§ 399-h. Disposal of records containing personal identifying\ninformation.
1.Definitions. For the purposes of this section, the\nfollowing words shall have the following meanings:\n a. "Dispose" means to throw out or away or to get rid of and shall not\ninclude a sale of a record or the transfer of a record for value;\n b. "Record" means any information kept, held, filed, produced or\nreproduced by, with or for a person or business entity, in any physical\nform whatsoever including, but not limited to, reports, statements,\nexaminations, memoranda, opinions, folders, files, books, manuals,\npamphlets, forms, papers, designs, drawings, maps, photos, letters,\nmicrofilms, or computer tapes or discs;\n c. "Personal information" shall mean any information concerning a\nnatural person whi
Free access — add to your briefcase to read the full text and ask questions with AI
§ 399-h. Disposal of records containing personal identifying\ninformation. 1. Definitions. For the purposes of this section, the\nfollowing words shall have the following meanings:\n a. "Dispose" means to throw out or away or to get rid of and shall not\ninclude a sale of a record or the transfer of a record for value;\n b. "Record" means any information kept, held, filed, produced or\nreproduced by, with or for a person or business entity, in any physical\nform whatsoever including, but not limited to, reports, statements,\nexaminations, memoranda, opinions, folders, files, books, manuals,\npamphlets, forms, papers, designs, drawings, maps, photos, letters,\nmicrofilms, or computer tapes or discs;\n c. "Personal information" shall mean any information concerning a\nnatural person which, because of name, number, personal mark, or other\nidentifier, can be used to identify such natural person;\n d. "Personal identifying information" shall mean personal information\nconsisting of any information in combination with any one or more of the\nfollowing data elements, when either the personal information or the\ndata element is not encrypted, or encrypted with an encryption key that\nis included in the same record as the encrypted personal information or\ndata element:\n (i) social security number;\n (ii) driver's license number or non-driver identification card number;\nor\n (iii) mother's maiden name, financial services account number or code,\nsavings account number or code, checking account number or code, debit\ncard number or code, automated teller machine number or code, electronic\nserial number or personal identification number;\n e. "Personal identification number" means any number or code which may\nbe used alone or in conjunction with any other information to assume the\nidentity of another person or access financial resources or credit of\nanother person.\n 2. Disposal of records containing personal identifying information. No\nperson, business, firm, partnership, association, or corporation, not\nincluding the state or its political subdivisions, shall dispose of a\nrecord containing personal identifying information unless the person,\nbusiness, firm, partnership, association, or corporation, or other\nperson under contract with the business, firm, partnership, association,\nor corporation does any of the following:\n a. shreds the record before the disposal of the record; or\n b. destroys the personal identifying information contained in the\nrecord; or\n c. modifies the record to make the personal identifying information\nunreadable; or\n d. takes actions consistent with commonly accepted industry practices\nthat it reasonably believes will ensure that no unauthorized person will\nhave access to the personal identifying information contained in the\nrecord.\n Provided, however, that an individual person shall not be required to\ncomply with this subdivision unless he or she is conducting business for\nprofit.\n 3. Penalties; disposal and use. Whenever there shall be a violation of\nthis section, an application may be made by the attorney general in the\nname of the people of the state of New York to a court or justice having\njurisdiction to issue an injunction, and upon notice to the defendant of\nnot less than five days, to enjoin and restrain the continuance of such\nviolations; and if it shall appear to the satisfaction of the court or\njustice, that the defendant has, in fact, violated this section an\ninjunction may be issued by such court or justice enjoining and\nrestraining any further violation, without requiring proof that any\nperson has, in fact, been injured or damaged thereby. Whenever a court\nshall determine that a violation of subdivision two of this section has\noccurred, the court may impose a civil penalty of not more than five\nthousand dollars. Acts arising out of the same incident or occurrence\nshall constitute a single violation. It shall be an affirmative defense\nto a violation of subdivision two of this section if the business can\nshow that it used due diligence in its attempt to properly dispose of\nsuch records.\n