Enacts the "computer spyware protection act"; prohibits the installation, transmission and use of computer software that collects personally identifiable information; authorizes the attorney general to bring a civil action against any person who violates any provision of this section; seeks damages ranging from one thousand dollars to one million dollars.
STATE OF NEW YORK
________________________________________________________________________
4490
2021-2022 Regular Sessions
IN ASSEMBLY
February 4, 2021
___________
Introduced by M. of A. RODRIGUEZ, ABINANTI, PEOPLES-STOKES -- read once
and referred to the Committee on Economic Development
AN ACT to amend the general business law, in relation to enacting the
"computer spyware protection act"
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. This act shall be known and be cited as the "computer
2 spyware protection act".
3 § 2. It is the intent of the legislature to protect owners and opera-
4 tors of computers in this state from the use of spyware and malware that
5 is deceptively or surreptitiously installed on the owner's or the opera-
6 tor's computer.
7 § 3. The general business law is amended by adding a new section 399-k
8 to read as follows:
9 § 399-k. Computer spyware protection. 1. For the purposes of this
10 section the following terms shall have the following meanings:
11 (a) "Cause to be copied" means to distribute or transfer computer
12 software, or any component thereof. Such term shall not include provid-
13 ing:
14 (i) transmission, routing, provision of intermediate temporary stor-
15 age, or caching of software;
16 (ii) a storage or hosting medium, such as a compact disk, web site, or
17 computer server through which the software was distributed by a third
18 party; or
19 (iii) an information location tool, such as a directory, index, refer-
20 ence, pointer, or hypertext link, through which the user of the computer
21 located the software.
22 (b) "Computer software" means a sequence of instructions written in
23 any programming language that is executed on a computer. "Computer soft-
24 ware" does not include a data component of a web page that is not
25 executable independently of the web page.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD03054-01-1
A. 4490 2
1 (c) "Computer virus" means a computer program or other set of
2 instructions that is designed to degrade the performance of or disable a
3 computer or computer network and is designed to have the ability to
4 replicate itself on other computers or computer networks without the
5 authorization of the owners of those computers or computer networks.
6 (d) "Damage" means any significant impairment to the integrity or
7 availability of data, software, a system, or information.
8 (e) "Execute", when used with respect to computer software, means the
9 performance of the functions or the carrying out of the instructions of
10 the computer software.
11 (f) "Intentionally deceptive" means any of the following:
12 (i) An intentionally and materially false or fraudulent statement.
13 (ii) A statement or description that intentionally omits or misrepre-
14 sents material information in order to deceive an owner or operator of a
15 computer.
16 (iii) An intentional and material failure to provide a notice to an
17 owner or operator regarding the installation or execution of computer
18 software for the purpose of deceiving the owner or operator.
19 (g) "Internet" means the global information system that is logically
20 linked together by a globally unique address space based on the Internet
21 protocol (IP), or its subsequent extensions, and that is able to support
22 communications using the transmission control protocol/Internet protocol
23 (TCP/IP) suite, or its subsequent extensions, or other IP-compatible
24 protocols, and that provides, uses, or makes accessible, either publicly
25 or privately, high-level services layered on the communications and
26 related infrastructure described in this paragraph.
27 (h) "Owner or operator" means the owner or lessee of a computer, or a
28 person using such computer with the owner or lessee's authorization, but
29 does not include a person who owned a computer prior to the first retail
30 sale of the computer.
31 (i) "Message" means a graphical or text communication presented to an
32 authorized user of a computer.
33 (j) "Person" means any individual, partnership, corporation, limited
34 liability company, or other organization, or any combination thereof.
35 (k) "Personally identifiable information" means any of the following
36 information if it allows the entity holding the information to identify
37 the owner or operator of a computer:
38 (i) the first name or first initial in combination with the last name;
39 (ii) a home or other physical address including street name;
40 (iii) personal identification code in conjunction with a password
41 required to access an identified account, other than a password,
42 personal identification number or other identification number transmit-
43 ted by an authorized user to the issuer of the account or its agent;
44 (iv) social security number, tax identification number, driver's
45 license number, passport number, or any other government-issued iden-
46 tification number; or
47 (v) account balance, overdraft history, or payment history that
48 personally identifies an owner or operator of a computer.
49 2. It is unlawful for a person who is not an owner or operator of a
50 computer to cause computer software to be copied on such computer know-
51 ingly or with conscious avoidance of actual knowledge or willfully, and
52 to use such software to do any of the following:
53 (a) Modify, through intentionally deceptive means, settings of a
54 computer that control any of the following:
A. 4490 3
1 (i) the web page that appears when an owner or operator launches an
2 Internet browser or similar computer software used to access and navi-
3 gate the Internet.
4 (ii) the default provider or web proxy that an owner or operator uses
5 to access or search the Internet.
6 (iii) an owner's or an operator's list of bookmarks used to access web
7 pages.
8 (b) Collect, through intentionally deceptive means, personally iden-
9 tifiable information through any of the following means:
10 (i) the use of a keystroke-logging function that records all or
11 substantially all keystrokes made by an owner or operator of a computer
12 and transfers that information from the computer to another person;
13 (ii) in a manner that correlates personally identifiable information
14 with data regarding all or substantially all of the web sites visited by
15 an owner or operator, other than web sites operated by the person
16 providing such software, if the computer software was installed in a
17 manner designed to conceal from all authorized users of the computer the
18 fact that the software is being installed; or
19 (iii) by extracting from the hard drive of an owner's or an operator's
20 computer, an owner's or an operator's social security number, tax iden-
21 tification number, driver's licence number, passport number, any other
22 government-issued identification number, account balances, or overdraft
23 history for a purpose unrelated to any of the purposes of this software
24 or service described to an authorized user.
25 (c) Prevent, through intentionally deceptive means, an owner's or an
26 operator's reasonable efforts to block the installation of or execution
27 of, or to disable computer software by causing computer software that
28 the owner or operator has properly removed or disabled to automatically
29 reinstall or reactivate on the computer without the authorization of an
30 authorized user.
31 (d) Intentionally misrepresent that computer software will be unin-
32 stalled or disabled by an owner's or an operator's action.
33 (e) Through intentionally deceptive means, remove, disable, or render
34 inoperative security, antispyware, or antivirus computer software
35 installed on an owner's or an operator's computer.
36 (f) Enable use of an owner's or an operator's computer to do any of
37 the following:
38 (i) Accessing or using a modem or Internet service for the purpose of
39 causing damage to an owner's or an operator's computer or causing an
40 owner or operator, or a third party affected by such conduct to incur
41 financial charges for a service that the owner or operator did not
42 authorize;
43 (ii) Opening multiple, sequential, stand-alone messages in an owner's
44 or an operator's computer without the authorization of an owner or oper-
45 ator and with knowledge that a reasonable computer user could not close
46 the messages without turning off the computer or closing the software
47 application in which the messages appear; provided that this paragraph
48 shall not apply to communications originated by the computer's operating
49 system, originated by a software application that the user chooses to
50 activate, originated by a service provider that the user chooses to use,
51 or presented for any of the purposes described in this subdivision; or
52 (iii) Transmitting or relaying commercial electronic mail or a comput-
53 er virus from the computer, where the transmission or relaying is initi-
54 ated by a person other than the authorized user and without the authori-
55 zation of an authorized user.
A. 4490 4
1 (g) Modify any of the following settings related to the computer's
2 access to, or use of, the Internet:
3 (i) Settings that protect information about an owner or operator for
4 the purpose of taking personally identifiable information of the owner
5 or operator;
6 (ii) Security settings for the purpose of causing damage to a comput-
7 er; or
8 (iii) Settings that protect the computer from the uses identified in
9 paragraph (f) of this subdivision.
10 (h) Prevent, without the authorization of an owner or operator, an
11 owner's or an operator's reasonable efforts to block the installation
12 of, or to disable, computer software by doing any of the following:
13 (i) Presenting the owner or operator with an option to decline instal-
14 lation of computer software with knowledge that, when the option is
15 selected by the authorized user, the installation nevertheless proceeds;
16 (ii) Falsely representing that computer software has been disabled;
17 (iii) Requiring in an intentionally deceptive manner the user to
18 access the Internet to remove the software with knowledge or reckless
19 disregard of the fact that the software frequently operates in a manner
20 that prevents the user from accessing the Internet;
21 (iv) Changing the name, location or other designation information of
22 the software for the purpose of preventing an authorized user from
23 locating the software to remove it;
24 (v) Using randomized or intentionally deceptive filenames, directory
25 folders, formats, or registry entries for the purpose of avoiding
26 detection and removal of the software by an authorized user;
27 (vi) Causing the installation of software in a particular computer
28 directory or computer memory for the purpose of evading authorized
29 users' attempts to remove the software from the computer; or
30 (vii) Requiring, without the authority of the owner of the computer,
31 that an authorized user obtain a special code or download software from
32 a third party to uninstall the software.
33 3. It is unlawful for a person who is not an owner or operator of a
34 computer to do any of the following with regard to the computer:
35 (a) Induce an owner or operator to install a computer software compo-
36 nent onto the owner's or the operator's computer by intentionally
37 misrepresenting that installing computer software is necessary for secu-
38 rity or privacy reasons or in order to open, view, or play a particular
39 type of content; or
40 (b) Using intentionally deceptive means to cause the execution of a
41 computer software component with the intent of causing the computer to
42 use such component in a manner that violates any other provision of this
43 chapter.
44 4. Subdivisions two and three of this section shall not apply to the
45 monitoring of, or interaction with, an owner's or an operator's Internet
46 or other network connection, service, or computer, by a telecommuni-
47 cations carrier, cable operator, computer hardware or software provider,
48 or provider of information service or interactive computer service for
49 network or computer security purposes, diagnostics, technical support,
50 maintenance, repair, network management, authorized updates of computer
51 software or system firmware, authorized remote system management, or
52 detection or prevention of the unauthorized use of or fraudulent or
53 other illegal activities in connection with a network, service, or
54 computer software, including scanning for and removing computer software
55 prescribed under this section.
A. 4490 5
1 5. (a) The attorney general, an Internet service provider or software
2 company that expends resources in good faith assisting authorized users
3 harmed by a violation of this section, or a trademark owner whose mark
4 is used to deceive authorized users in violation of this section, may
5 bring a civil action against a person who violates any provision of this
6 section to recover actual damages, liquidated damages of at least one
7 thousand dollars per violation of this section, not to exceed one
8 million dollars for a pattern or practice of such violations, attorney
9 fees, and costs.
10 (b) The court may increase a damage award to an amount equal to not
11 more than three times the amount otherwise recoverable under paragraph
12 (a) of this subdivision if the court determines that the defendant
13 committed the violation willfully and knowingly.
14 (c) The court may reduce liquidated damages recoverable under para-
15 graph (a) of this subdivision, to a minimum of one hundred dollars, not
16 to exceed one hundred thousand dollars for each violation if the court
17 finds that the defendant established and implemented practices and
18 procedures reasonably designed to prevent a violation of this section.
19 (d) In the case of a violation of this section that causes a telecom-
20 munications carrier or provider of voice over Internet protocol service
21 to incur costs for the origination, transport, or termination of a call
22 triggered using the modem or Internet-capable device of a customer of
23 such telecommunications carrier or provider as a result of such
24 violation, the telecommunications carrier may bring a civil action
25 against the violator to recover any or all of the following:
26 (i) the charges such carrier or provider is obligated to pay to anoth-
27 er carrier or to an information service provider as a result of the
28 violation, including but not limited to charges for the origination,
29 transport or termination of the call;
30 (ii) costs of handling customer inquiries or complaints with respect
31 to amounts billed for such calls;
32 (iii) costs and a reasonable attorney's fee; and
33 (iv) an order to enjoin the violation.
34 (e) For purposes of a civil action under paragraphs (a), (b) and (c)
35 of this subdivision any single action or conduct that violates more than
36 one subdivision of this section shall be considered multiple violations
37 based on the number of such subdivisions violated.
38 § 4. This act shall take effect on the ninetieth day after it shall
39 have become a law.
