STATE OF NEW YORK
________________________________________________________________________
3830
2013-2014 Regular Sessions
IN ASSEMBLY
January 29, 2013
___________
Introduced by M. of A. PEOPLES-STOKES -- read once and referred to the
Committee on Consumer Affairs and Protection
AN ACT to amend the general business law, in relation to destruction of
personal information stored on copiers, facsimile machines or
multifunction devices
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND
ASSEMBLY, DO ENACT AS FOLLOWS:
Section 1. The general business law is amended by adding a new section
349-e to read as follows:
§ 349-E. DESTRUCTION OF PERSONAL INFORMATION STORED ON COPIERS,
FACSIMILE MACHINES OR MULTIFUNCTION DEVICES. 1. FOR THE PURPOSES OF THIS
SECTION:
(A) "DATA STORAGE DEVICE" MEANS ANY DEVICE THAT STORES INFORMATION OR
DATA FROM ANY ELECTRONIC OR OPTICAL MEDIUM, INCLUDING, WITHOUT
LIMITATION, A COMPUTER, CELLULAR TELEPHONE, MAGNETIC TAPE, ELECTRONIC COMPUTER
DRIVE AND OPTICAL COMPUTER DRIVE, AND THE MEDIUM ITSELF.
(B) "ENCRYPTION" MEANS THE PROTECTION OF DATA IN ELECTRONIC OR OPTICAL
FORM, IN STORAGE OR IN TRANSIT, USING: (I) AN ENCRYPTION TECHNOLOGY
WHICH HAS BEEN ADOPTED BY AN ESTABLISHED STANDARDS SETTING BODY,
INCLUDING, WITHOUT LIMITATION, THE FEDERAL INFORMATION PROCESSING STANDARDS
ISSUED BY THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, OR ITS
SUCCESSOR ORGANIZATION, AND WHICH RENDERS SUCH DATA INDECIPHERABLE IN
THE ABSENCE OF ASSOCIATED CRYPTOGRAPHIC KEYS NECESSARY TO ENABLE
DECRYPTION OF SUCH DATA; AND (II) APPROPRIATE MANAGEMENT AND SAFEGUARDS
OF CRYPTOGRAPHIC KEYS TO PROTECT THE INTEGRITY OF THE ENCRYPTION USING
GUIDELINES PROMULGATED BY AN ESTABLISHED STANDARDS SETTING BODY,
INCLUDING, WITHOUT LIMITATION, THE NATIONAL INSTITUTE OF STANDARDS AND
TECHNOLOGY OR ITS SUCCESSOR ORGANIZATION.
(C) "MULTIFUNCTION DEVICE" MEANS A MACHINE THAT INCORPORATES THE
FUNCTIONALLY OF MULTIPLE DEVICES, WHICH MAY INCLUDE A PRINTER, COPIER,
SCANNER, FACSIMILE MACHINE OR ELECTRONIC MAIL TERMINAL, TO PROVIDE FOR THE
CENTRALIZED MANAGEMENT, DISTRIBUTION OR PRODUCTION OF DOCUMENTS.
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD07886-01-3
2. A BUSINESS ENTITY OR DATA COLLECTOR THAT OWNS OR POSSESSES A
COPIER, FACSIMILE MACHINE OR MULTIFUNCTION DEVICE WHICH USES A DATA STORE
DEVICE TO STORE, REPRODUCE, TRANSMIT OR RECEIVE DATA OR IMAGES THAT MAY
CONTAIN PERSONAL INFORMATION SHALL, BEFORE THE BUSINESS ENTITY OR DATA
COLLECTOR RELINQUISHES OWNERSHIP, PHYSICAL CUSTODY OR CONTROL OF THE
COPIER, FACSIMILE MACHINE OR MULTIFUNCTION DEVICE TO ANOTHER PERSON,
ENSURE THAT ANY PERSONAL INFORMATION WHICH IS STORED ON THE DATA STORAGE
DEVICE OF THE COPIER, FACSIMILE MACHINE OR MULTIFUNCTION DEVICE IS:
(A) SECURED THROUGH THE USE OF ENCRYPTION; OR
(B) DESTROYED THROUGH THE USE OF A PHYSICAL OR TECHNOLOGICAL METHOD
THAT HAS BEEN ADOPTED BY AN ESTABLISHED STANDARDS SETTING BODY,
INCLUDING, WITHOUT LIMITATION, A METHOD PRESCRIBED BY THE MOST RECENT VERSION
OF THE FEDERAL INFORMATION PROCESSING STANDARDS ISSUED BY THE NATIONAL
INSTITUTE OF STANDARDS AND TECHNOLOGY OR ITS SUCCESSOR ORGANIZATION.
3. IF A BUSINESS ENTITY OR DATA COLLECTOR USES OR POSSESSES A COPIER,
FACSIMILE MACHINE OR MULTIFUNCTION DEVICE WHICH USES A DATA STORAGE
DEVICE TO STORE, REPRODUCE, TRANSMIT OR RECEIVE DATA OR IMAGES THAT MAY
CONTAIN PERSONAL INFORMATION PURSUANT TO A LEASE AGREEMENT OR RENTAL
CONTRACT, THE OWNER OR LESSOR OF THE COPIER, FACSIMILE MACHINE OR
MULTIFUNCTION DEVICE SHALL, AS SOON AS PRACTICABLE AFTER THE TERMINATION OR
CANCELLATION OF THE LEASE AGREEMENT OR RENTAL CONTRACT, OR UPON ASSUMING
PHYSICAL CUSTODY OR CONTROL OF THE COPIER, FACSIMILE MACHINE OR
MULTIFUNCTION DEVICE, ENSURE THAT ANY PERSONAL INFORMATION WHICH IS STORED ON
THE DATA STORAGE DEVICE OF THE COPIER, FACSIMILE MACHINE OR
MULTIFUNCTION DEVICE IS DESTROYED THROUGH THE USE OF A PHYSICAL OR TECHNOLOGICAL
METHOD THAT HAS BEEN ADOPTED BY AN ESTABLISHED STANDARDS SETTING BODY,
INCLUDING, WITHOUT LIMITATION, A METHOD PRESCRIBED BY THE MOST RECENT
VERSION OF THE FEDERAL INFORMATION PROCESSING STANDARDS ISSUED BY THE
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY OR ITS SUCCESSOR
ORGANIZATION.
4. THE PROVISIONS OF SUBDIVISIONS TWO AND THREE OF THIS SECTION DO NOT
APPLY TO A COPIER, FACSIMILE MACHINE OR MULTIFUNCTION DEVICE WHICH IS
USED OR CONFIGURED IN SUCH A WAY AS TO PREVENT THE STORAGE OF DATA OR
IMAGES THAT MAY CONTAIN PERSONAL INFORMATION.
§ 2. This act shall take effect on the ninetieth day after it shall
have become a law.