Bill Text: NY S01926 | 2023-2024 | General Assembly | Introduced
Bill Title: Requires manufacturers of connected devices to equip such devices with reasonable security features.
Spectrum: Partisan Bill (Republican 1-0)
Status: (Introduced) 2024-01-03 - REFERRED TO INTERNET AND TECHNOLOGY [S01926 Detail]
Download: New_York-2023-S01926-Introduced.html
STATE OF NEW YORK ________________________________________________________________________ 1926 2023-2024 Regular Sessions IN SENATE January 17, 2023 ___________ Introduced by Sen. GRIFFO -- read twice and ordered printed, and when printed to be committed to the Committee on Internet and Technology AN ACT to amend the general business law, in relation to the security of connected devices The People of the State of New York, represented in Senate and Assem- bly, do enact as follows: 1 Section 1. The general business law is amended by adding a new section 2 390-e to read as follows: 3 § 390-e. Security of connected devices. 1. For the purposes of this 4 section, the following terms have the following meanings: 5 (a) "Authentication" means a method of verifying the authority of a 6 user, process, or device to access resources in an information system. 7 (b) "Connected device" means any device, or other physical object that 8 is capable of connecting to the internet, directly or indirectly, and 9 that is assigned an internet protocol address or bluetooth address. 10 (c) "Manufacturer" means the person who manufactures, or contracts 11 with another person to manufacture on the person's behalf, connected 12 devices that are sold or offered for sale in the state. For the purposes 13 of this section, a contract with another person to manufacture on the 14 person's behalf does not include a contract only to purchase a connected 15 device, or only to purchase and brand a connected device. 16 (d) "Security feature" means a feature of a device designed to provide 17 security for that device. 18 (e) "Unauthorized access, destruction, use, modification, or disclo- 19 sure" means access, destruction, use, modification, or disclosure that 20 is not authorized by the consumer. 21 2. (a) A manufacturer of a connected device shall equip such device 22 with a reasonable security feature or features that are all of the 23 following: 24 (1) Appropriate to the nature and function of the device. EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted. LBD02079-02-3S. 1926 2 1 (2) Appropriate to the information it may collect, contain, or trans- 2 mit; and 3 (3) Designed to protect the device and any information contained ther- 4 ein from unauthorized access, destruction, use, modification, or disclo- 5 sure. 6 (b) Subject to all of the requirements of paragraph (a) of this subdi- 7 vision, if a connected device is equipped with a means for authentica- 8 tion outside a local area network, it shall be deemed a reasonable secu- 9 rity feature under such paragraph if either of the following 10 requirements are met: 11 (1) The preprogrammed password is unique to each device manufactured; 12 or 13 (2) The device contains a security feature that requires a user to 14 generate a new means of authentication before access is granted to the 15 device for the first time. 16 3. (a) This section shall not be construed to impose any duty upon the 17 manufacturer of a connected device related to unaffiliated third-party 18 software or applications that a user chooses to add to a connected 19 device. 20 (b) This section shall not be construed to impose any duty upon a 21 provider of an electronic store, gateway, marketplace, or other means of 22 purchasing or downloading software or applications, to review or enforce 23 compliance with this section. 24 (c) This section shall not be construed to impose any duty upon the 25 manufacturer of a connected device to prevent a user from having full 26 control over a connected device, including the ability to modify the 27 software or firmware running on the device at the user's discretion. 28 (d) This section shall not apply to any connected device the function- 29 ality of which is subject to security requirements under federal law, 30 regulations, or guidance promulgated by a federal agency pursuant to its 31 regulatory enforcement authority. 32 (e) This section shall not be construed to provide a basis for a 33 private right of action. The attorney general shall have the exclusive 34 authority to enforce this section. 35 (f) The duties and obligations imposed by this section are cumulative 36 with any other duties or obligations imposed under any other law, and 37 shall not be construed to relieve any party from any duties or obli- 38 gations imposed under any other law. 39 (g) This section shall not be construed to limit the authority of a 40 law enforcement agency to obtain connected device information from a 41 manufacturer as authorized by law or pursuant to an order of a court of 42 competent jurisdiction. 43 (h) A covered entity, provider of health care, business associate, 44 health care service plan, contractor, employer, or any other person 45 subject to the federal Health Insurance Portability and Accountability 46 Act of 1996 (HIPAA) shall not be subject to this section with respect to 47 any activity regulated by such act. 48 § 2. This act shall take effect on the first of January next succeed- 49 ing the date on which it shall have become a law.
