NY State Senate Bill 2025-S7269

Current Bill Status - In Senate Committee Internet And Technology Committee

Introduced
- In Committee Assembly
- In Committee Senate
- On Floor Calendar Assembly
- On Floor Calendar Senate
- Passed Assembly
- Passed Senate
Delivered to Governor
Signed By Governor

Please enter your contact information

First Name

Last Name

Email Address

A valid email address is required.

Home address is used to determine the senate district in which you reside. Your support or opposition to this bill is then shared immediately with the senator who represents you.

Optional services from the NY State Senate:

Create an account. An account allows you to officially support or oppose key legislation, sign petitions with a single click, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Include a custom message for your Senator? (Optional)

Enter a message to your senator. Many New Yorkers use this to share the reasoning behind their support or opposition to the bill. Others might share a personal anecdote about how the bill would affect them or people they care about.

Actions

View Actions

Date of Action	Assembly Actions - Lowercase Senate Actions - UPPERCASE
Apr 07, 2025	referred to internet and technology

2025-S7269 (ACTIVE) - Details

Current Committee:: Senate Internet And Technology
Law Section:: General Business Law
Laws Affected:: Add §390-f, Gen Bus L
Versions Introduced in Other Legislative Sessions:: 2017-2018: S9179
2019-2020: S3973
2021-2022: S3830
2023-2024: S1926

2025-S7269 (ACTIVE) - Summary

Requires manufacturers of connected devices to equip such devices with reasonable security features.

2025-S7269 (ACTIVE) - Sponsor Memo

                                 
BILL NUMBER: S7269

SPONSOR: GRIFFO
 
TITLE OF BILL:

An act to amend the general business law, in relation to the security of
connected devices

 
PURPOSE:

The bill would require a manufacturer of a connected device to equip it
with reasonable security features that are appropriate to ensure the
protection of the information that is contained within it to prevent its
unauthorized access, destruction. use. modification or disclosure.

 
SUMMARY OF PROVISIONS:

Section 1 amends the general business law by adding a new section 390-f,
defining the following terms: authentication; connected device; manufac-
turer; security feature; unauthorized access, destruction, use, modifi-
cation, or disclosure.

Additionally, the section details that the manufacturer of a connected
device is responsible for equipping said device with a reasonable secu-
rity feature or features.

Section 2 marks the effective date.

 
JUSTIFICATION:

The 21st century (and the Internet) has given rise to a host of devices
which provide convenience to all people who use them for any purpose,
such as obtaining information, making purchases, streaming media
content, communicating with one another, amongst a plethora of other
uses. However, the connectivity that our society now experiences has
also given rise to different forms of criminal activity and privacy
invasion that can be extremely detrimental to a significant number of
people with a minimum amount of effort. This bill aims to add a layer of
protection for the users of connected devices by compelling the manufac-
turers to equip these devices with reasonable security measures to
prevent the sensitive information they contain from being compromised by
those wishing to harm others.

 
LEGISLATIVE HISTORY:

2023-24-S.1926 - Internet and Technology Committee/A.322-Consumer
Affairs and Protection Committee.

2021-22- S. 3830-Internet Technology Committee/A. 322-Consumer Affairs
and Protection Committee.

2019-20 - S. 3973 - Internet Technology Committee.

2018 - S. 9179 - Rules Committee.

 
FISCAL IMPLICATIONS:

To be determined.

 
EFFECTIVE DATE:
This act shall take effect on the first of January next succeeding the
date on which it shall have become a law.

2025-S7269 (ACTIVE) - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                   7269
 
                        2025-2026 Regular Sessions
 
                             I N  S E N A T E
 
                               April 7, 2025
                                ___________
 
 Introduced  by  Sen.  GRIFFO -- read twice and ordered printed, and when
   printed to be committed to the Committee on Internet and Technology
 
 AN ACT to amend the general business law, in relation to the security of
   connected devices
 
   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. The general business law is amended by adding a new section
 390-f to read as follows:
   §  390-F.  SECURITY  OF CONNECTED DEVICES. 1. FOR THE PURPOSES OF THIS
 SECTION, THE FOLLOWING TERMS HAVE THE FOLLOWING MEANINGS:
   (A) "AUTHENTICATION" MEANS A METHOD OF VERIFYING THE  AUTHORITY  OF  A
 USER, PROCESS, OR DEVICE TO ACCESS RESOURCES IN AN INFORMATION SYSTEM.
   (B) "CONNECTED DEVICE" MEANS ANY DEVICE, OR OTHER PHYSICAL OBJECT THAT
 IS  CAPABLE  OF  CONNECTING TO THE INTERNET, DIRECTLY OR INDIRECTLY, AND
 THAT IS ASSIGNED AN INTERNET PROTOCOL ADDRESS OR BLUETOOTH ADDRESS.
   (C) "MANUFACTURER" MEANS THE PERSON  WHO  MANUFACTURES,  OR  CONTRACTS
 WITH  ANOTHER  PERSON  TO  MANUFACTURE ON THE PERSON'S BEHALF, CONNECTED
 DEVICES THAT ARE SOLD OR OFFERED FOR SALE IN THE STATE. FOR THE PURPOSES
 OF THIS SECTION, A CONTRACT WITH ANOTHER PERSON TO  MANUFACTURE  ON  THE
 PERSON'S BEHALF DOES NOT INCLUDE A CONTRACT ONLY TO PURCHASE A CONNECTED
 DEVICE, OR ONLY TO PURCHASE AND BRAND A CONNECTED DEVICE.
   (D) "SECURITY FEATURE" MEANS A FEATURE OF A DEVICE DESIGNED TO PROVIDE
 SECURITY FOR THAT DEVICE.
   (E)  "UNAUTHORIZED  ACCESS, DESTRUCTION, USE, MODIFICATION, OR DISCLO-
 SURE" MEANS ACCESS, DESTRUCTION, USE, MODIFICATION, OR  DISCLOSURE  THAT
 IS NOT AUTHORIZED BY THE CONSUMER.
   2.  (A)  A  MANUFACTURER OF A CONNECTED DEVICE SHALL EQUIP SUCH DEVICE
 WITH A REASONABLE SECURITY FEATURE OR  FEATURES  THAT  ARE  ALL  OF  THE
 FOLLOWING:
   (1) APPROPRIATE TO THE NATURE AND FUNCTION OF THE DEVICE.
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD11568-01-5
 S. 7269                             2

 
   (2)  APPROPRIATE TO THE INFORMATION IT MAY COLLECT, CONTAIN, OR TRANS-
 MIT; AND
   (3) DESIGNED TO PROTECT THE DEVICE AND ANY INFORMATION CONTAINED THER-
 EIN FROM UNAUTHORIZED ACCESS, DESTRUCTION, USE, MODIFICATION, OR DISCLO-
 SURE.
   (B) SUBJECT TO ALL OF THE REQUIREMENTS OF PARAGRAPH (A) OF THIS SUBDI-
 VISION,  IF  A CONNECTED DEVICE IS EQUIPPED WITH A MEANS FOR AUTHENTICA-
 TION OUTSIDE A LOCAL AREA NETWORK, IT SHALL BE DEEMED A REASONABLE SECU-
 RITY  FEATURE  UNDER  SUCH  PARAGRAPH  IF  EITHER   OF   THE   FOLLOWING
 REQUIREMENTS ARE MET:
   (1)  THE PREPROGRAMMED PASSWORD IS UNIQUE TO EACH DEVICE MANUFACTURED;
 OR
   (2) THE DEVICE CONTAINS A SECURITY FEATURE THAT  REQUIRES  A  USER  TO
 GENERATE  A  NEW MEANS OF AUTHENTICATION BEFORE ACCESS IS GRANTED TO THE
 DEVICE FOR THE FIRST TIME.
   3. (A) THIS SECTION SHALL NOT BE CONSTRUED TO IMPOSE ANY DUTY UPON THE
 MANUFACTURER OF A CONNECTED DEVICE RELATED TO  UNAFFILIATED  THIRD-PARTY
 SOFTWARE  OR  APPLICATIONS  THAT  A  USER  CHOOSES TO ADD TO A CONNECTED
 DEVICE.
   (B) THIS SECTION SHALL NOT BE CONSTRUED TO  IMPOSE  ANY  DUTY  UPON  A
 PROVIDER OF AN ELECTRONIC STORE, GATEWAY, MARKETPLACE, OR OTHER MEANS OF
 PURCHASING OR DOWNLOADING SOFTWARE OR APPLICATIONS, TO REVIEW OR ENFORCE
 COMPLIANCE WITH THIS SECTION.
   (C)  THIS  SECTION  SHALL NOT BE CONSTRUED TO IMPOSE ANY DUTY UPON THE
 MANUFACTURER OF A CONNECTED DEVICE TO PREVENT A USER  FROM  HAVING  FULL
 CONTROL  OVER  A  CONNECTED  DEVICE, INCLUDING THE ABILITY TO MODIFY THE
 SOFTWARE OR FIRMWARE RUNNING ON THE DEVICE AT THE USER'S DISCRETION.
   (D) THIS SECTION SHALL NOT APPLY TO ANY CONNECTED DEVICE THE FUNCTION-
 ALITY OF WHICH IS SUBJECT TO SECURITY REQUIREMENTS  UNDER  FEDERAL  LAW,
 REGULATIONS, OR GUIDANCE PROMULGATED BY A FEDERAL AGENCY PURSUANT TO ITS
 REGULATORY ENFORCEMENT AUTHORITY.
   (E)  THIS  SECTION  SHALL  NOT  BE  CONSTRUED TO PROVIDE A BASIS FOR A
 PRIVATE RIGHT OF ACTION.  THE ATTORNEY GENERAL SHALL HAVE THE  EXCLUSIVE
 AUTHORITY TO ENFORCE THIS SECTION.
   (F)  THE DUTIES AND OBLIGATIONS IMPOSED BY THIS SECTION ARE CUMULATIVE
 WITH ANY OTHER DUTIES OR OBLIGATIONS IMPOSED UNDER ANY  OTHER  LAW,  AND
 SHALL  NOT  BE  CONSTRUED  TO RELIEVE ANY PARTY FROM ANY DUTIES OR OBLI-
 GATIONS IMPOSED UNDER ANY OTHER LAW.
   (G) THIS SECTION SHALL NOT BE CONSTRUED TO LIMIT THE  AUTHORITY  OF  A
 LAW  ENFORCEMENT  AGENCY  TO  OBTAIN CONNECTED DEVICE INFORMATION FROM A
 MANUFACTURER AS AUTHORIZED BY LAW OR PURSUANT TO AN ORDER OF A COURT  OF
 COMPETENT JURISDICTION.
   (H)  A  COVERED  ENTITY,  PROVIDER OF HEALTH CARE, BUSINESS ASSOCIATE,
 HEALTH CARE SERVICE PLAN, CONTRACTOR,  EMPLOYER,  OR  ANY  OTHER  PERSON
 SUBJECT  TO  THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY
 ACT OF 1996 (HIPAA) SHALL NOT BE SUBJECT TO THIS SECTION WITH RESPECT TO
 ANY ACTIVITY REGULATED BY SUCH ACT.
   § 2. This act shall take effect on the first of January next  succeed-
 ing the date on which it shall have become a law.

Comments

Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.

Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.

Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Find your Senator and share your views on important issues.

Do you support this bill?

Senate Bill S7269

Sponsored By

Current Bill Status - In Senate Committee Internet And Technology Committee

Actions

2025-S7269 (ACTIVE) - Details

2025-S7269 (ACTIVE) - Summary

2025-S7269 (ACTIVE) - Sponsor Memo

2025-S7269 (ACTIVE) - Bill Text download pdf

Comments

Do you support this bill?

Get Status Alerts for 2025-S7269

Senate Bill S7269

Share this bill

Sponsored By

Joseph A. Griffo

Current Bill Status - In Senate Committee Internet And Technology Committee

Actions

2025-S7269 (ACTIVE) - Details

2025-S7269 (ACTIVE) - Summary

2025-S7269 (ACTIVE) - Sponsor Memo

2025-S7269 (ACTIVE) - Bill Text download pdf

Comments