Enacts the "consumer protection against computer spyware act"; establishes a person or entity that is not an authorized user shall not cause computer software to be copied onto the computer of a consumer in this state and cause such software to do certain things; allows the attorney general to bring a civil action against any person violating the provisions of this act.
STATE OF NEW YORK
________________________________________________________________________
3230
2013-2014 Regular Sessions
IN SENATE
January 31, 2013
___________
Introduced by Sen. PARKER -- read twice and ordered printed, and when
printed to be committed to the Committee on Consumer Protection
AN ACT to amend the general business law, in relation to enacting the
"consumer protection against computer spyware act"
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. The general business law is amended by adding a new article
2 28-F to read as follows:
3 ARTICLE 28-F
4 CONSUMER PROTECTION AGAINST COMPUTER SPYWARE
5 Section 491. Short title.
6 492. Definitions.
7 493. Consumer protection against computer spyware.
8 494. Enforcement.
9 § 491. Short title. This article shall be known and may be cited as
10 the "consumer protection against computer spyware act".
11 § 492. Definitions. For purposes of this article, the following terms
12 have the following meanings:
13 1. "Advertisement" means a communication, the primary purpose of which
14 is the commercial promotion of a commercial product or service, includ-
15 ing content on an Internet web site operated for a commercial purpose.
16 2. "Authorized user" with respect to a computer, means a person who
17 owns or is authorized by the owner or lessee to use the computer.
18 3. "Computer software" means a sequence of instructions written in any
19 programming language that is executed on a computer.
20 4. "Computer virus" means a computer program or other set of
21 instructions that is designed to degrade the performance of or disable a
22 computer or computer network and is designed to have the ability to
23 replicate itself on other computers or computer networks without the
24 authorization of the owners of those computers or computer networks.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD06875-01-3
S. 3230 2
1 5. "Consumer" means an individual who resides in this state and who
2 uses the computer in question primarily for personal, family, or house-
3 hold purposes.
4 6. "Damage" means any significant impairment to the integrity or
5 availability of data, software, a system, or information.
6 7. "Execute" when used with respect to computer software, means the
7 performance of the functions or the carrying out of the instructions of
8 the computer software.
9 8. "Internet" means the global information system that is logically
10 linked together by a globally unique address space based on the Internet
11 Protocol (IP), or its subsequent extensions, and that is able to support
12 communications using the Transmission Control Protocol/Internet Protocol
13 (TCP/IP) suite, or its subsequent extensions, or other IP-compatible
14 protocols, and that provides, uses, or makes accessible, either publicly
15 or privately, high level services layered on the communications and
16 related infrastructure described in this subdivision.
17 9. "Person" means any individual, partnership, corporation, limited
18 liability company, or other organization, or any combination thereof.
19 10. "Personally identifiable information" means any of the following:
20 (a) First name or first initial in combination with last name;
21 (b) Credit or debit card numbers or other financial account numbers;
22 (c) A password or personal identification number required to access an
23 identified financial account;
24 (d) Social security number; or
25 (e) Any of the following information in a form that personally identi-
26 fies an authorized user:
27 (i) Account balances;
28 (ii) Overdraft history;
29 (iii) Payment history;
30 (iv) A history of web sites visited;
31 (v) Home address;
32 (vi) Work address; or
33 (vii) A record of a purchase or purchases.
34 § 493. Consumer protection against computer spyware. 1. A person or
35 entity that is not an authorized user shall not cause computer software
36 to be copied onto the computer of a consumer in this state and use the
37 software to do any of the following:
38 (a) Modify any of the following settings related to the computer's
39 access to, or use of, the Internet:
40 (i) The page that appears when an authorized user launches an Internet
41 browser or similar software program used to access and navigate the
42 Internet;
43 (ii) The default provider or web proxy the authorized user uses to
44 access or search the Internet; or
45 (iii) The authorized user's list of bookmarks used to access web
46 pages.
47 (b) Collect personally identifiable information that meets any of the
48 following criteria:
49 (i) It is collected through the use of a keystroke-logging function
50 that records keystrokes made by an authorized user who uses the computer
51 and transfers that information from the computer to another person;
52 (ii) It includes all or substantially all of the web sites visited by
53 an authorized user, other than web sites of the provider of the soft-
54 ware, if the computer software was installed in a manner designed to
55 conceal from all authorized users of the computer the fact that the
56 software is being installed; or
S. 3230 3
1 (iii) It is a data element described in paragraph (b), (c) or (d) or
2 subparagraph (i) or (ii) of paragraph (e) of subdivision ten of section
3 four hundred ninety-two of this article, that is extracted from the
4 consumer's computer hard drive for a purpose wholly unrelated to any of
5 the purposes of the software or service described to an authorized user.
6 (c) Prevent, without the authorization of an authorized user, an
7 authorized user's reasonable efforts to block the installation of, or to
8 disable, software, by causing software that the authorized user has
9 properly removed or disabled to automatically reinstall or reactivate on
10 the computer without the authorization of an authorized user.
11 (d) Represent that software will be uninstalled or disabled by an
12 authorized user's action, with knowledge that the software will not be
13 so uninstalled or disabled.
14 (e) Remove, disable, or render inoperative security, antispyware, or
15 antivirus software installed on the computer.
16 2. A person or entity that is not an authorized user shall not cause
17 computer software to be copied onto the computer of a consumer in this
18 state and use the software to do any of the following:
19 (a) Take control of the consumer's computer by doing any of the
20 following:
21 (i) Transmitting or relaying commercial electronic mail or a computer
22 virus from the consumer's computer, where the transmission or relaying
23 is initiated by a person other than the authorized user and without the
24 authorization of an authorized user; or
25 (ii) Opening multiple, sequential, stand-alone advertisements in the
26 consumer's Internet browser without the authorization of an authorized
27 user and with knowledge that a reasonable computer user cannot close the
28 advertisements without turning off the computer or closing the consum-
29 er's Internet browser.
30 (b) Modify any of the following settings related to the computer's
31 access to, or use of, the Internet:
32 (i) An authorized user's security or other settings that protect
33 information about the authorized user for the purpose of stealing
34 personal information of an authorized user; or
35 (ii) The security settings of the computer for the purpose of causing
36 damage to one or more computers.
37 (c) Prevent, without the authorization of an authorized user, an
38 authorized user's reasonable efforts to block the installation of, or to
39 disable, software, by doing any of the following:
40 (i) Presenting the authorized user with an option to decline installa-
41 tion of software with knowledge that, when the option is selected by
42 the authorized user, the installation nevertheless proceeds; or
43 (ii) Falsely representing that software has been disabled.
44 3. (a) A person or entity, who is not an authorized user shall not do
45 any of the following with regard to the computer of a consumer in this
46 state:
47 (i) Induce an authorized user to install a software component onto the
48 computer by representing that installing software is necessary for secu-
49 rity or privacy reasons or in order to open, view, or play a particular
50 type of content; or
51 (ii) Cause the copying and execution on the computer of a computer
52 software component with the intent of causing an authorized user to use
53 the component in a way that violates any other provision of this
54 section.
55 (b) Nothing in this section shall apply to any monitoring of, or
56 interaction with, a subscriber's Internet or other network connection or
S. 3230 4
1 service, or a protected computer, by a telecommunications carrier, cable
2 operator, computer hardware or software provider, or provider of infor-
3 mation service or interactive computer service for network or computer
4 security purposes, diagnostics, technical support, repair, authorized
5 updates of software or system firmware, authorized remote system manage-
6 ment, or detection or prevention of the unauthorized use of or fraudu-
7 lent or other illegal activities in connection with a network, service,
8 or computer software, including scanning for and removing software
9 prescribed under this article.
10 (c) Any provision of a contract or an agreement entered into by a
11 consumer that deceives a consumer and that purports or may be construed
12 to authorize, divert, or require anything that would constitute a
13 violation of any of the provisions of this section is hereby declared to
14 be void as against public policy and shall not be enforceable.
15 § 494. Enforcement. The attorney general may bring a civil action
16 against any person who violates this article to enforce the violation
17 and may recover any or all of the following:
18 1. a civil penalty of five hundred dollars per violation of this arti-
19 cle;
20 2. costs and a reasonable attorneys' fee; and
21 3. an order to enjoin the violation.
22 § 2. Severability. If any clause, sentence, paragraph, section or part
23 of this act shall be adjudged by any court of competent jurisdiction to
24 be invalid, such judgement shall not affect, impair or invalidate the
25 remainder thereof, but shall be confined in its operation to the clause,
26 sentence, paragraph, section or part thereof directly involved in the
27 controversy in which such judgement shall have been rendered.
28 § 3. This act shall take effect on the ninetieth day after it shall
29 have become a law.
