2013 New York Consolidated Laws
GBS - General Business
Article 26 - (390 - 399-ZZZ) MISCELLANEOUS
399-H - Disposal of records containing personal identifying information.


NY Gen Bus L § 399-H (2012)
 
    §   399-h.   Disposal   of  records  containing  personal  identifying
  information. 1. Definitions. For  the  purposes  of  this  section,  the
  following words shall have the following meanings:
    a. "Dispose" means to throw out or away or to get rid of and shall not
  include a sale of a record or the transfer of a record for value;
    b.  "Record"  means  any  information  kept,  held, filed, produced or
  reproduced by, with or for a person or business entity, in any  physical
  form  whatsoever  including,  but  not  limited to, reports, statements,
  examinations,  memoranda,  opinions,  folders,  files,  books,  manuals,
  pamphlets,  forms,  papers,  designs,  drawings,  maps, photos, letters,
  microfilms, or computer tapes or discs;
    c. "Personal information" shall  mean  any  information  concerning  a
  natural  person  which, because of name, number, personal mark, or other
  identifier, can be used to identify such natural person;
    d. "Personal identifying information" shall mean personal  information
  consisting of any information in combination with any one or more of the
  following  data  elements,  when  either the personal information or the
  data element is not encrypted, or encrypted with an encryption key  that
  is  included in the same record as the encrypted personal information or
  data element:
    (i) social security number;
    (ii) driver's license number or non-driver identification card number;
  or
    (iii) mother's maiden name, financial services account number or code,
  savings account number or code, checking account number or  code,  debit
  card number or code, automated teller machine number or code, electronic
  serial number or personal identification number;
    e. "Personal identification number" means any number or code which may
  be used alone or in conjunction with any other information to assume the
  identity  of  another  person or access financial resources or credit of
  another person.
    2. Disposal of records containing personal identifying information. No
  person, business, firm, partnership, association,  or  corporation,  not
  including  the  state  or its political subdivisions, shall dispose of a
  record containing personal identifying information  unless  the  person,
  business,  firm,  partnership,  association,  or  corporation,  or other
  person under contract with the business, firm, partnership, association,
  or corporation does any of the following:
    a. shreds the record before the disposal of the record; or
    b. destroys the personal  identifying  information  contained  in  the
  record; or
    c.  modifies  the  record to make the personal identifying information
  unreadable; or
    d. takes actions consistent with commonly accepted industry  practices
  that it reasonably believes will ensure that no unauthorized person will
  have  access  to  the  personal identifying information contained in the
  record.
    Provided, however, that an individual person shall not be required  to
  comply with this subdivision unless he or she is conducting business for
  profit.
    3. Penalties; disposal and use. Whenever there shall be a violation of
  this  section, an application may be made by the attorney general in the
  name of the people of the state of New York to a court or justice having
  jurisdiction to issue an injunction, and upon notice to the defendant of
  not less than five days, to enjoin and restrain the continuance of  such
  violations;  and  if it shall appear to the satisfaction of the court or
  justice, that the defendant has,  in  fact,  violated  this  section  an
  injunction  may  be  issued  by  such  court  or  justice  enjoining and
  restraining any further violation,  without  requiring  proof  that  any
  person  has,  in fact, been injured or damaged thereby. Whenever a court
  shall determine that a violation of subdivision two of this section  has
  occurred,  the  court  may  impose a civil penalty of not more than five
  thousand dollars. Acts arising out of the same  incident  or  occurrence
  shall  constitute a single violation. It shall be an affirmative defense
  to a violation of subdivision two of this section if  the  business  can
  show  that  it  used due diligence in its attempt to properly dispose of
  such records.

Disclaimer: These codes may not be the most recent version. New York may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
