1 Bender on Privacy and Data Protection § 24.07 (2020)
This statute[1] prohibits a for-profit enterprise from disposing[2] of a record containing personal identifying information (“pii”) unless it shreds the record, destroys the pii, modifies the record to render the pii unreadable, or acts consistently with “accepted industry practices that it reasonably believes will ensure that no unauthorized person will have access” to the pii. Pii is defined as personal information[3] “consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is unencrypted …”[4]: SSN; driver’s license number (or non-driver ID card number); mother’s maiden name; financial services account number or code; or electronic serial number or personal identification number.[5]

The State Attorney General may bring suit to enjoin violations without the need to show injury, and the court may impose a civil penalty of up to $5,000. The use of due diligence to dispose of records properly constitutes an affirmative defense to an action under this statute. This last provision provides an incentive to prescribe adequate disposal procedures.
Footnotes — § 24.07:

[1] N.Y. Gen. Bus. L. § 399-h, L. 2066, c. 65, eff. 4 Dec. 2006.

[2] Interestingly, the statute excepts from the definition of “dispose” a sale or transfer for value.

[3] “Personal information” in turn is defined as any information concerning a natural person that, “because of name, number, personal mark, or other identifier,” can be used to identify that person.

[4] Or encrypted with a key that is included in the same record as the encrypted personal information or data element.

[5] A personal identification number is defined as any number or code that may be used, alone or with other information, to assume the identity of another, or to access the financial resources or credit of another.