL OCCUPANT TO THE SMART ACCESS SYSTEM ON A TEMPORARY  OR  PERMA-
 NENT  BASIS, SUCH AS VISITORS, CHILDREN, THEIR EMPLOYEES, AND CAREGIVERS
 TO SUCH BUILDING.
   (I) THE PROCEDURES SHALL CLEARLY ESTABLISH THE OWNER'S RETENTION SCHE-
 DULE AND GUIDELINES FOR PERMANENTLY DESTROYING OR ANONYMIZING  THE  DATA
 COLLECTED.
   (II)  THE PROCEDURES SHALL NOT LIMIT TIME OR PLACE OF ENTRANCE BY SUCH
 PEOPLE AUTHORIZED BY THE TENANT OR LAWFUL OCCUPANT EXCEPT  AS  REQUESTED
 BY THE TENANT OR LAWFUL OCCUPANT.
   5.  PROHIBITIONS.  (A) NO FORM OF LOCATION TRACKING, INCLUDING BUT NOT
 LIMITED TO SATELLITE LOCATION BASED SERVICES, SHALL BE INCLUDED  IN  ANY
 EQUIPMENT,  KEY, OR SOFTWARE PROVIDED TO USERS AS PART OF A SMART ACCESS
 SYSTEM.
   (B) IT SHALL BE PROHIBITED TO COLLECT THROUGH A  SMART  ACCESS  SYSTEM
 THE LIKENESS OF A MINOR OCCUPANT, INFORMATION ON THE RELATIONSHIP STATUS
 OF  TENANTS  OR  LAWFUL  OCCUPANTS  AND  THEIR GUESTS, OR TO USE A SMART
 ACCESS SYSTEM TO COLLECT OR TRACK INFORMATION ABOUT  THE  FREQUENCY  AND
 TIME  OF  USE  OF  SUCH  SYSTEM BY A TENANT OR LAWFUL OCCUPANT AND THEIR
 GUESTS TO HARASS OR EVICT A TENANT OR LAWFUL OCCUPANT OR FOR  ANY  OTHER
 PURPOSE  NOT  EXPRESSLY  RELATED  TO  THE  OPERATION OF THE SMART ACCESS
 SYSTEM.
   (C) INFORMATION THAT IS ACQUIRED VIA THE USE OF A SMART ACCESS  SYSTEM
 SHALL  NOT  BE  USED  FOR ANY PURPOSES OTHER THAN GRANTING ACCESS TO AND
 MONITORING BUILDING ENTRANCES AND SHALL NOT BE  USED  AS  THE  BASIS  OR
 SUPPORT  FOR AN ACTION TO EVICT A LESSEE, TENANT, OR LAWFUL OCCUPANT, OR
 AN ADMINISTRATIVE HEARING SEEKING A CHANGE IN REGULATORY COVERAGE FOR AN
 INDIVIDUAL OR UNIT. HOWEVER, A TENANT OR LAWFUL OCCUPANT  MAY  AUTHORIZE
 THEIR  INFORMATION TO BE USED BY A THIRD PARTY, BUT SUCH A REQUEST SHALL
 CLEARLY STATE WHO WILL HAVE ACCESS TO SUCH INFORMATION, FOR WHAT PURPOSE
 IT WILL BE USED, AND THE  PRIVACY  POLICIES  WHICH  WILL  PROTECT  THEIR
 INFORMATION.  UNDER  NO  CIRCUMSTANCES  SHALL  A  LEASE  OR A RENEWAL BE
 CONTINGENT UPON AUTHORIZING SUCH  USE.  SMART  ACCESS  SYSTEMS  MAY  USE
 THIRD-PARTY  SERVICES  TO  THE  EXTENT  REQUIRED TO MAINTAIN AND OPERATE
 SYSTEM INFRASTRUCTURE, INCLUDING CLOUD-BASED HOSTING  AND  STORAGE.  THE
 PROVIDER  OR PROVIDERS OF THIRD-PARTY INFRASTRUCTURE SERVICES SHALL MEET
 S. 2078--B                         10
 
 OR EXCEED THE PRIVACY PROTECTIONS SET FORTH IN THIS SECTION AND SHALL BE
 SUBJECT TO THE SAME LIABILITY FOR BREACH OF ANY OF THE  REQUIREMENTS  OF
 THIS SECTION.
   (D)  INFORMATION AND DATA COLLECTED SHALL NOT BE MADE AVAILABLE TO ANY
 THIRD PARTY, UNLESS AUTHORIZED AS DESCRIBED IN  PARAGRAPH  (C)  OF  THIS
 SUBDIVISION, INCLUDING BUT NOT LIMITED TO LAW ENFORCEMENT, EXCEPT UPON A
 GRAND  JURY  SUBPOENA  OR  A  COURT  ORDERED WARRANT, SUBPOENA, OR OTHER
 AUTHORIZED COURT ORDERED PROCESS.
   6. STORAGE OF INFORMATION. ANY INFORMATION OR DATA COLLECTED SHALL  BE
 STORED IN A SECURE MANNER TO PREVENT UNAUTHORIZED ACCESS BY BOTH EMPLOY-
 EES  AND  CONTRACTORS  AND  THOSE  UNAFFILIATED  WITH THE OWNER OR THEIR
 AGENTS, EXCEPT AS OTHERWISE PROVIDED IN THIS SECTION. FUTURE OR CONTINU-
 ING TENANCY SHALL NOT BE CONDITIONED UPON CONSENTING TO  THE  USE  OF  A
 SMART ACCESS SYSTEM.
   7.  SOFTWARE ISSUES. WHENEVER A COMPANY THAT PRODUCES, MAKES AVAILABLE
 OR INSTALLS SMART ACCESS SYSTEMS DISCOVERS A SECURITY BREACH OR CRITICAL
 SECURITY VULNERABILITY IN THEIR  SOFTWARE,  SUCH  COMPANY  SHALL  NOTIFY
 CUSTOMERS  OF  SUCH  VULNERABILITY WITHIN A REASONABLE TIME OF DISCOVERY
 BUT NO LATER THAN TWENTY-FOUR HOURS AFTER DISCOVERY AND SHALL MAKE SOFT-
 WARE UPDATES AVAILABLE AND TAKE ANY OTHER ACTION AS MAY BE NECESSARY  TO
 REPAIR  THE  VULNERABILITY WITHIN A REASONABLE TIME, BUT NOT LONGER THAN
 THIRTY DAYS AFTER DISCOVERY. SMART  ACCESS  SYSTEMS  AND  VENDORS  SHALL
 IMPLEMENT  AND  MAINTAIN  REASONABLE  SECURITY  PROCEDURES AND PRACTICES
 APPROPRIATE TO THE NATURE OF THE INFORMATION  COLLECTED.  IN  THE  EVENT
 THAT  A SECURITY BREACH OR CRITICAL SECURITY VULNERABILITY THAT PERTAINS
 TO THE EMBEDDED SOFTWARE OR FIRMWARE ON  THE  SMART  ACCESS  SYSTEMS  IS
 DISCOVERED, SMART ACCESS SYSTEMS AND THEIR VENDORS SHALL:
   (A)  BE  ABLE TO CREATE UPDATES TO THE FIRMWARE TO CORRECT THE VULNER-
 ABILITIES;
   (B) CONTRACTUALLY COMMIT TO CUSTOMERS THAT THE SMART ACCESS SYSTEM  OR
 VENDOR WILL CREATE UPDATES TO THE EMBEDDED SOFTWARE OR FIRMWARE TO REME-
 DY THE VULNERABILITIES; AND
   (C)  MAKE SUCH SECURITY-RELATED SOFTWARE OR FIRMWARE UPDATES AVAILABLE
 FOR FREE TO CUSTOMERS FOR THE  DURATION  OF  THE  CONTRACT  BETWEEN  THE
 BUILDING AND SMART ACCESS SYSTEMS.
   8.  WAIVER  OF  RIGHTS; VOID. ANY AGREEMENT BY A LESSEE OR TENANT OF A
 DWELLING WAIVING OR MODIFYING THEIR RIGHTS AS SET FORTH IN THIS  SECTION
 SHALL BE VOID AS CONTRARY TO PUBLIC POLICY.
   9.  PENALTIES. (A) A PERSON WHO VIOLATES THIS SECTION SHALL BE SUBJECT
 TO A CIVIL PENALTY OF NOT MORE  THAN  FIVE  THOUSAND  DOLLARS  FOR  EACH
 VIOLATION.    THE  ATTORNEY  GENERAL  MAY BRING AN ACTION TO RECOVER THE
 CIVIL PENALTY. AN INDIVIDUAL INJURED BY A VIOLATION OF THIS SECTION  MAY
 BRING  AN  ACTION  TO RECOVER DAMAGES. A COURT MAY ALSO AWARD ATTORNEYS'
 FEES TO A PREVAILING PLAINTIFF.
   (B) WHERE AN OWNER OR THEIR AGENT USES A SMART ACCESS SYSTEM TO HARASS
 OR OTHERWISE DEPRIVE A TENANT OR LAWFUL OCCUPANT OF ANY RIGHTS AVAILABLE
 UNDER LAW, SUCH OWNER OR AGENT SHALL BE SUBJECT TO A  CIVIL  PENALTY  OF
 NOT MORE THAN TEN THOUSAND DOLLARS FOR EACH VIOLATION.
   (C)  FOR  PURPOSES  OF THIS SUBDIVISION, EACH DAY THE VIOLATION OCCURS
 SHALL BE CONSIDERED A SEPARATE VIOLATION.
   10. RENT REGULATED DWELLINGS. INSTALLATION OF A  SMART  ACCESS  SYSTEM
 PURSUANT  TO  THIS SECTION IN A DWELLING SUBJECT TO THE EMERGENCY TENANT
 PROTECTION ACT OF NINETEEN HUNDRED SEVENTY-FOUR, THE  EMERGENCY  HOUSING
 RENT  CONTROL  LAW, THE LOCAL EMERGENCY HOUSING RENT CONTROL ACT, OR THE
 RENT STABILIZATION LAW OF NINETEEN HUNDRED SIXTY-NINE SHALL CONSTITUTE A
 MODIFICATION OF SERVICES REQUIRING THE OWNER OF SUCH DWELLING  OR  THEIR
 S. 2078--B                         11
 
 AGENT  TO  APPLY  TO  THE  DIVISION OF HOUSING AND COMMUNITY RENEWAL FOR
 APPROVAL BEFORE PERFORMING SUCH INSTALLATION.  SUCH  INSTALLATION  SHALL
 NOT QUALIFY AS A BASIS FOR RENT REDUCTION.
   11.  EXEMPTIONS.  (A) NOTHING HEREIN SHALL APPLY TO MULTIPLE DWELLINGS
 OWNED OR MANAGED BY AN ENTITY SUBJECT TO 42 U.S.C. § 1437  ET  SEQ.,  OR
 ANY  OF ITS SUBSIDIARIES, OR MULTIPLE DWELLINGS THAT ARE PRIMARILY OCCU-
 PIED BY TRANSIENT OCCUPANTS FOR A PERIOD OF LESS THAN THIRTY DAYS.
   (B) NOTHING IN THIS SECTION SHALL LIMIT THE AUTHORITY OF THE  DIVISION
 OF  HOUSING  AND  COMMUNITY  RENEWAL  TO  IMPOSE ADDITIONAL REQUIREMENTS
 REGARDING SMART ACCESS SYSTEMS INSTALLED IN MULTIPLE DWELLINGS FOR WHICH
 THE DIVISION IS REQUIRED TO APPROVE SUBSTITUTIONS  OR  MODIFICATIONS  OF
 SERVICES.
   § 3. Severability. If any provision of this act, or any application of
 any  provision of this act, is held to be invalid, that shall not affect
 the  validity or effectiveness of any other provision of this act, or of
 any other application of any provision of this act, which can  be  given
 effect  without  that  provision  or  application;  and to that end, the
 provisions and applications of this act are severable.
   § 4. This act shall take effect on the one hundred eightieth day after
 it shall have become a law.

Comments

Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.

Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.

Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Senate Bill S2078B

Share this bill

Sponsored By

Brian Kavanagh

Current Bill Status - In Assembly Committee

Bill Amendments

co-Sponsors

Liz Krueger

2023-S2078 - Details

2023-S2078 - Summary

2023-S2078 - Sponsor Memo

2023-S2078 - Bill Text download pdf

co-Sponsors

Liz Krueger

2023-S2078A - Details

2023-S2078A - Summary

2023-S2078A - Sponsor Memo

2023-S2078A - Bill Text download pdf

co-Sponsors

Liz Krueger

2023-S2078B (ACTIVE) - Details

2023-S2078B (ACTIVE) - Summary

2023-S2078B (ACTIVE) - Sponsor Memo

2023-S2078B (ACTIVE) - Bill Text download pdf

Comments