SECTION 399-H
Disposal of records containing personal identifying information
General Business (GBS) CHAPTER 20, ARTICLE 26
§ 399-h. Disposal of records containing personal identifying
information. 1. Definitions. For the purposes of this section, the
following words shall have the following meanings:
a. "Dispose" means to throw out or away or to get rid of and shall not
include a sale of a record or the transfer of a record for value;
b. "Record" means any information kept, held, filed, produced or
reproduced by, with or for a person or business entity, in any physical
form whatsoever including, but not limited to, reports, statements,
examinations, memoranda, opinions, folders, files, books, manuals,
pamphlets, forms, papers, designs, drawings, maps, photos, letters,
microfilms, or computer tapes or discs;
c. "Personal information" shall mean any information concerning a
natural person which, because of name, number, personal mark, or other
identifier, can be used to identify such natural person;
d. "Personal identifying information" shall mean personal information
consisting of any information in combination with any one or more of the
following data elements, when either the personal information or the
data element is not encrypted, or encrypted with an encryption key that
is included in the same record as the encrypted personal information or
data element:
(i) social security number;
(ii) driver's license number or non-driver identification card number;
or
(iii) mother's maiden name, financial services account number or code,
savings account number or code, checking account number or code, debit
card number or code, automated teller machine number or code, electronic
serial number or personal identification number;
e. "Personal identification number" means any number or code which may
be used alone or in conjunction with any other information to assume the
identity of another person or access financial resources or credit of
another person.
2. Disposal of records containing personal identifying information. No
person, business, firm, partnership, association, or corporation, not
including the state or its political subdivisions, shall dispose of a
record containing personal identifying information unless the person,
business, firm, partnership, association, or corporation, or other
person under contract with the business, firm, partnership, association,
or corporation does any of the following:
a. shreds the record before the disposal of the record; or
b. destroys the personal identifying information contained in the
record; or
c. modifies the record to make the personal identifying information
unreadable; or
d. takes actions consistent with commonly accepted industry practices
that it reasonably believes will ensure that no unauthorized person will
have access to the personal identifying information contained in the
record.
Provided, however, that an individual person shall not be required to
comply with this subdivision unless he or she is conducting business for
profit.
3. Penalties; disposal and use. Whenever there shall be a violation of
this section, an application may be made by the attorney general in the
name of the people of the state of New York to a court or justice having
jurisdiction to issue an injunction, and upon notice to the defendant of
not less than five days, to enjoin and restrain the continuance of such
violations; and if it shall appear to the satisfaction of the court or
justice, that the defendant has, in fact, violated this section an
injunction may be issued by such court or justice enjoining and
restraining any further violation, without requiring proof that any
person has, in fact, been injured or damaged thereby. Whenever a court
shall determine that a violation of subdivision two of this section has
occurred, the court may impose a civil penalty of not more than five
thousand dollars. Acts arising out of the same incident or occurrence
shall constitute a single violation. It shall be an affirmative defense
to a violation of subdivision two of this section if the business can
show that it used due diligence in its attempt to properly dispose of
such records.