S04618 Summary:

BILL NO S04618
 
SAME AS No same as
 
SPONSOR ONORATO
 
COSPNSR HASSELL-THOMPSON, JOHNSON C, KRUEGER, PARKER, SAMPSON, THOMPSON
 
MLTSPNSR
 
Add Art 29-AAAA SS522 - 522-i, Gen Bus L
 
Makes provisions for privacy in banking, insurance, and other financial transactions, forbidding disclosure of personal information without prior consent granted by the customer to the financial institution; requires written notice of privacy policies and practices be given to customers; requires security and confidentiality safeguards; prohibits disclosure of account number or access code information; provides for enforcement by the attorney general and authorizes private actions.

S04618 Actions:

BILL NO S04618
 
04/24/2009 REFERRED TO CONSUMER PROTECTION
01/06/2010 REFERRED TO CONSUMER PROTECTION

S04618 Floor Votes:

There are no votes for this bill in this legislative session.

S04618 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                          4618
 
                               2009-2010 Regular Sessions
 
                    IN SENATE
 
                                     April 24, 2009
                                       ___________
 
        Introduced  by  Sens.  ONORATO,  HASSELL-THOMPSON,  C. JOHNSON, KRUEGER,
          PARKER, SAMPSON, THOMPSON -- read twice and ordered printed, and  when
          printed to be committed to the Committee on Consumer Protection
 
        AN  ACT  to  amend  the  general business law, in relation to privacy in
          banking, insurance, and other financial transactions
 

          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:
 
     1    Section 1. The general business law is amended by adding a new article
     2  29-AAAA to read as follows:
     3                               ARTICLE 29-AAAA
     4                        PRIVACY IN FINANCIAL SERVICES
     5  Section 522.   Legislative purpose and findings.
     6          522-a. Definitions.
     7          522-b. Notice of privacy policies and practices.
     8          522-c. Privacy of nonpublic personal information of customers.
     9          522-d. Limitations.
    10          522-e. Limits  on  sharing  of  account  number  information for
    11                   marketing purposes.
    12          522-f. Record retention.

    13          522-g. Enforcement by the attorney general.
    14          522-h. Private right of action.
    15          522-i. Severability.
    16    § 522. Legislative purpose and findings. The legislature hereby  finds
    17  and  declares  that  the right to privacy is a fundamental right that is
    18  threatened by the routine transfer of individuals' private  information,
    19  which  is occurring in today's computerized marketplace. Personal finan-
    20  cial information, often assumed to  be  protected  from  disclosure,  is
    21  frequently  sold  or disclosed to third parties for commercial and other
    22  purposes without the individual's consent.
    23    The legislature further  finds  and  declares  that  the  unauthorized

    24  disclosure  of  personal financial information by financial institutions
 
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD03755-01-9

        S. 4618                             2
 
     1  is of particular concern because it increases the likelihood of: identi-
     2  ty fraud crimes; offensive and  deceptive  solicitations  by  telephone,
     3  postal  mail,  and electronic mail; denial of services, including insur-
     4  ance,  employment,  and  housing  based  upon  an individual's financial
     5  status, information about which may not otherwise have been  known;  and
     6  loss of confidence in financial institutions generally.

     7    The  legislature therefore finds and declares that it is in the public
     8  and state's interest to  prohibit  the  disclosure  of  an  individual's
     9  personal financial information without the express consent of that indi-
    10  vidual before such information is disclosed.
    11    §  522-a.  Definitions.  As  used in this article, the following terms
    12  shall have the following meanings:
    13    (a) "Financial institution" shall mean:
    14    (1) any financial holding company within the meaning of section 103 of
    15  the federal Gramm-Leach-Bliley Act;
    16    (2) any person or entity to which the  banking  law  applies  and  any
    17  bank,  trust company, savings bank, savings and loan association, credit

    18  union, mortgage broker, mortgage banker, licensed  lender,  and  foreign
    19  banking  corporation  incorporated,  chartered,  organized,  or licensed
    20  under the laws of this state, any other state,  or  the  United  States,
    21  whether headquartered within or outside of this state;
    22    (3)  any  insurance company or other entity authorized to do insurance
    23  business in this state; and
    24    (4) any broker or dealer registered under the securities exchange  act
    25  of nineteen hundred thirty-four, as amended.
    26    (b)  "Affiliate"  shall  mean any company that controls, is controlled
    27  by, or is under common control with another company.
    28    (c) "Customer" shall mean any individual who obtains from a  financial

    29  institution  a product or service which is intended to be used primarily
    30  for personal, family, or household purposes, and also  means  the  legal
    31  representative of that individual.
    32    (d)  "Company"  shall mean any corporation, limited liability company,
    33  limited liability partnership, business trust, general or limited  part-
    34  nership, association, or similar organization.
    35    (e) "Control" of a company shall mean:
    36    (1)  ownership,  control, or power to vote twenty-five percent or more
    37  of the outstanding shares of any class of voting security of the  compa-
    38  ny, directly or indirectly, or acting through one or more other persons;
    39    (2)  control  in  any  manner  over  the election of a majority of the

    40  directors, trustees, or  general  partners  (or  individuals  exercising
    41  similar functions) of the company; or
    42    (3)  the  power  to  exercise,  directly  or indirectly, a controlling
    43  influence over the management or policies of the company.
    44    (f) "Nonaffiliated third party" shall mean any  entity  or  individual
    45  that  is  not  an affiliate of, or related by common ownership or affil-
    46  iated by corporate control with, the financial institution, but does not
    47  include a person employed jointly by a  financial  institution  and  any
    48  company that is not such financial institution's affiliate.
    49    (g) "Nonpublic personal information" shall mean non-medical personally
    50  identifiable information:

    51    (1) provided by a customer to a financial institution;
    52    (2) resulting   from  any  transaction  with  a  customer  or  service
    53  performed for the customer; or
    54    (3) otherwise obtained directly or indirectly by the financial  insti-
    55  tution, other than publicly available information.

        S. 4618                             3
 
     1    (h)  "Publicly  available  information"  shall  mean  information made
     2  available to the general public that is obtained from:
     3    (1) federal, state, and local government records;
     4    (2) widely distributed media;
     5    (3)  disclosures to the general public that are required to be made by
     6  federal, state, or local law.

     7    § 522-b. Notice of privacy policies and practices.   (a)  A  financial
     8  institution  must  provide a clear and conspicuous written notice, enti-
     9  tled "financial privacy notice",  written  in  accordance  with  section
    10  5-702  of  the general obligations law, to any individual, upon request,
    11  and to any individual with whom the financial institution establishes  a
    12  customer  relationship  at  the  time  a customer relationship is estab-
    13  lished, and at least annually thereafter.  Such notice shall be given at
    14  the time an account is opened; at the time a loan, mortgage,  or  credit
    15  application is made, regardless of whether the loan, mortgage, or credit
    16  is  extended; at the time a loan, mortgage, or credit is granted; at the

    17  time an application  is  made  for  insurance  or  investment  services,
    18  regardless   of  whether  such  insurance  or  investment  services  are
    19  extended; at the time insurance or investment services are extended;  or
    20  at the time the individual enters into any other form of financial tran-
    21  saction with the financial institution.
    22    (b) The notice shall clearly and conspicuously state or describe:
    23    (1)  the  specific  types  of  nonpublic personal information that the
    24  financial institution may disclose;
    25    (2) the circumstances under which disclosure may or will be made;
    26    (3) the specific types of nonaffiliated third parties to which disclo-
    27  sure may or will be made;

    28    (4) the probable uses that will be made of the information after it is
    29  disclosed;
    30    (5) that disclosure will be limited to the conditions set forth in the
    31  notice;
    32    (6) that the customer has the right to revoke the consent  to  disclo-
    33  sure of such information at any time;
    34    (7) that a new authorization will be sought from the customer prior to
    35  the  disclosure  of  any  nonpublic  personal  information relating to a
    36  customer other than under the condition  set  forth  in  the  notice  or
    37  following revocation of the consent;
    38    (8) whether or not the financial institution will receive compensation
    39  for the disclosure;
    40    (9) that a denial of approval will not adversely affect the customer's

    41  financial relationship with the institution;
    42    (10)  an  expiration  date  of no more than two years from the date of
    43  execution of the form; and
    44    (11) a space for the customer's signature and the date of execution of
    45  the form.
    46    § 522-c. Privacy of nonpublic personal information of customers.   (a)
    47  Except  as  otherwise  expressly  provided  in this article, a financial
    48  institution shall not directly or through an affiliate disclose  nonpub-
    49  lic personal information about a customer to a nonaffiliated third party
    50  unless  the financial institution has first given written notice comply-
    51  ing with this article to the customer to whom the  information  relates,

    52  and  has obtained the signed and dated, written or electronic consent of
    53  that customer for such disclosure, which consent is effective as of  the
    54  time  of the disclosure.  In addition, no disclosure of such information
    55  shall be made after receipt by the financial institution  of  revocation
    56  of  any consent previously given, unless and until the customer executes

        S. 4618                             4
 
     1  a new consent form.   A financial institution  shall  not,  directly  or
     2  through  an  affiliate, disclose nonpublic personal information relating
     3  to an individual who applies for a loan,  mortgage,  credit,  insurance,
     4  investment  service, or any other product or service offered by a finan-

     5  cial institution, regardless of whether or not such individual purchases
     6  such product or service, unless  the  financial  institution  has  first
     7  given  written notice complying with this article to such individual and
     8  has obtained such individual's signed and dated  written  or  electronic
     9  consent.
    10    (b)  No  financial institution shall discriminate against any customer
    11  on the basis of the customer's denial of consent to  the  disclosure  of
    12  his or her nonpublic personal information.
    13    (c) Every financial institution shall establish appropriate safeguards
    14  to ensure the security and confidentiality of records containing nonpub-
    15  lic  personal information and to protect against any anticipated threats

    16  or hazards to their security or integrity that could result  in  signif-
    17  icant  harm,  embarrassment,  or inconvenience to any data subject about
    18  whom information is maintained.
    19    § 522-d. Limitations.  (a) Notwithstanding the provisions  of  section
    20  five hundred twenty-two-c of this article, a financial institution shall
    21  not  be prohibited from disclosing nonpublic personal information relat-
    22  ing to a customer under the following circumstances:
    23    (1) when specifically authorized by the customer;
    24    (2) when necessary to maintain or service the customer's account  with
    25  the financial institution;
    26    (3)  to  any person or organization providing professional services to

    27  the financial institution, including, but not limited to, an  accountant
    28  engaged by the financial institution to prepare an independent audit, an
    29  attorney performing a service on behalf of the financial institution, or
    30  an  agent  or  other  person  representing  the financial institution in
    31  collecting a debt or otherwise securing payment of a loan or advance;
    32    (4) when the financial institution enters into a written contract with
    33  a nonaffiliated  third  party  to  market  the  financial  institution's
    34  products or services;
    35    (5) to protect the confidentiality or security of its records pertain-
    36  ing to the customer, the service or product, or the transaction therein,
    37  or to protect against or prevent actual or potential fraud, unauthorized

    38  transactions, claims, or other liability;
    39    (6) to provide information to applicable rating agencies of the finan-
    40  cial institution and persons assessing the institution's compliance with
    41  industry standards;
    42    (7)  when  the  financial  institution  is  compelled  to disclose the
    43  contents of  the  information  pursuant  to  lawful  subpoena,  summons,
    44  warrant, or court order;
    45    (8) when disclosure is required by federal or state law or regulation;
    46    (9)  to  a  credit-reporting agency, as defined by section six hundred
    47  three of the federal fair credit  reporting  act,  for  inclusion  in  a
    48  consumer  report  that  may  be  released to a third party for a purpose
    49  permissible under section six hundred four of such act;

    50    (10) to government entities; or
    51    (11) to the financial institution's bond or insurance  companies  when
    52  the  financial  institution has information relative to a claim pursuant
    53  to its bond or director's and officer's liability  insurance  policy  or
    54  other insurance coverage.
    55    (b)  Prior  to release of nonpublic personal information relating to a
    56  customer authorized by subdivision (a) of section five  hundred  twenty-

        S. 4618                             5
 
     1  two-c  of  this  article,  or authorized by paragraphs two, three, four,
     2  five, six, ten, or eleven of subdivision (a) of this section, the finan-
     3  cial institution shall enter into a contractual agreement with any third

     4  party receiving such nonpublic personal customer information prohibiting
     5  such third party from disclosing such information and limiting the third
     6  party's  use  of  such  information solely to the purposes for which the
     7  information is disclosed or otherwise permitted by  subdivision  (a)  of
     8  this section.
     9    § 522-e. Limits on sharing of account number information for marketing
    10  purposes.    A  financial  institution shall not, directly or through an
    11  affiliate, disclose, other than  to  a  consumer  reporting  agency,  an
    12  account  number  or  similar  form of access number or access code for a
    13  credit account, deposit account, or transaction account of a customer to
    14  any nonaffiliated third party for  use  in  telemarketing,  direct  mail

    15  marketing, or other marketing through electronic mail to the customer.
    16    §  522-f. Record retention. (a) A financial institution shall maintain
    17  records of financial privacy notification, as required in this  article,
    18  and retain copies of each customer's approval of disclosure of confiden-
    19  tial  customer  information  or withdrawal of such approval for at least
    20  four years.
    21    (b) A financial institution shall maintain records of  all  complaints
    22  under  this  article,  if  any, and their disposition for at least seven
    23  years.
    24    § 522-g. Enforcement by the attorney general. In addition to any other
    25  remedies provided, whenever there shall be a violation of this  article,

    26  application  may  be  made  by  the  attorney general in the name of the
    27  people of the state of New York to a court or justice  having  jurisdic-
    28  tion  by a special proceeding to issue an injunction, and upon notice to
    29  the defendant of not less than five days, to  enjoin  and  restrain  the
    30  continuance  of such violations; and if it shall appear to the satisfac-
    31  tion of the court or justice that the defendant has, in  fact,  violated
    32  this  article,  an  injunction  may  be issued by such court or justice,
    33  enjoining the restraining of any further  violation,  without  requiring
    34  proof  that any person has, in fact, been injured or damaged thereby. In
    35  any such proceedings, the court may  make  allowances  to  the  attorney

    36  general  as  provided  in  paragraph  six  of subdivision (a) of section
    37  eighty-three hundred three of the civil  practice  law  and  rules,  and
    38  direct  restitution. Whenever the court shall determine that a violation
    39  of this article has occurred, the court may impose a  civil  penalty  of
    40  not  more  than  one  thousand dollars for each violation. In connection
    41  with any such proposed application, the attorney general  is  authorized
    42  to  take  proof  and  make  a determination of the relevant facts and to
    43  issue subpoenas in accordance with the civil practice law and rules.
    44    § 522-h. Private right of action. In the event  that  an  individual's
    45  nonpublic  personal  information is disclosed by a financial institution

    46  in violation of this article, such individual may bring  an  action  for
    47  recovery  of  damages.  Judgment  shall  be  entered in an amount not to
    48  exceed three times the actual damages or five hundred dollars, whichever
    49  is greater. The court may award reasonable attorney's fees to a prevail-
    50  ing plaintiff.
    51    § 522-i. Severability. If any clause, sentence, paragraph, section, or
    52  part of this article shall be adjudged by any court of competent  juris-
    53  diction to be invalid, such judgment shall not affect, impair, or inval-
    54  idate  the  remainder thereof, but shall be confined in its operation to
    55  the clause, sentence,  paragraph,  section,  or  part  thereof  directly

        S. 4618                             6
 

     1  involved  in  the  controversy  in  which  such judgment shall have been
     2  rendered.
     3    § 2. This act shall take effect on the first of November next succeed-
     4  ing the date on which it shall have become a law.