S T A T E O F N E W Y O R K
________________________________________________________________________
2212
2009-2010 Regular Sessions
I N A S S E M B L Y
January 15, 2009
___________
Introduced by M. of A. DINOWITZ, PHEFFER, GALEF, MILLMAN, CHRISTENSEN,
FIELDS, GREENE, BENEDETTO, CLARK, AUBRY, PAULIN, COLTON, GABRYSZAK,
JAFFEE -- Multi-Sponsored by -- M. of A. ALFANO, BARRA, BOYLAND, BRAD-
LEY, BRENNAN, BRODSKY, BURLING, CAHILL, COOK, CROUCH, CUSICK, CYMBROW-
ITZ, DelMONTE, DESTITO, DIAZ, EDDINGTON, ENGLEBRIGHT, ERRIGO, ESPAIL-
LAT, FARRELL, FINCH, GANTT, GIANARIS, GIGLIO, GLICK, GOTTFRIED,
GUNTHER, HEASTIE, HIKIND, HOOPER, HOYT, JACOBS, JOHN, KOON, LATIMER,
LAVINE, V. LOPEZ, LUPARDO, MAGEE, MAGNARELLI, MARKEY, MAYERSOHN, McDO-
NOUGH, McENENY, MILLER, MORELLE, OAKS, PEOPLES, PERALTA, PERRY, PRET-
LOW, QUINN, RAIA, REILLY, J. RIVERA, P. RIVERA, ROBINSON, SAYWARD,
SCARBOROUGH, SCHIMMINGER, SEMINERIO, THIELE, TOWNSEND, WALKER, WEISEN-
BERG, WRIGHT -- read once and referred to the Committee on Consumer
Affairs and Protection
AN ACT to amend the general business law, in relation to the dissem-
ination of confidential information by telephone corporations and
wireless phone services providers
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
BLY, DO ENACT AS FOLLOWS:
Section 1. Legislative findings and declaration. The legislature here-
by finds that unauthorized third parties are able to obtain, procure,
purchase or sell a person's telephone or wireless phone records related
to any given period of time. Access to this information can sometimes be
useful to law enforcement personnel. Such information, however, can be
dangerous if the confidential information released is that of an under-
cover officer, other authorized law enforcement personnel or government
employee. Unauthorized release of call records also can be damaging to
commerce by revealing private business relationships. The unauthorized
release of the phone records of counselors, including clergy, physi-
cians, psychotherapists, financial consultants and non-profit organiza-
tions, can undermine these relationships of trust and in some instances
jeopardize the well being of these counselors and their clients. In
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD03143-01-9
A. 2212 2
addition, most private individuals expect that their phone call logs or
their information related to their telephone account is confidential and
will not be disseminated to unauthorized persons.
The legislature further finds that, despite the strong interest that
authorized personnel and private citizens have in protecting access to
this information, such information is sometimes obtained fraudulently or
without authorization, and subsequently sold or otherwise released for
commercial or other purposes. As a result, confidential phone records
that are obtained and released without authorization or otherwise have
had adverse consequences including: (1) the exposure of undercover law
enforcement personnel; (2) an increase in identity fraud crimes; (3) an
increase in intrusive and deceptive telephone, direct mail and internet
solicitations; (4) an invasion of privacy for individuals who have had
personal information revealed without their consent; (5) revealing
confidential business communications; (6) harmful to counselors and
their clients; (7) a disruption to telecommunications service providers
and their provision of service to their legitimate customers; and (8)
the dissemination of false and spurious information which has led to
denial or refusal of housing, employment, insurance and other services
and opportunities.
The legislature, therefore, finds and declares that it is in the
public's and state's interest to protect against the release of confi-
dential information and limit the release of confidential information
from telephone corporation and wireless service providers to instances
where such a release of information is requested by or authorized by the
telecommunications service customer and where release procedures have
been established and followed; or where a subpoena, search warrant or
court-ordered request for customer records is issued. Such limitations
and requisite penalties will meaningfully and substantially advance the
state's interests in protecting personal privacy in a manner that is
narrowly tailored to avoid adverse impact on other rights and needs of
telecommunication service consumers and the providers of such services.
S 2. The general business law is amended by adding a new article 32-A
to read as follows:
ARTICLE 32-A
PROTECTION OF TELEPHONE RECORDS
SECTION 676. DEFINITIONS.
676-A. PRIVACY OF CONFIDENTIAL INFORMATION.
676-B. NOTICE.
676-C. CIVIL ENFORCEMENT.
S 676. DEFINITIONS. AS USED IN THIS ARTICLE, THE FOLLOWING TERMS SHALL
HAVE THE FOLLOWING MEANINGS:
1. "TELEPHONE CORPORATION" SHALL HAVE THE SAME MEANING AS PROVIDED IN
SECTION TWO OF THE PUBLIC SERVICE LAW.
2. "WIRELESS PHONE SERVICE" MEANS ALL COMMERCIAL MOBILE SERVICES, AS
THAT TERM IS DEFINED IN SECTION 332(D) OF TITLE 47, UNITED STATES CODE,
AS AMENDED FROM TIME TO TIME, INCLUDING, BUT NOT LIMITED TO, ALL BROAD-
BAND PERSONAL COMMUNICATIONS SERVICES, WIRELESS RADIO TELEPHONE
SERVICES, SATELLITE PROVIDERS, GEOGRAPHIC AREA SPECIALIZED AND ENHANCED
SPECIALIZED MOBILE RADIO SERVICES, AND INCUMBENT-WIDE AREAS SPECIALIZED
MOBILE RADIO LICENSEES, WHICH OFFER REAL TIME, TWO-WAY VOICE OR DATA
SERVICE THAT IS INTERCONNECTED WITH THE PUBLIC SWITCHED TELEPHONE
NETWORK OR OTHERWISE PROVIDES ACCESS TO EMERGENCY COMMUNICATIONS
SERVICES, OR ANY OTHER TELEPHONE SERVICE.
3. "COVERED ENTITY" MEANS A TELEPHONE CORPORATION OR WIRELESS PHONE
SERVICE PROVIDER, AND INCLUDES ANY PROVIDER OF IP-ENABLED VOICE SERVICE.
A. 2212 3
4. "CONFIDENTIAL TELECOMMUNICATION RECORDS INFORMATION" OR "CONFIDEN-
TIAL INFORMATION" MEANS:
(A) INFORMATION THAT RELATES TO THE QUALITY, TECHNICAL CONFIGURATION,
TYPE, DESTINATION, LOCATION, AND AMOUNT OF USE OF A TELECOMMUNICATIONS
SERVICE SUBSCRIBED TO BY ANY CUSTOMER OF A COVERED ENTITY; AND
(B) INFORMATION CONTAINED IN CUSTOMERS' BILLING STATEMENTS PERTAINING
TO TELEPHONE EXCHANGE SERVICE OR TELEPHONE TOLL SERVICE RECEIVED BY A
CUSTOMER OF A COVERED ENTITY; PROVIDED, HOWEVER, CONFIDENTIAL TELECOMMU-
NICATION RECORDS INFORMATION SHALL NOT INCLUDE INFORMATION REGARDING A
CONSUMER'S PAYMENT HISTORY PURSUANT TO ARTICLE TWENTY-FIVE OF THIS CHAP-
TER.
5. "UNAFFILIATED THIRD PARTY" MEANS ANY ENTITY OR PERSON THAT IS NOT
AN AFFILIATE OF, OR RELATED BY COMMON OWNERSHIP OR AFFILIATED BY CORPO-
RATE CONTROL WITH THE COVERED ENTITY, BUT DOES NOT INCLUDE A JOINT
EMPLOYEE OF SUCH INSTITUTION.
6. "AFFILIATE" SHALL HAVE THE SAME MEANING AS PROVIDED IN SECTION NINE
HUNDRED TWELVE OF THE BUSINESS CORPORATION LAW.
7. "PERSON" MEANS ANY NATURAL PERSON AND ANY FIRM, ORGANIZATION, PART-
NERSHIP, ASSOCIATION, CORPORATION, NOT-FOR-PROFIT ORGANIZATION, OR OTHER
ENTITY.
8. "IP-ENABLED VOICE SERVICE" MEANS:
(A) THE SERVICE ENABLES REAL-TIME, TWO-WAY VOICE COMMUNICATIONS;
(B) THE SERVICE REQUIRES A BROADBAND CONNECTION FROM THE USERS'
LOCATION;
(C) THE SERVICE REQUIRES IP-COMPATIBLE END-USER EQUIPMENT; AND
(D) THE SERVICE OFFERING PERMITS USERS GENERALLY TO RECEIVE CALLS THAT
ORIGINATE ON THE PUBLIC SWITCHED TELEPHONE NETWORK (PSTN) AND TO TERMI-
NATE CALLS TO THE PSTN.
9. "CUSTOMER" MEANS, WITH RESPECT TO A COVERED ENTITY, ANY PERSON OR
AUTHORIZED REPRESENTATIVE OF A PERSON TO WHOM THE COVERED ENTITY
PROVIDES A PRODUCT OR SERVICE.
10. "PROCURE" MEANS TO OBTAIN CONFIDENTIAL TELECOMMUNICATION RECORDS
INFORMATION BY ANY MEANS, WHETHER ELECTRONICALLY, IN WRITING OR ORAL
FORM, WITH OR WITHOUT CONSIDERATION.
S 676-A. PRIVACY OF CONFIDENTIAL INFORMATION. 1. EXCEPT AS OTHERWISE
EXPRESSLY PROVIDED IN THIS ARTICLE, A COVERED ENTITY SHALL NOT DIRECTLY
OR THROUGH AN AFFILIATE DISCLOSE CONFIDENTIAL TELECOMMUNICATION RECORDS
INFORMATION TO AN UNAFFILIATED THIRD PARTY, UNLESS:
(A) THE COVERED ENTITY SHALL HAVE FIRST AFFIRMATIVELY OBTAINED VIA
VERIFIABLE MEANS INFORMED CONSENT FOR SUCH DISCLOSURE FROM THE PERSON
WHOSE CONFIDENTIAL TELECOMMUNICATION RECORDS INFORMATION IS SOUGHT, AND
SUCH CONSENT HAS NOT BEEN WITHDRAWN; THE COVERED ENTITY SHALL HAVE FIRST
RECEIVED FROM THE PERSON REQUESTING DISCLOSURE POSITIVE AND VERIFIABLE
IDENTIFICATION THAT SUCH PERSON IS AUTHORIZED PURSUANT TO THIS ARTICLE
TO RECEIVE SUCH CONFIDENTIAL INFORMATION IN ACCORD WITH THE PROCEDURES
ESTABLISHED BY THE COVERED ENTITY;
(B) THE COVERED ENTITY IS AUTHORIZED PURSUANT TO COURT ORDER OR
SUBPOENA TO RELEASE SUCH CONFIDENTIAL INFORMATION OR IS OTHERWISE
REQUIRED TO DO SO BY LAW;
(C) DISCLOSURE OF SUCH CONFIDENTIAL INFORMATION IS NECESSARY TO THE
RENDITION OF THE SERVICE OR TO THE PROTECTION OF THE RIGHTS OR PROPERTY
OF THE COVERED ENTITY, OR TO PROTECT THE CUSTOMER OF THOSE SERVICES FROM
FRAUDULENT, ABUSIVE, OR UNLAWFUL USE OF, OR SUBSCRIPTION TO, SUCH
SERVICES;
(D) DISCLOSURE OF SUCH CONFIDENTIAL INFORMATION IS MADE TO A LAW
ENFORCEMENT OR OTHER GOVERNMENTAL AGENCY UPON THE REASONABLE BELIEF THAT
A. 2212 4
EXIGENT CIRCUMSTANCES INVOLVING THE IMMEDIATE DANGER OF DEATH OR SERIOUS
PHYSICAL INJURY TO ANY PERSON EXISTS; OR
(E) DISCLOSURE OF SUCH CONFIDENTIAL INFORMATION IS MADE TO THE
NATIONAL CENTER OF MISSING AND EXPLOITED CHILDREN IN CONNECTION WITH A
REPORT SUBMITTED THERETO PURSUANT TO SECTION 227 OF THE FEDERAL "VICTIMS
OF CHILD ABUSE ACT OF 1990."
2. NO UNAFFILIATED THIRD PARTY WHO MAY BE IN RECEIPT OF CONFIDENTIAL
TELECOMMUNICATION RECORDS INFORMATION RETAINED BY A COVERED ENTITY OR
ANY OF ITS AFFILIATES SHALL RELEASE SUCH CONFIDENTIAL INFORMATION TO
ANOTHER PERSON, EXCEPT THAT SUCH CONFIDENTIAL INFORMATION MAY BE
DISCLOSED BY A LAW ENFORCEMENT AGENCY IN THE FURTHERANCE OF THE LAW
ENFORCEMENT PURPOSE.
S 676-B. NOTICE. 1. A COVERED ENTITY SHALL ABIDE BY A WRITTEN POLICY
REGARDING THE PRIVACY OF CUSTOMER INFORMATION IN ACCORDANCE WITH THIS
ARTICLE AND APPLICABLE FEDERAL AND STATE LAW AND WILL MAKE SUCH PRIVACY
POLICY AVAILABLE TO ITS CUSTOMERS, AND TO PROSPECTIVE CUSTOMERS PRIOR TO
THEIR ENTERING INTO AN AGREEMENT OR CONTRACT WITH A COVERED ENTITY,
EITHER BY POSTING SUCH PRIVACY POLICY CONSPICUOUSLY ON ITS WEBSITE OR BY
MAKING IT AVAILABLE THROUGH OTHER VERIFIABLE MEANS. SUCH PRIVACY POLICY
SHALL BE SET FORTH IN ACCORDANCE WITH THE PROVISIONS OF SECTION 5-702 OF
THE GENERAL OBLIGATIONS LAW.
2. THE WRITTEN PRIVACY POLICY REQUIRED PURSUANT TO SUBDIVISION ONE OF
THIS SECTION SHALL CLEARLY AND CONSPICUOUSLY STATE OR DESCRIBE:
(A) THE TYPES OF CONFIDENTIAL INFORMATION THAT THE COVERED ENTITY MAY
SEEK TO DISCLOSE;
(B) THE CIRCUMSTANCES UNDER WHICH DISCLOSURE MAY BE MADE;
(C) THE TYPES OF UNAFFILIATED THIRD PARTIES TO WHICH DISCLOSURE MAY BE
MADE; AND
(D) WHETHER AND HOW CUSTOMER CONSENT WILL BE OBTAINED, WHEN APPLICA-
BLE.
S 676-C. CIVIL ENFORCEMENT. 1. WHENEVER THERE SHALL BE A VIOLATION OF
THIS ARTICLE OR ANY RULES OR REGULATIONS PROMULGATED PURSUANT TO THIS
ARTICLE, AN APPLICATION MAY BE MADE BY THE ATTORNEY GENERAL IN THE NAME
OF THE PEOPLE OF THE STATE OF NEW YORK TO A COURT OR JUSTICE HAVING
JURISDICTION TO ISSUE AN INJUNCTION, AND UPON NOTICE TO THE DEFENDANT OF
NOT FEWER THAN FIVE DAYS, TO ENJOIN AND RESTRAIN THE CONTINUANCE OF SUCH
VIOLATIONS; AND IF IT SHALL APPEAR TO THE SATISFACTION OF THE COURT OR
JUSTICE, THAT THE DEFENDANT HAS, IN FACT, VIOLATED THIS ARTICLE AN
INJUNCTION MAY BE ISSUED BY SUCH COURT OR JUSTICE ENJOINING AND
RESTRAINING ANY FURTHER VIOLATION, WITHOUT REQUIRING PROOF THAT ANY
PERSON HAS IN FACT, BEEN INJURED OR DAMAGED THEREBY. IN ANY SUCH
PROCEEDING, THE COURT MAY MAKE ALLOWANCES TO THE ATTORNEY GENERAL AS
PROVIDED IN PARAGRAPH SIX OF SUBDIVISION (A) OF SECTION EIGHTY-THREE
HUNDRED THREE OF THE CIVIL PRACTICE LAW AND RULES, AND DIRECT RESTITU-
TION. WHENEVER THE COURT SHALL DETERMINE THAT A VIOLATION OF THIS ARTI-
CLE HAS OCCURRED, THE COURT MAY IMPOSE A CIVIL PENALTY OF NOT MORE THAN
ONE THOUSAND DOLLARS PER VIOLATION. IN CONNECTION WITH ANY SUCH PROPOSED
APPLICATION, THE ATTORNEY GENERAL IS AUTHORIZED TO TAKE PROOF AND MAKE A
DETERMINATION OF THE RELEVANT FACTS AND TO ISSUE SUBPOENAS IN ACCORDANCE
WITH THE CIVIL PRACTICE LAW AND RULES. AN ACTION BROUGHT BY THE ATTORNEY
GENERAL MAY ALSO INCLUDE OTHER CAUSES OF ACTION.
2. THE REMEDIES, DUTIES, PROHIBITIONS AND PENALTIES PROVIDED IN THIS
ARTICLE ARE NOT EXCLUSIVE AND ARE IN ADDITION TO ALL OTHER CAUSES OF
ACTION, REMEDIES, AND PENALTIES PROVIDED BY LAW.
S 3. Every covered entity doing business in the state shall have in
place and enforce internal procedures designed to prevent the unauthor-
A. 2212 5
ized procurement, sale or release of confidential telecommunication
records information, including, but not limited to, procedures to ensure
the identity of a customer and procedures for authorizing consent for
the release of any such confidential information. No confidential
information shall be released except pursuant to these procedures. The
procedures required by this provision shall be available to the attorney
general upon written request.
S 4. This act shall take effect on the one hundred eightieth day after
it shall have become a law; provided however that effective immediately,
the addition, amendment and/or repeal of any rule or regulation neces-
sary for the implementation of this act on its effective date are
authorized and directed to be made and completed by the secretary of
state, in consultation with the attorney general and the public service
commission, on or before such effective date.