New York state's data privacy and security protections will be strengthened over the next year as businesses prepare to implement two bills on the topic signed by Gov. Andrew Cuomo on Thursday.

Both bills were inspired in part by the data breach at Equifax in 2017, when the personal information of more than half the adult population in the U.S. was exposed in what's been considered one of the largest digital security events in history.

The first bill, called the Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, will broaden the definition of what's considered a data breach and set new requirements for when consumers should be notified.

The law, importantly, does not allow a private right of action, meaning individuals can't bring civil litigation against companies that don't take the legally prescribed steps to protect their data. Enforcement, instead, will be exclusively handled by the state Attorney General's Office.

New York Attorney General Letitia James was a driving force behind the bill's passage this year, nearly two years after it was first proposed.

“The SHIELD Act is now the law of the land and provides better protections for consumers' private information,” James said. “New Yorkers deserve the peace of mind that companies will be held accountable for securing their information.”

Companies will now have to notify consumers of a data breach when their information is accessed, even if it was just viewed during the event but not obtained. The previous standard only required that consumers be notified when their data was acquired by attackers.

The new law will also expand the notification requirements to companies outside New York, meaning that the statute will have a global reach. Any company, regardless of where it is based, will be required to notify New York consumers when their data has been accessed. The company does not have to have a physical presence in New York to be subject to that mandate.

Notice requirements for the scope of information accessed through a data breach will also be changed. Consumers will now have to be notified if attackers access biometric information, like fingerprints, voice prints and other unique characteristics.

The law also mandates a notice to consumers when their email addresses and corresponding passwords, or security questions and answers, are accessed through a data breach. The same will be required when health information protected under HIPAA is accessed.

Consumers can be notified of a breach in the same ways that were previously acceptable under state law. Those include through a written notice, electronic notice, telephone call, posting on the company's website, notifying major statewide media outlets, and emailing a consumer, as long as that email address wasn't part of the data breach.

Notice to consumers will have to include contact information for the company, any telephone numbers or websites of relevant state and federal agencies that provide more information on data security, and a description of what information was accessed.

Companies that don't provide notice as required under the law may face an enforcement action from the Attorney General's Office. In such an action, the court may award damages to consumers whose data was accessed. The Attorney General's Office can also seek a civil penalty of at least $5,000 or $20 per instance of failed notification.

Companies could face a civil penalty of up to $250,000 for failing to notify consumers. The previous cap was $150,000.

The Attorney General's Office will only be able to bring such an action within three years after a company's failure to notify a consumer is discovered, or when the company notified consumers but failed to meet the requirements of the law.

Consumers don't have to be notified if their data was exposed unintentionally to someone who's already authorized to access their private information, as long as it's not expected to be misused by that person or cause financial or emotional harm to the user, according to the bill.

Companies will still have to document such an event and keep records of it for five years. If such an incident involves the information of more than 500 residents in New York, the person or company will be required to provide a written determination to the state Attorney General's Office within 10 days of determining whether notification is necessary or not.

Those parts of the bill will take effect in 90 days, which lands in late October.

Companies will also be required to implement new security safeguards over the next eight months that comply with the new law. That part of the bill takes effect in March 2020.

The law prescribes that companies develop, implement and maintain “reasonable” safeguards to protect the security, confidentiality and integrity of private information, including the disposal of data. The “reasonable” standard was used in the law to consider the capacity of small businesses, which may not have the resources to set up expansive security safeguards.

Small businesses are defined in the law as companies with either fewer than 50 employees, less than $3 million in gross annual revenue for the last three fiscal years, or less than $5 million in total year-end assets.

Companies that exceed that standard will have to develop a more robust data security program. There are several requirements for such a program, outlined broadly as administrative, technical and physical safeguards. At least one employee will have to coordinate the security program, for example, which includes assessing the risk of information storage and disposal.

The bill was what's called a “program bill” from the Attorney General's Office, which is when a statewide elected official refers a bill to the Legislature for consideration. It was sponsored by Assemblyman Michael DenDekker, D-Queens, and State Sen. Kevin Thomas, D-Nassau. Both chair their respective chambers' committees on consumer protection.

The second bill is shorter, and relates to credit reporting agencies in particular. The law will require consumer credit reporting agencies to offer identity theft prevention and mitigation services to consumers who've been affected by a security breach of that company's data.

Credit reporting agencies will be required to provide identity theft prevention services for life under the bill and will be prohibited from charging fees during security freezes on consumer credit reports.

That bill was sponsored by State Sen. Leroy Comrie, D-Queens, and Assemblyman Jeffrey Dinowitz, D-Bronx. It takes effect in two months, according to the legislation.

Cuomo, in a statement, said the legislation is another way for New York to add an extra layer of accountability when it comes to consumer data.

“As technology seeps into practically every aspect of our daily lives, it is increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure,” Cuomo said. “The stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data.”
