New York Enacts New Data Security Requirements to Protect Consumer Information
New York state's data privacy and security protections will be strengthened over the next year as businesses prepare to implement two bills on the topic signed by Gov. Andrew Cuomo on Thursday.
July 25, 2019 at 12:10 PM
Both bills were inspired in part by the data breach at Equifax in 2017, when the personal information of more than half the adult population in the U.S. was exposed in what's been considered one of the largest digital security events in history.
The first bill, called the Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, will broaden the definition of what's considered a data breach and set new requirements for when consumers should be notified.
The law, importantly, does not allow a private right of action, meaning individuals can't bring civil litigation against companies that don't take the legally prescribed steps to protect their data. Enforcement, instead, will be exclusively handled by the state Attorney General's Office.
New York Attorney General Letitia James was a driving force behind the bill's passage this year, nearly two years after it was first proposed.
“The SHIELD Act is now the law of the land and provides better protections for consumers' private information,” James said. “New Yorkers deserve the peace of mind that companies will be held accountable for securing their information.”
Companies will now have to notify consumers of a data breach when their information is accessed, even if it was just viewed during the event but not obtained. The previous standard only required that consumers be notified when their data was acquired by attackers.
The new law will also expand the notification requirements to companies outside New York, meaning that the statute will have a global reach. Any company, regardless of where it's based, will be required to notify New York consumers when their data has been accessed. A company does not need a physical presence in New York to be subject to that mandate.
Notice requirements for the scope of information accessed through a data breach will also be changed. Consumers will now have to be notified if attackers access biometric information, like fingerprints, voice prints and other unique characteristics.
The law also mandates a notice to consumers when their email addresses and corresponding passwords, or security questions and answers, are accessed through a data breach. The same will be required when health information protected under HIPAA is accessed.
Consumers can be notified of a breach in the same ways that were previously acceptable under state law. Those include through a written notice, electronic notice, telephone call, posting on the company's website, notifying major statewide media outlets, and emailing a consumer, as long as that email address wasn't part of the data breach.
Notice to consumers will have to include contact information for the company, any telephone numbers or websites of relevant state and federal agencies that provide more information on data security, and a description of what information was accessed.
Companies that don't provide notice as required under the law may face an enforcement action from the Attorney General's Office. In such an action, the court may award damages to consumers whose data was accessed. The Attorney General's Office can also seek a civil penalty of at least $5,000 or $20 per instance of failed notification.
Companies could face a civil penalty of up to $250,000 for failing to notify consumers. The previous cap was $150,000.
The Attorney General's Office will only be able to bring such an action within three years after a company's failure to notify a consumer is discovered, or when the company notified consumers but failed to meet the requirements of the law.
Consumers don't have to be notified if their data was exposed unintentionally to someone who's already authorized to access their private information, as long as that person is not expected to misuse it and the exposure is not expected to cause financial or emotional harm to the consumer, according to the bill.
Companies will still have to document such an event and keep records of it for five years. If such an incident involves the information of more than 500 residents in New York, the person or company will be required to provide a written determination to the state Attorney General's Office within 10 days of determining whether notification is necessary or not.
Those parts of the bill will take effect in 90 days, which lands in late October.
Companies will also be required to implement new security safeguards over the next eight months that comply with the new law. That part of the bill takes effect in March 2020.
The law prescribes that companies develop, implement and maintain “reasonable” safeguards to protect the security, confidentiality and integrity of private information, including the disposal of data. The “reasonable” standard was used in the law to consider the capacity of small businesses, which may not have the resources to set up expansive security safeguards.
Small businesses are defined in the law as companies with either fewer than 50 employees, less than $3 million in gross annual revenue for the last three fiscal years, or less than $5 million in total year-end assets.
Companies that exceed that standard will have to develop a more robust data security program. There are several requirements for such a program, outlined broadly as administrative, technical and physical safeguards. At least one employee will have to coordinate the security program, for example, which includes assessing the risk of information storage and disposal.
The bill was what's called a “program bill” from the Attorney General's Office, which is when a statewide elected official refers a bill to the Legislature for consideration. It was sponsored by Assemblyman Michael DenDekker, D-Queens, and State Sen. Kevin Thomas, D-Nassau. Both chair their respective chambers' committees on consumer protection.
The second bill is shorter, and relates to credit reporting agencies in particular. The law will require consumer credit reporting agencies to offer identity theft prevention and mitigation services to consumers who've been affected by a security breach of that company's data.
Credit reporting agencies will be required to provide identity theft prevention services for five years under the bill and will be prohibited from charging fees during security freezes on consumer credit reports.
That bill was sponsored by State Sen. Leroy Comrie, D-Queens, and Assemblyman Jeffrey Dinowitz, D-Bronx. It takes effect in two months, according to the legislation.
Cuomo, in a statement, said the legislation is another way for New York to add an extra layer of accountability when it comes to consumer data.
“As technology seeps into practically every aspect of our daily lives, it is increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure,” Cuomo said. “The stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data.”