Current through Register Vol. 46, No. 45, November 2, 2024
Section 10.11 - Information Security Guidelines

(a) Protection of student confidential information is of paramount importance to the Department. Sponsors must ensure client information is kept confidential and secure. This includes securing personal information, as defined by Article 12-D, along with purchase information (such as credit card information), identity information (such as motorist ID, personal information questions and answers), and records maintained to validate student and sponsor compliance with the requirements, including any client reported information on tests and surveys.

(b) Sponsors must comply with the New York State Personal Privacy Protection Law, the Driver Privacy Protection Act (DPPA), and any other state or federal privacy protection laws. In addition, sponsors must comply with NYS Information Security Breach and Notification Act, Sec 208, NYS Technology Law, and Sec. 899-aa NYS General Business Law.

(c) If there is any breach of security, the affected sponsor must notify the Department as soon as possible after the security breach, providing details of the incident(s) and what steps were taken to address the security breach in a timely manner.

(d) The Department will review each sponsor's security plan prior to course approval. After approval has been granted, the Department, the sponsor's monitor or a third-party under contract to the Department, reserves the right to audit the sponsor's internet information security practices, security of office sites, systems and test areas on a periodic basis, or when circumstances as determined by the Department warrant. The sponsor must not rely on the Department's approval of the security plan as an assurance that any or all aspects of the sponsor's internet pre-licensing course are in compliance with state and federal laws.

(e) Sponsors must maintain records for the internet pre-licensing course separately from any other course data, and sponsors must structure their data systems to differentiate between the courses. Course records and data, with the exception of biometric data, must be retained by the sponsor for a period of not less than five (5) years from the date the data was collected, or the date of course completion, whichever is later. Biometric data, facial recognition, key stroke analysis, voice print or fingerprints, must be retained by the sponsor for a minimum of five (5) business days, and no longer than thirty (30) calendar days from the date the data was collected, or the date of course completion, whichever is later.

(f) Sponsors that are approved by the Department to offer internet pre-licensing courses in languages other than English must be able to delineate between courses provided in various languages.

N.Y. Comp. Codes R. & Regs. Tit. 15 § 10.11
Adopted New York State Register June 17, 2020/Volume XLII, Issue 24, eff. 6/17/2020