Section 399-H. Disposal of records containing personal identifying information
1. Definitions. For the purposes of this section, the following words shall have the following meanings:

a. "Dispose" means to throw out or away or to get rid of and shall not include a sale of a record or the transfer of a record for value;

b. "Record" means any information kept, held, filed, produced or reproduced by, with or for a person or business entity, in any physical form whatsoever including, but not limited to, reports, statements, examinations, memoranda, opinions, folders, files, books, manuals, pamphlets, forms, papers, designs, drawings, maps, photos, letters, microfilms, or computer tapes or discs;

c. "Personal information" shall mean any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person;

d. "Personal identifying information" shall mean personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that is included in the same record as the encrypted personal information or data element:
(i) social security number;
(ii) driver's license number or non-driver identification card number; or
(iii) mother's maiden name, financial services account number or code, savings account number or code, checking account number or code, debit card number or code, automated teller machine number or code, electronic serial number or personal identification number;

e. "Personal identification number" means any number or code which may be used alone or in conjunction with any other information to assume the identity of another person or access financial resources or credit of another person.

2. Disposal of records containing personal identifying information. No person, business, firm, partnership, association, or corporation, not including the state or its political subdivisions, shall dispose of a record containing personal identifying information unless the person, business, firm, partnership, association, or corporation, or other person under contract with the business, firm, partnership, association, or corporation does any of the following:

a. shreds the record before the disposal of the record; or

b. destroys the personal identifying information contained in the record; or

c. modifies the record to make the personal identifying information unreadable; or

d. takes actions consistent with commonly accepted industry practices that it reasonably believes will ensure that no unauthorized person will have access to the personal identifying information contained in the record.

Provided, however, that an individual person shall not be required to comply with this subdivision unless he or she is conducting business for profit.

3. Penalties; disposal and use. Whenever there shall be a violation of this section, an application may be made by the attorney general in the name of the people of the state of New York to a court or justice having jurisdiction to issue an injunction, and upon notice to the defendant of not less than five days, to enjoin and restrain the continuance of such violations; and if it shall appear to the satisfaction of the court or justice, that the defendant has, in fact, violated this section an injunction may be issued by such court or justice enjoining and restraining any further violation, without requiring proof that any person has, in fact, been injured or damaged thereby. Whenever a court shall determine that a violation of subdivision two of this section has occurred, the court may impose a civil penalty of not more than five thousand dollars. Acts arising out of the same incident or occurrence shall constitute a single violation. It shall be an affirmative defense to a violation of subdivision two of this section if the business can show that it used due diligence in its attempt to properly dispose of such records.