IDENTITY THEFT

LAWS OF NEW YORK, 2008
CHAPTER 279

AN ACT to amend the executive law, the general business law, the public officers law, the labor law, the penal law, and the criminal procedure law, in relation to identity theft; and to amend the penal law, in relation to establishing the crime of unlawful possession of a skimmer
device

Became a law July 7, 2008, with the approval of the Governor. Passed on
message of necessity pursuant to Article III, section 14 of the
Constitution by a majority vote, three-fifths being present.

EXPLANATION--Matter in italics is new; matter in brackets [ ] is old law
to be omitted.

The People of the State of New York, represented in Senate and Assem-
bly, do enact as follows:

Section 1. Paragraphs d and e of subdivision 2 of section 553 of the
executive law, paragraph d as added and paragraph e as relettered by
chapter 472 of the laws of 2007, paragraph e as added by chapter 691 of
the laws of 2003, are amended and a new paragraph f is added to read as
follows:
d. on behalf of the board and in conjunction with the office of the
airline consumer advocate, initiate, investigate, attempt to resolve
and, if necessary, refer to the attorney general any matters or
complaints received pursuant to article fourteen-A of the general busi-
ness law as provided in such article; [and]
e. on behalf of the board, initiate, investigate, attempt to resolve,
and if necessary refer to the attorney general any matters or complaints
received pursuant to article twenty-four-B of the general business law
as provided in such article[.]; and
f. on behalf of the board, establish a process by which victims of
identity theft will receive assistance and information to resolve
complaints. To implement the process the board shall have the authority
to:
(i) promulgate rules and regulations to administer the identity theft
prevention and mitigation program; and
(ii) act as a liaison between the victim and any state agency, public
authority, or any municipal department or agency, the division of state
police, and county or municipal police departments, and any non-govern-
mental entity, including but not limited to, consumer credit reporting
agencies, to facilitate the victim obtaining such assistance and data as
will enable the program to carry out its duties to help consumers
resolve the problems that have resulted from the identity theft. Trade
secrets and proprietary business information contained in the documents
or records that may be received by the board shall be exempt from
disclosure to the extent allowed by article six of the public officers
law.
§ 1-a. Section 380-k of the general business law, as added by chapter
867 of the laws of 1977, is amended to read as follows:
§ 380-k. Compliance procedures. Every consumer or reporting agency
shall maintain reasonable procedures designed to avoid violations of
sections three hundred eighty-b [and], three hundred eighty-j and three
hundred eighty-t of this article and to limit the furnishing of consumer
reports to the purposes listed under said section three hundred eight-
y-b. These procedures shall require all prospective users of the infor-
mation to identify themselves, certify the purposes for which the infor-
mation is sought, and certify that the information will be used for no
other purpose. Every consumer reporting agency shall make a reasonable
effort to verify the identity of a new prospective user and the uses
certified by such prospective user prior to furnishing such user a
consumer report. No consumer reporting agency may furnish a consumer
report to any person if it has reasonable grounds for believing that the
consumer report will not be used for a purpose listed in section three
hundred eighty-b of this article.
§ 1-b. Section 380-m of the general business law, as added by chapter
867 of the laws of 1977, is amended to read as follows:
§ 380-m. Civil liability for negligent noncompliance. Any consumer
reporting agency or user of information who or which is negligent in
failing to comply with any requirement imposed under this article, other
than a violation of section three hundred eighty-t of this article, with
respect to any consumer is liable to that consumer in an amount equal to
the sum of:
(a) Any actual damages sustained by the consumer as a result of the
failure;
(b) In the case of any successful action to enforce any liability
under this section, the costs of the action together with reasonable
attorney's fees as determined by the court.
§ 2. Section 380-t of the general business law, as added by chapter 63
of the laws of 2006, is amended to read as follows:
§ 380-t. Security freeze. (a) A consumer may request that a security
freeze be placed on his or her consumer credit report by sending a
request in writing [by certified mail or by overnight mail] with confir-
mation of delivery requested or via telephone, secure electronic means,
or other methods developed by the consumer credit reporting agency to a
consumer credit reporting agency at an address, telephone number or
secure website designated by [the consumer credit reporting] such agency
to receive such requests. Consumer credit reporting agencies shall have
a secure website and a separately dedicated toll-free number to offer
information, to process requests and deliver the services provided for
under this section.
(b) A consumer credit reporting agency that receives from a consumer a
[written] request in accordance with subdivision (a) of this section
shall, provided such [written] request is accompanied by proper iden-
tification and payment of any applicable fee, [place a security freeze
on the consumer credit report of or relating to such consumer no later
than five business days after receiving such written request, provided,
however, that for written requests received on or after January first,
two thousand eight, such consumer credit reporting agency shall] place a
security freeze on the consumer credit report of or relating to such
consumer no later than four business days after receiving such [written]
request, provided further, however, that for [written] requests received
on or after January first, two thousand nine, such consumer credit
reporting agency shall place a security freeze on the consumer credit
report of or relating to such consumer no later than three business days
after receiving such [written] request and for requests received on or
after January first, two thousand ten, such consumer credit reporting
agency shall place a security freeze on the consumer credit report of or
relating to such consumer no later than one business day after receiving
such request. Nothing in this subdivision shall be construed to prevent
a consumer credit reporting agency from advising a third party that a
security freeze is in effect with respect to the consumer credit report
of or relating to such consumer.
(c) The consumer credit reporting agency shall send a written confir-
mation of the placement of a security freeze to the consumer within
[ten] five business days of placing such freeze. Upon placing the secu-
rity freeze on the consumer credit report of or relating to such consum-
er, the consumer credit reporting agency shall provide the consumer with
a unique personal identification number or password, or other device
[to] which shall only be used by the consumer when providing authori-
zation for the release of his or her consumer credit report for a
specific party or specific period of time. The unique personal identifi-
cation number or password, or other device to be used by the consumer
shall not be a social security number or a sequential portion thereof.
Any use of the unique personal identification number or password or
other device other than provided for in this section is prohibited.
(d) If the consumer wishes to allow his or her consumer credit report
to be accessed for a specific party or a specific period of time while a
freeze is in place, he or she shall contact the consumer credit report-
ing agency via [certified] mail[, overnight mail,] with confirmation of
delivery, telephone, secure electronic means or other method developed
by such consumer credit reporting agency pursuant to subdivision (f) of
this section using a point of contact designated by such consumer credit
reporting agency, request that the freeze be temporarily lifted, and
provide the following:
(1) proper identification;
(2) the unique personal identification number or password provided by
the consumer credit reporting agency pursuant to subdivision (c) of this
section;
(3) the proper information regarding the party to which the consumer
credit report should be available or the time period for which the
consumer credit report shall be available to users of such report; and
(4) payment of any applicable fee.
(e) (1) A consumer credit reporting agency that receives a request
from a consumer to temporarily lift a freeze on a consumer credit report
pursuant to subdivision (d) of this section, shall comply with the
request: (i) no later than three business days after receiving such
request[.]; (ii) as of September first, two thousand nine, a consumer
credit reporting agency that receives a request via the use of a tele-
phone or secure electronic method provided by the agency, pursuant to
subdivision (d) of this section, shall release a consumer's credit
report as requested by the consumer within fifteen minutes after the
request is received by the consumer credit reporting agency.
(2) A consumer credit reporting agency is not required to temporarily
lift a security freeze within the time provided in subparagraph (ii) of
paragraph one of this subdivision if:
(i) the consumer fails to meet the requirements of subdivision (b) of
this section; or
(ii) the consumer credit reporting agency's ability to temporarily
lift the security freeze within fifteen minutes is prevented by:
(A) an act of God, including fire, earthquakes, hurricanes, storms, or
similar natural disaster or phenomena;
(B) unauthorized or illegal acts by a third party, including terror-
ism, sabotage, riot, vandalism, labor strikes or disputes disrupting
operations, or similar occurrence;
(C) operational interruption, including electrical failure, unantic-
ipated delay in equipment or replacement part delivery, computer hard-
ware or software failures inhibiting response time, or similar
disruption;
(D) governmental action, including emergency orders or regulations,
judicial or law enforcement action, or similar directives;
(E) regularly scheduled maintenance, during other than normal business
hours, of, or updates to, the consumer reporting agency's systems; or
(F) commercially reasonable maintenance of, or repair to, the consumer
reporting agency's systems that is unexpected or unscheduled.
(f) A consumer credit reporting agency may develop procedures involv-
ing other secure methods of communication, including the use of the
internet, or other electronic media to receive and process a request
from a consumer to temporarily lift a freeze on a consumer credit report
pursuant to subdivision (d) of this section in an expedited manner.
(g) The consumer protection board shall monitor the state of technolo-
gy relating to the means available to process requests for the lifting
or removal of a security freeze, and shall report to the legislature
when it is determined that the technology to process requests for the
lifting or removal of a security freeze in a shorter period of time than
that set forth in subdivision (e) of this section is available.
(h) A consumer credit reporting agency shall remove or temporarily
lift a freeze placed on the consumer credit report of or relating to a
consumer only in the following cases:
(1) upon consumer request, pursuant to subdivision (d) or (k) of this
section; or
(2) if the consumer credit report of or relating to such consumer was
frozen due to a material misrepresentation of fact by the consumer. If a
consumer credit reporting agency intends to remove a freeze upon a
consumer credit report pursuant to this paragraph, the consumer credit
reporting agency shall notify the consumer in writing, by first class
mail, within three business days prior to removing the freeze on such
consumer credit report.
(i) If a third party requests access to a consumer credit report on
which a security freeze is in effect, and this request is in connection
with an application for credit or any other use, and the consumer does
not allow his or her consumer credit report to be accessed for that
period of time, the third party may treat the application as incomplete.
(j) If a consumer requests a security freeze, the consumer credit
reporting agency shall disclose the process of placing and temporarily
lifting a freeze, and the process for allowing access to information
from such consumer credit report for a specific party or a period of
time while the freeze is in place.
(k) (1) A security freeze shall remain in place until the consumer
requests, using a point of contact designated by the consumer credit
reporting agency, that the security freeze be removed and provides the
following:
(i) proper identification;
(ii) the unique personal identification number or password or similar
device provided by the consumer credit reporting agency pursuant to
subdivision (c) of this section; and
(iii) a fee, if applicable.
(2) A consumer credit reporting agency shall remove a security freeze
within three business days of receiving a request for removal from the
consumer pursuant to paragraph one of this subdivision.
(l) A consumer credit reporting agency shall require proper identifi-
cation of the person making a request to place or remove a security
freeze.
(m) The provisions of this section do not apply to the use of a
consumer credit report by any of the following:
(1) a person or entity, or a subsidiary, affiliate, or agent of that
person or entity, or an assignee of a financial obligation owing by the
consumer to that person or entity, or a prospective assignee of a finan-
cial obligation owing by the consumer to that person or entity in
conjunction with the proposed purchase of the financial obligation, with
which the consumer has or had prior to assignment an account or
contract, including a demand deposit account, or to whom the consumer
issued a negotiable instrument, for the purposes of reviewing the
account or collecting the financial obligation owing for the account,
contract, or negotiable instrument. For purposes of this paragraph,
"reviewing the account" includes activities related to account mainte-
nance, monitoring, credit line increases, and account upgrades and
enhancements;
(2) a subsidiary, affiliate, agent, assignee, or prospective assignee
of a person to whom access has been granted for purposes of facilitating
the extension of credit or other permissible use;
(3) any state or local agency, law enforcement agency, court, private
collection agency, or person acting pursuant to a court order, warrant,
or subpoena;
(4) a child support agency acting pursuant to title iv-d of the social
security act (42 U.S.C. et seq.);
(5) the state or its political subdivisions or its agents or assigns
acting to investigate fraud or acting to investigate or collect delin-
quent taxes or unpaid court orders or to fulfill any of its other statu-
tory responsibilities provided such responsibilities are consistent with
a permissible purpose under 15 U.S.C. section 1681b;
(6) the use of credit information for the purposes of prescreening as
provided for by the federal fair credit reporting act;
(7) any person or entity administering a credit file monitoring
subscription or similar service to which the consumer has subscribed; or
(8) any person or entity for the purpose of providing a consumer with
a copy of his or her consumer credit report or score upon the request of
such consumer.
(n) (1) No consumer credit reporting agency shall charge a fee to a
victim of identity theft who [has submitted] submits a copy of a signed
federal trade commission ID theft victim's affidavit, or a [valid
police] report of ID theft from a law enforcement agency to such consum-
er credit reporting agency.
(2) No consumer credit reporting agency shall charge a fee to a
consumer requesting the placement of a security freeze when such consum-
er has not previously requested the placement of a security freeze from
such consumer credit reporting agency. Except as provided for in para-
graph one of this subdivision, a consumer credit reporting agency may
charge a consumer a fee not to exceed five dollars for the placement of
a second or subsequent freeze or for the removal of a freeze or the
temporary lift of a freeze for a specific party or period of time or for
the issuance of a replacement personal identification number or password
when the consumer fails to retain the personal identification number or
password provided to such consumer by such consumer credit reporting
agency pursuant to subdivision (c) of this section.
(o) If a security freeze is in place, a consumer credit reporting
agency shall not change any of the following official information in a
consumer credit report without sending a written confirmation of the
change to the consumer within thirty days of the change being posted to
the file of or relating to such consumer: name, date of birth, social
security number, and address. Written confirmation is not required for
technical modifications of the official information of or relating to
such consumer, including name and street abbreviations, complete spell-
ings, or transposition of numbers or letters. In the case of an address
change, the written confirmation shall be sent to both the new address
and to the former address.
(p) The following entities are not required to place a security freeze
on a consumer credit report:
(1) a consumer credit reporting agency that acts only as a reseller of
credit information by assembling and merging information contained in
the data base of another consumer credit reporting agency or multiple
consumer credit reporting agencies, and does not maintain a permanent
data base of credit information from which new consumer credit reports
are produced. However, a consumer credit reporting agency acting as a
reseller shall honor any security freeze placed on a consumer credit
report by another consumer credit reporting agency;
(2) a check services or fraud prevention services company, which
issues reports on incidents of fraud or authorizations for the purpose
of approving or processing negotiable instruments, electronic funds
transfers, or similar methods of payments; or
(3) a deposit account information service company, which issues
reports regarding account closures due to fraud, substantial overdrafts,
ATM abuse, or similar negative information regarding a consumer, to
inquiring banks or other financial institutions for use only in review-
ing a consumer request for a deposit account at the inquiring bank or
financial institution.
(q) (1) Any time a consumer credit reporting agency is required to
send a summary of rights required under 15 U.S.C. section 1681g, to a
consumer residing in this state the following notice shall be included
with such summary of rights:
"NEW YORK CONSUMERS HAVE THE RIGHT TO OBTAIN A SECURITY FREEZE.
YOU HAVE A RIGHT TO PLACE A "SECURITY FREEZE" ON YOUR CREDIT REPORT,
WHICH WILL PROHIBIT A CONSUMER CREDIT REPORTING AGENCY FROM RELEASING
INFORMATION IN YOUR CREDIT REPORT WITHOUT YOUR EXPRESS AUTHORIZATION. A
SECURITY FREEZE MUST BE REQUESTED IN WRITING [BY CERTIFIED OR OVERNIGHT
MAIL] DELIVERY CONFIRMATION REQUESTED OR VIA TELEPHONE, SECURE ELECTRON-
IC MEANS, OR OTHER METHODS DEVELOPED BY THE CONSUMER CREDIT REPORTING
AGENCY. THE SECURITY FREEZE IS DESIGNED TO PREVENT CREDIT, LOANS, AND
SERVICES FROM BEING APPROVED IN YOUR NAME WITHOUT YOUR CONSENT. HOWEVER,
YOU SHOULD BE AWARE THAT USING A SECURITY FREEZE TO TAKE CONTROL OVER
WHO GETS ACCESS TO THE PERSONAL AND FINANCIAL INFORMATION IN YOUR CREDIT
REPORT MAY DELAY, INTERFERE WITH, OR PROHIBIT THE TIMELY APPROVAL OF ANY
SUBSEQUENT REQUEST OR APPLICATION YOU MAKE REGARDING A NEW LOAN, CREDIT,
MORTGAGE, GOVERNMENT SERVICES OR PAYMENTS, INSURANCE, RENTAL HOUSING,
EMPLOYMENT, INVESTMENT, LICENSE, CELLULAR PHONE, UTILITIES, DIGITAL
SIGNATURE, INTERNET CREDIT CARD TRANSACTION, OR OTHER SERVICES, INCLUD-
ING AN EXTENSION OF CREDIT AT POINT OF SALE. WHEN YOU PLACE A SECURITY
FREEZE ON YOUR CREDIT REPORT, YOU WILL BE PROVIDED A PERSONAL IDENTIFI-
CATION NUMBER OR PASSWORD TO USE IF YOU CHOOSE TO REMOVE THE FREEZE ON
YOUR CREDIT REPORT OR AUTHORIZE THE RELEASE OF YOUR CREDIT REPORT TO A
SPECIFIC PARTY OR FOR A PERIOD OF TIME AFTER THE FREEZE IS IN PLACE. TO
PROVIDE THAT AUTHORIZATION YOU MUST CONTACT THE CONSUMER CREDIT REPORT-
ING AGENCY AND PROVIDE ALL OF THE FOLLOWING:
(1) THE PERSONAL IDENTIFICATION NUMBER OR PASSWORD;
(2) PROPER IDENTIFICATION TO VERIFY YOUR IDENTITY;
(3) THE PROPER INFORMATION REGARDING THE PARTY OR PARTIES WHO ARE TO
RECEIVE THE CREDIT REPORT OR THE PERIOD OF TIME FOR WHICH THE REPORT
SHALL BE AVAILABLE TO USERS OF THE CREDIT REPORT; AND
(4) PAYMENT OF ANY APPLICABLE FEE.
A CONSUMER CREDIT REPORTING AGENCY MUST AUTHORIZE THE RELEASE OF YOUR
CREDIT REPORT NO LATER THAN THREE BUSINESS DAYS AFTER RECEIVING THE
ABOVE INFORMATION. EFFECTIVE SEPTEMBER FIRST, TWO THOUSAND NINE, A
CONSUMER CREDIT REPORTING AGENCY THAT RECEIVES A REQUEST VIA TELEPHONE
OR SECURE ELECTRONIC METHOD SHALL RELEASE A CONSUMER'S CREDIT REPORT
WITHIN FIFTEEN MINUTES WHEN THE REQUEST IS RECEIVED.
A SECURITY FREEZE DOES NOT APPLY TO CIRCUMSTANCES IN WHICH YOU HAVE AN
EXISTING ACCOUNT RELATIONSHIP AND A COPY OF YOUR REPORT IS REQUESTED BY
YOUR EXISTING CREDITOR OR ITS AGENTS OR AFFILIATES FOR CERTAIN TYPES OF
ACCOUNT REVIEW, COLLECTION, FRAUD CONTROL OR SIMILAR ACTIVITIES.
IF YOU ARE ACTIVELY SEEKING CREDIT, YOU SHOULD UNDERSTAND THAT THE
PROCEDURES INVOLVED IN LIFTING A SECURITY FREEZE MAY SLOW YOUR APPLICA-
TION FOR CREDIT. YOU SHOULD PLAN AHEAD AND LIFT A FREEZE, EITHER
COMPLETELY IF YOU ARE SHOPPING AROUND, OR SPECIFICALLY FOR A CERTAIN
CREDITOR, BEFORE APPLYING FOR NEW CREDIT. WHEN SEEKING CREDIT OR PURSU-
ING ANOTHER TRANSACTION REQUIRING ACCESS TO YOUR CREDIT REPORT, IT IS
NOT NECESSARY TO RELINQUISH YOUR PIN OR PASSWORD TO THE CREDITOR OR
BUSINESS; YOU CAN CONTACT THE CONSUMER CREDIT REPORTING AGENCY DIRECTLY.
IF YOU CHOOSE TO GIVE OUT YOUR PIN OR PASSWORD TO THE CREDITOR OR BUSI-
NESS, IT IS RECOMMENDED THAT YOU OBTAIN A NEW PIN OR PASSWORD FROM THE
CONSUMER CREDIT REPORTING AGENCY."
(2) If a consumer requests information about a security freeze, such
consumer shall be provided with the notice set forth in paragraph one of
this subdivision and with any other information necessary to place,
temporarily lift or permanently lift a security freeze, including but
not limited to the address, telephone number or point of contact at
which the consumer credit reporting agency receives such requests.
(r) When a consumer credit reporting agency erroneously releases a
consumer credit report subject to a security freeze or any information
contained in such consumer credit report, the consumer credit reporting
agency shall send written notification to the affected consumer within
[five] three business days following discovery or notification of such
erroneous release. Such notification shall also inform the consumer of
the nature of the information released and identify and provide contact
information for the recipient of such information or consumer credit
report.
(s) Whenever there shall be a violation of this section, application
may be made by the attorney general in the name of the people of the
state of New York to a court or justice having jurisdiction by a special
proceeding to issue an injunction, and upon notice to the defendant of
not less than five days, to enjoin and restrain the continuance of such
violations; and if it shall appear to the satisfaction of the court or
justice that the defendant has, in fact, violated this section, an
injunction may be issued by such court or justice, enjoining and
restraining any further violation, without requiring proof that any
person has, in fact, been injured or damaged thereby. In any such
proceeding, the court may make allowances to the attorney general as
provided in paragraph six of subdivision (a) of section eighty-three
hundred three of the civil practice law and rules, and direct restitu-
tion. Whenever the court shall determine that a violation of this
section has occurred, the court may impose a civil penalty of not more
than five thousand dollars for each violation. In connection with any
such proposed application, the attorney general is authorized to take
proof and make a determination of the relevant facts and to issue
subpoenas in accordance with the civil practice law and rules.
§ 3. The public officers law is amended by adding a new section 96-a
to read as follows:
§ 96-a. Prohibited conduct. 1. Beginning on January first, two thou-
sand ten the state and its political subdivisions shall not do any of
the following, unless required by law:
(a) Intentionally communicate to the general public or otherwise make
available to the general public in any manner an individual's social
security account number. This paragraph shall not apply to any individ-
ual intentionally communicating to the general public or otherwise
making available to the general public his or her social security
account number.
(b) Print an individual's social security account number on any card
or tag required for the individual to access products, services or bene-
fits provided by the state and its political subdivisions.
(c) Require an individual to transmit his or her social security
account number over the internet, unless the connection is secure or the
social security account number is encrypted.
(d) Require an individual to use his or her social security account
number to access an internet web site, unless a password or unique
personal identification number or other authentication device is also
required to access the internet website.
(e) Include an individual's social security account number, except the
last four digits thereof, on any materials that are mailed to the indi-
vidual, or in any electronic mail that is copied to third parties,
unless state or federal law requires the social security account number
to be on the document to be mailed. Notwithstanding this paragraph,
social security account numbers may be included in applications and
forms sent by mail, including documents sent as part of an application
or enrollment process, or to establish, amend or terminate an account,
contract or policy, or to confirm the accuracy of the social security
account number. A social security account number that is permitted to be
mailed under this section may not be printed, in whole or in part, on a
postcard or other mailer not requiring an envelope, or visible on the
envelope or without the envelope having been opened.
(f) Encode or embed a social security number in or on a card or docu-
ment, including, but not limited to, using a bar code, chip, magnetic
strip, or other technology, in place of removing the social security
number as required by this section.
(g) Nothing in this section shall prohibit a county clerk or court
from making available a document publicly recorded or filed prior to the
effective date of this section, provided that if any individual requests
redaction of a social security number from a publicly recorded document
available to the public online, such number shall be promptly redacted
by the county clerk. Nothing in this section shall limit disclosure of
criminal history record information currently permitted.
2. As used in this section "social security account number" shall
include the nine digit account number issued by the federal social secu-
rity administration and any number derived therefrom. Such term shall
not include any number that has been encrypted.
3. This section does not prevent the collection, use or release of a
social security account number as required by state or federal law, or
the use of a social security account number for internal verification,
fraud investigation or administrative purposes.
§ 4. Subdivision 2 of section 399-dd of the general business law, as
added by chapter 676 of the laws of 2006, is amended by adding a new
paragraph (f) to read as follows:
(f) Encode or embed a social security number in or on a card or docu-
ment, including, but not limited to, using a bar code, chip, magnetic
strip, or other technology, in place of removing the social security
number as required by this section.
§ 5. Subdivision 6 of section 399-dd of the general business law, as
added by chapter 676 of the laws of 2006, is renumbered subdivision 7
and a new subdivision 6 is added to read as follows:
6. No person may file any document available for public inspection
with any state agency, political subdivision, or in any court of this
state that contains a social security account number of any other
person, unless such other person is a dependent child, or has consented
to such filing, except as required by federal or state law or regu-
lation, or by court rule.
§ 6. The labor law is amended by adding a new section 203-d to read as
follows:
§ 203-d. Employee personal identifying information. 1. An employer
shall not unless otherwise required by law:
(a) Publicly post or display an employee's social security number;
(b) Visibly print a social security number on any identification badge
or card, including any time card;
(c) Place a social security number in files with unrestricted access;
or
(d) Communicate an employee's personal identifying information to the
general public. For purposes of this section, "personal identifying
information" shall include social security number, home address or tele-
phone number, personal electronic mail address, Internet identification
name or password, parent's surname prior to marriage, or drivers'
license number.
2. A social security number shall not be used as an identification
number for purposes of any occupational licensing.
3. The commissioner may impose a civil penalty of up to five hundred
dollars on any employer for any knowing violation of this section. It
shall be presumptive evidence that a violation of this section was know-
ing if the employer has not put in place any policies or procedures to
safeguard against such violation, including procedures to notify rele-
vant employees of these provisions.
§ 7. Subdivision 1 of section 60.27 of the penal law, as amended by
chapter 619 of the laws of 2002, is amended to read as follows:
1. In addition to any of the dispositions authorized by this article,
the court shall consider restitution or reparation to the victim of the
crime and may require restitution or reparation as part of the sentence
imposed upon a person convicted of an offense, and after providing the
district attorney with an opportunity to be heard in accordance with the
provisions of this subdivision, require the defendant to make restitu-
tion of the fruits of his or her offense or reparation for the actual
out-of-pocket loss caused thereby and, in the case of a violation of
section 190.78, 190.79, 190.80, 190.82 or 190.83 of this chapter, any
costs or losses incurred due to any adverse action taken against the
victim. The district attorney shall where appropriate, advise the court
at or before the time of sentencing that the victim seeks restitution or
reparation, the extent of injury or economic loss or damage of the
victim, and the amount of restitution or reparation sought by the victim
in accordance with his or her responsibilities under subdivision two of
section 390.50 of the criminal procedure law and article twenty-three of
the executive law. The court shall hear and consider the information
presented by the district attorney in this regard. In that event, or
when the victim impact statement reports that the victim seeks restitu-
tion or reparation, the court shall require, unless the interests of
justice dictate otherwise, in addition to any of the dispositions
authorized by this article that the defendant make restitution of the
fruits of the offense and reparation for the actual out-of-pocket loss
and, in the case of a violation of section 190.78, 190.79, 190.80,
190.82 or 190.83 of this chapter, any costs or losses incurred due to
any adverse action, caused thereby to the victim. In the event that
restitution or reparation are not ordered, the court shall clearly state
its reasons on the record. Adverse action as used in this subdivision
shall mean and include actual loss incurred by the victim, including an
amount equal to the value of the time reasonably spent by the victim
attempting to remediate the harm incurred by the victim from the
offense, and the consequential financial losses from such action.
§ 8. Subdivision 1 of section 190.77 of the penal law, as added by
chapter 619 of the laws of 2002, is amended to read as follows:
1. For the purposes of sections 190.78, 190.79 [and], 190.80 and
190.85 of this article "personal identifying information" means a
person's name, address, telephone number, date of birth, driver's
license number, social security number, place of employment, mother's
maiden name, financial services account number or code, savings account
number or code, checking account number or code, brokerage account
number or code, credit card account number or code, debit card number or
code, automated teller machine number or code, taxpayer identification
number, computer system password, signature or copy of a signature,
electronic signature, unique biometric data that is a fingerprint, voice
print, retinal image or iris image of another person, telephone calling
card number, mobile identification number or code, electronic serial
number or personal identification number, or any other name, number,
code or information that may be used alone or in conjunction with other
such information to assume the identity of another person.
§ 9. The penal law is amended by adding a new section 190.85 to read
as follows:
§ 190.85 Unlawful possession of a skimmer device in the second degree.
1. A person is guilty of unlawful possession of a skimmer device in
the second degree when he or she possesses a skimmer device with the
intent that such device be used in furtherance of the commission of the
crime of identity theft or unlawful possession of personal identifica-
tion information as defined in this article.
2. For purposes of this article, "skimmer device" means a device
designed or adapted to obtain personal identifying information from a
credit card, debit card, public benefit card, access card or device, or
other card or device that contains personal identifying information.
Unlawful possession of a skimmer device in the second degree is a
class A misdemeanor.
§ 10. The penal law is amended by adding a new section 190.86 to read
as follows:
§ 190.86 Unlawful possession of a skimmer device in the first degree.
A person is guilty of unlawful possession of a skimmer device in the
first degree when he or she commits the crime of unlawful possession of
a skimmer device in the second degree and he or she has been previously
convicted within the last five years of identity theft in the third
degree as defined in section 190.78, identity theft in the second degree
as defined in section 190.79, identity theft in the first degree as
defined in section 190.80, unlawful possession of personal identifica-
tion information in the third degree as defined in section 190.81,
unlawful possession of personal identification information in the second
degree as defined in section 190.82, unlawful possession of personal
identification information in the first degree as defined in section
190.83, unlawful possession of a skimmer device in the second degree as
defined in section 190.85, unlawful possession of a skimmer device in
the first degree as defined in this section, grand larceny in the fourth
degree as defined in section 155.30, grand larceny in the third degree
as defined in section 155.35, grand larceny in the second degree as
defined in section 155.40 or grand larceny in the first degree as
defined in section 155.42 of this chapter.
Unlawful possession of a skimmer device in the first degree is a class
E felony.
§ 11. Subdivision 4 of section 190.79 of the penal law, as added by
chapter 619 of the laws of 2002, is amended to read as follows:
4. commits the crime of identity theft in the third degree as defined
in section 190.78 of this article and has been previously convicted
within the last five years of identity theft in the third degree as
defined in section 190.78, identity theft in the second degree as
defined in this section, identity theft in the first degree as defined
in section 190.80, unlawful possession of personal identification infor-
mation in the third degree as defined in section 190.81, unlawful
possession of personal identification information in the second degree
as defined in section 190.82, unlawful possession of personal identifi-
cation information in the first degree as defined in section 190.83,
unlawful possession of a skimmer device in the second degree as defined
in section 190.85, unlawful possession of a skimmer device in the first
degree as defined in section 190.86, grand larceny in the fourth degree
as defined in section 155.30, grand larceny in the third degree as
defined in section 155.35, grand larceny in the second degree as defined
in section 155.40 or grand larceny in the first degree as defined in
section 155.42 of this chapter.
§ 12. Subdivision 4 of section 190.80 of the penal law, as added by
chapter 619 of the laws of 2002, is amended to read as follows:
4. commits the crime of identity theft in the second degree as defined
in section 190.79 of this article and has been previously convicted
within the last five years of identity theft in the third degree as
defined in section 190.78, identity theft in the second degree as
defined in section 190.79, identity theft in the first degree as defined
in this section, unlawful possession of personal identification informa-
tion in the third degree as defined in section 190.81, unlawful
possession of personal identification information in the second degree
as defined in section 190.82, unlawful possession of personal identifi-
cation information in the first degree as defined in section 190.83,
unlawful possession of a skimmer device in the second degree as defined
in section 190.85, unlawful possession of a skimmer device in the first
degree as defined in section 190.86, grand larceny in the fourth degree
as defined in section 155.30, grand larceny in the third degree as
defined in section 155.35, grand larceny in the second degree as defined
in section 155.40 or grand larceny in the first degree as defined in
section 155.42 of this chapter.
§ 13. Subdivision 2 of section 190.83 of the penal law, as added by
chapter 619 of the laws of 2002, is amended to read as follows:
2. he or she has been previously convicted within the last five years
of identity theft in the third degree as defined in section 190.78,
identity theft in the second degree as defined in section 190.79, iden-
tity theft in the first degree as defined in section 190.80, unlawful
possession of personal identification information in the third degree as
defined in section 190.81, unlawful possession of personal identifica-
tion information in the second degree as defined in section 190.82,
unlawful possession of personal identification information in the first
degree as defined in this section, unlawful possession of a skimmer
device in the second degree as defined in section 190.85, unlawful
possession of a skimmer device in the first degree as defined in section
190.86, grand larceny in the fourth degree as defined in section 155.30,
grand larceny in the third degree as defined in section 155.35, grand
larceny in the second degree as defined in section 155.40 or grand
larceny in the first degree as defined in section 155.42 of this chap-
ter.
§ 14. Section 190.30 of the criminal procedure law is amended by
adding a new subdivision 8 to read as follows:
8. (a) A business record may be received in such grand jury
proceedings as evidence of the following facts and similar facts stated
therein:
(i) a person's use of, subscription to and charges and payments for
communication equipment and services including but not limited to equip-
ment or services provided by telephone companies and internet service
providers, but not including recorded conversations or images communi-
cated thereby; and
(ii) financial transactions, and a person's ownership or possessory
interest in any account, at a bank, insurance company, brokerage,
exchange or banking organization as defined in section two of the bank-
ing law.
(b) Any business record offered for consideration by a grand jury
pursuant to paragraph (a) of this subdivision must be accompanied by a
written statement, under oath, that (i) contains a list or description
of the records it accompanies, (ii) attests in substance that the person
making the statement is a duly authorized custodian of the records or
other employee or agent of the business who is familiar with such
records, and (iii) attests in substance that such records were made in
the regular course of business and that it was the regular course of
such business to make such records at the time of the recorded act,
transaction, occurrence or event, or within a reasonable time thereaft-
er. Such written statement may also include a statement identifying the
name and job description of the person making the statement, specifying
the matters set forth in subparagraph (ii) of this paragraph and attest-
ing that the business has made a diligent search and does not possess a
particular record or records addressing a matter set forth in paragraph
(a) of this subdivision, and such statement may be received at grand
jury proceedings as evidence of the fact that the business does not
possess such record or records. When records of a business are accompa-
nied by more than one sworn written statement of its employees or
agents, such statements may be considered together in determining the
admissibility of the records under this subdivision. For the purpose of
this subdivision, the term "business records" does not include any
records prepared by law enforcement agencies or prepared by any entity
in anticipation of litigation.
(c) Any business record offered to a grand jury pursuant to paragraph
(a) of this subdivision that includes material beyond that described in
such paragraph (a) shall be redacted to exclude such additional materi-
al, or received subject to a limiting instruction that the grand jury
shall not consider such additional material in support of any criminal
charge.
(d) No such records shall be admitted when an adversarial examination
of such a records custodian or other employee of such business who was
familiar with such records has been previously ordered pursuant to
subdivision eight of section 180.60 of this chapter, unless a transcript
of such examination is admitted.
(e) Nothing in this subdivision shall affect the admissibility of
business records in the grand jury on any basis other than that set
forth in this subdivision.
§ 14-a. Subdivision 3 of section 210.30 of the criminal procedure law,
as amended by chapter 209 of the laws of 1990, is amended to read as
follows:
3. Unless good cause exists to deny the motion to inspect the grand
jury minutes, the court must grant the motion. It must then proceed to
examine the minutes and to determine the motion to dismiss or reduce the
indictment. If the court, after examining the minutes, finds that
release of the minutes, or certain portions thereof, to the parties is
necessary to assist the court in making its determination on the motion,
it may release the minutes or such portions thereof to the parties.
Provided, however, such release shall be limited to that grand jury
testimony which is relevant to a determination of whether the evidence
before the grand jury was legally sufficient to support a charge or
charges contained in such indictment. Prior to such release the district
attorney shall be given an opportunity to present argument to the court
that the release of the minutes, or any portion thereof, would not be in
the public interest. For purposes of this section, the minutes shall
include any materials submitted to the grand jury pursuant to subdivi-
sion eight of section 190.30 of this chapter.
§ 15. Severability. If any clause, sentence, paragraph, section or
part of this act shall be adjudged by any court of competent jurisdic-
tion to be invalid, such judgment shall not affect, impair or invalidate
the remainder thereof, but shall be confined in its operation to the
clause, sentence, paragraph, section or part thereof directly involved
in the controversy in which such judgment shall have been rendered.
§ 16. This act shall take effect on the one hundred eightieth day
after it shall have become a law; provided that section three of this
act shall take effect January 1, 2010; provided, however, that sections
eight, nine, ten, eleven, twelve and thirteen of this act shall take
effect on the first of November next succeeding the date on which it
shall have become law; and provided, further, that section fourteen of
this act shall take effect on the thirtieth day after it shall have
become a law; provided, further, however, that the amendments to para-
graphs d and e of subdivision 2 of section 553 of the executive law made
by section one of this act shall not affect the repeal of such para-
graphs and shall be deemed repealed therewith; provided, further that
paragraph f of subdivision 2 of section 553 of the executive law as
added by section one of this act shall survive the expiration and rever-
sion of such subdivision as provided in section 3 of chapter 691 of the
laws of 2003, as amended.

The Legislature of the STATE OF NEW YORK ss:
Pursuant to the authority vested in us by section 70-b of the Public
Officers Law, we hereby jointly certify that this slip copy of this
session law was printed under our direction and, in accordance with such
section, is entitled to be read into evidence.


JOSEPH L. BRUNO
Temporary President of the Senate
SHELDON SILVER
Speaker of the Assembly