N.Y. Comp. Codes R. & Regs. tit. 15 § 141.10

Current through Register Vol. 46, No. 36, September 4, 2024
Section 141.10 - Information security guidelines
(a) Protection of student confidential information is of paramount importance to the department. Sponsors and their delivery agents, where applicable, must ensure client information is kept confidential and secure. This includes securing purchase information (such as credit card), identity information (such as motorist ID, personal information questions and answers), and records maintained to validate student/sponsor compliance with the requirements, including any client reported information on tests and surveys.
(b) Sponsors and their delivery agents, where applicable, must comply with the Driver Privacy Protection Act (DPPA). Violations of the New York State Personal Privacy Protection Law and the Driver Privacy Protection Act (DPPA) may result in sponsor suspension and may result in Federal prosecution. In addition, sponsors and their delivery agents must also comply with NYS Information Security Breach and Notification Act, Sec. 208, NYS Technology Law, and Sec. 899-aa NYS General Business Law.
(c) If there is any breach of security, the affected sponsor and/or delivery agent must notify the department as soon as practical after the security breach, providing details of the incident(s) and what steps were taken to address the security breach in a timely manner.
(d) DMV information security officials will review each sponsor's security plan prior to course approval. After approval has been granted, the department, the sponsor's monitor or a third party under contract to DMV reserves the right to audit the sponsor's ADM information security practices, security of office sites, systems and test areas on a periodic basis, or when circumstances warrant.
(e) Sponsors shall maintain records for the ADM course separately from their classroom course data, or structure their data systems to differentiate between the courses. Course records and data, with the exception of biometric data, shall be retained by the sponsor for a period of not less than five years from the date of course completion. Biometric data shall be retained by the sponsor for a minimum of five business days, and no longer than 30 calendar days from the date of course completion.
(f) Sponsors that are approved to offer more than one ADM course must be able to delineate between the courses.
