STATE OF NEW YORK
________________________________________________________________________
3973
2019-2020 Regular Sessions
IN SENATE
February 22, 2019
___________
Introduced by Sen. GRIFFO -- read twice and ordered printed, and when
printed to be committed to the Committee on Internet and Technology
AN ACT to amend the general business law, in relation to the security of
connected devices
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. The general business law is amended by adding a new section
2 390-d to read as follows:
3 § 390-d. Security of connected devices. 1. For the purposes of this
4 section, the following terms have the following meanings:
5 (a) "Authentication" means a method of verifying the authority of a
6 user, process, or device to access resources in an information system.
7 (b) "Connected device" means any device, or other physical object that
8 is capable of connecting to the internet, directly or indirectly, and
9 that is assigned an internet protocol address or bluetooth address.
10 (c) "Manufacturer" means the person who manufactures, or contracts
11 with another person to manufacture on the person's behalf, connected
12 devices that are sold or offered for sale in the state. For the purposes
13 of this section, a contract with another person to manufacture on the
14 person's behalf does not include a contract only to purchase a connected
15 device, or only to purchase and brand a connected device.
16 (d) "Security feature" means a feature of a device designed to provide
17 security for that device.
18 (e) "Unauthorized access, destruction, use, modification, or disclo-
19 sure" means access, destruction, use, modification, or disclosure that
20 is not authorized by the consumer.
21 2. (a) A manufacturer of a connected device shall equip such device
22 with a reasonable security feature or features that are all of the
23 following:
24 (1) Appropriate to the nature and function of the device.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD01120-01-9
S. 3973 2
1 (2) Appropriate to the information it may collect, contain, or trans-
2 mit; and
3 (3) Designed to protect the device and any information contained ther-
4 ein from unauthorized access, destruction, use, modification, or disclo-
5 sure.
6 (b) Subject to all of the requirements of paragraph (a) of this subdi-
7 vision, if a connected device is equipped with a means for authentica-
8 tion outside a local area network, it shall be deemed a reasonable secu-
9 rity feature under such paragraph if either of the following
10 requirements are met:
11 (1) The preprogrammed password is unique to each device manufactured;
12 or
13 (2) The device contains a security feature that requires a user to
14 generate a new means of authentication before access is granted to the
15 device for the first time.
16 3. (a) This section shall not be construed to impose any duty upon the
17 manufacturer of a connected device related to unaffiliated third-party
18 software or applications that a user chooses to add to a connected
19 device.
20 (b) This section shall not be construed to impose any duty upon a
21 provider of an electronic store, gateway, marketplace, or other means of
22 purchasing or downloading software or applications, to review or enforce
23 compliance with this section.
24 (c) This section shall not be construed to impose any duty upon the
25 manufacturer of a connected device to prevent a user from having full
26 control over a connected device, including the ability to modify the
27 software or firmware running on the device at the user's discretion.
28 (d) This section shall not apply to any connected device the function-
29 ality of which is subject to security requirements under federal law,
30 regulations, or guidance promulgated by a federal agency pursuant to its
31 regulatory enforcement authority.
32 (e) This section shall not be construed to provide a basis for a
33 private right of action. The attorney general shall have the exclusive
34 authority to enforce this section.
35 (f) The duties and obligations imposed by this section are cumulative
36 with any other duties or obligations imposed under any other law, and
37 shall not be construed to relieve any party from any duties or obli-
38 gations imposed under any other law.
39 (g) This section shall not be construed to limit the authority of a
40 law enforcement agency to obtain connected device information from a
41 manufacturer as authorized by law or pursuant to an order of a court of
42 competent jurisdiction.
43 (h) A covered entity, provider of health care, business associate,
44 health care service plan, contractor, employer, or any other person
45 subject to the federal Health Insurance Portability and Accountability
46 Act of 1996 (HIPAA) shall not be subject to this section with respect to
47 any activity regulated by such act.
48 § 2. This act shall take effect on the first of January next succeed-
49 ing the date on which it shall have become a law.