§ 19-546 Information security and use of personal information.
AC § 19-546
a. All entities licensed by the commission, or authorized by the commission to provide services regulated by the commission, that collect or maintain passenger personal information or passenger geolocation information shall file with the commission an information security and use of personal information policy. Any policy filed pursuant to this section must include, at a minimum, the following provisions:

(i) a statement of internal access policies relating to passenger and driver personal information for employees, contractors, and third party access, if applicable;

(ii) a statement that, except to the extent necessary to provide credit, debit, and prepaid card services and services for any application that provides for electronic payment, personal information will only be collected and used with such passenger's affirmative express consent and that such personal information will not be used, shared, or disclosed, except for lawful purposes;

(iii) procedures for notifying the commission and affected parties of any breach of the security of the system, pursuant to section 899-aa of the general business law;

(iv) a statement that any credit, debit, or prepaid card information collected by the entity or a credit, debit, or prepaid card services provider is processed by the entity or such provider in compliance with applicable payment card industry standards;

(v) a statement of the entity's policies regarding the use of passenger geolocation information, which must include, at a minimum, a prohibition on the use, monitoring, or disclosure of trip information, including the date, time, pick-up location, drop-off location, and real-time vehicle location and any retained vehicle location records, without such passenger's affirmative express consent; and

(vi) and other provisions related to the protection of passenger or driver information that the commission may require by rule.

b. Any entity that files an information security and use of personal information policy pursuant to subdivision a of this section shall comply with the terms of such policy.

c. Any entity that has been found to have violated subdivisions a or b of this section shall be subject to a civil penalty of $1,000 for each offense.

d. Every recipient of a license obtained pursuant to this chapter who is required to make a notification pursuant to subdivision 2 or 3 of section 899-aa of the general business law shall promptly submit a copy of such notification to the commission. Such notice shall be made without delaying notice to any individual whose private information was, or is reasonably believed to have been, acquired by an unauthorized person.

(L.L. 2016/043, 4/21/2016, eff. 8/19/2016; Am. L.L. 2021/151, 12/11/2021, eff. 4/10/2022)