New Data Privacy and Security Laws Will Impose Strict Mandates on Businesses
This article explores some of the heightened data security and privacy obligations imposed by bills being considered in the New Jersey legislature, and the New York SHIELD Act, which recently took effect.
November 25, 2019 at 10:00 AM
9 minute read
Heightened concerns for the privacy and security of personal information in 2019 prompted at least 25 state legislatures across the country to propose a variety of bills addressing the privacy of consumer data. In New Jersey and New York, legislators are acting to enhance businesses' privacy and security obligations, including the privacy practices and policies of commercial entities and commercial websites that collect, process, and store personal information of state residents. These enhanced obligations promote individual interests in privacy and security, but they also may have a dramatic effect on a company's ongoing compliance efforts and the resulting costs. Based on pending legislation in New Jersey and recently enacted legislation in New York, all affected businesses should implement, or review and reassess, their data privacy and security programs, as well as their breach prevention and response activities, in order to meet the requirements of today's ever-evolving compliance regimes.
Bills currently pending in the New Jersey Senate and Assembly would implement new requirements for companies doing business in New Jersey that collect or process the personal information of New Jersey residents. Although Senate Bill 2834 (with companion Assembly Bill 4902) and Senate Bill 3153 (with companion Assembly Bill 4640) have very similar compliance requirements, there are some substantive differences—perhaps most notably, whether an exemption will be allowed for certain businesses below a threshold of annual revenue or total number of people from whom personal information is collected. There has been considerable discussion since these bills were introduced about the scope, terms, and requirements of any legislation that may ultimately be enacted. At this juncture, it remains unclear what the final terms of any enacted statute will be, and it is likely that any legislation enacted will represent a blending of the requirements of both bills. So that businesses are prepared for whatever legislation is ultimately enacted, this article highlights some of the more restrictive provisions of the bills being considered, which are intended to ensure transparency about what personal information a business collects, what that information is used for, and who that information is shared with.
In general, the proposed bills would require a company to provide a complete description of the personally identifiable information the company collects, the purpose of the collection, and the time parameters for storage of the data. In addition, with limited exceptions—e.g., to comply with legal requirements, prevent fraud, or protect the consumer—the company must identify the third parties to which it may disclose personal information, the purpose of such disclosure, and whether it profits from such disclosure. Companies would also have to provide consumers with the right to access their own personal information, and, within 30 days of each consumer's request, provide detailed information about the requesting party's personal information (including, for example, the identity and contact information of third parties that received the personal information), along with an actual copy of the processed data. Consumers would be able to opt out of certain disclosures and processing of their personal information, and the company would be prohibited from discriminating against or penalizing the consumer for opting out. Companies would also be required to develop and maintain information security programs that meet applicable industry standards or the requirements of any applicable federal law, but the current bills do not provide any specific measures that may be implemented to achieve compliance.
Both bills currently include an expansive definition of "personally identifiable information" that would extend far beyond the scope of "personal information" found in New Jersey's Identity Theft Prevention Act (ITPA). The ITPA sets forth the requirements for disclosure of a breach of security of "personal information," which is defined to include a name linked with a Social Security number, driver's license number, or certain financial account information. In May 2019, the ITPA was amended to add "user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account." It is not clear whether unauthorized access to any data within an expanded scope of "personally identifiable information" under the pending bills would constitute a "breach" under the ITPA that triggers a company's obligation to notify affected consumers and law enforcement.
Notably, the current version of these bills, like many proposed bills in other states, would give consumers a private right of action under the state Consumer Fraud Act against companies that fail to comply. For obvious reasons, the private right of action is anathema for businesses across the country. In many jurisdictions, the alternative to an immediate right of action includes an extended "right to cure" before a private action (which S3153 includes) or enforcement solely by the state Attorney General.
In New York, the Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act") implements broad new data security requirements for all businesses that have the private information of New York residents, and also modifies the state's breach notification requirements. The SHIELD Act reaches beyond New York's own borders to compel even companies that do not do business in New York to take affirmative steps to protect the personal and private information of New York residents that companies may be collecting or storing.
First, the SHIELD Act expands the definition of "private information" that must be safeguarded to include any information that can be used to identify a person, in combination with a Social Security number, a driver's license number, a financial account number, or biometric information. Separate and apart from these "data elements," the definition of "private information" also now includes "a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account."
Second, the SHIELD Act expands the definition of what constitutes a breach to include mere access to private information, instead of the previous requirement of actual acquisition without authorization that compromised the private information. "Access" depends on whether someone without authorization (or without valid authorization) has viewed, communicated with, used, or altered the information. Companies must still provide notice of breaches to affected New York residents, but there is no additional requirement if notice is made under Gramm-Leach-Bliley, Health Insurance Portability and Accountability Act (HIPAA), the New York Department of Financial Services (NY DFS) Cybersecurity Regulations, or other New York state data security regulations. The breach notification provisions in the SHIELD Act took effect on Oct. 23, 2019.
Third, and significantly for businesses that do not do business within the State of New York, the SHIELD Act now applies to any company that possesses the private information of even a single New York resident—even if the company does not conduct business in New York. All companies must now protect that data and report breaches to each impacted resident if they involve the resident's private information.
Fourth, the SHIELD Act creates an entirely new obligation for all companies that own the private information of even a single New York resident to "implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information including, but not limited to, disposal of data." Entities that already comply with Gramm-Leach-Bliley, HIPAA, the NY DFS Cybersecurity Regulations, or other New York data security regulations will be deemed to be compliant with the SHIELD Act's data security requirements. For a company not otherwise deemed compliant, "reasonable safeguards" require implementing a "data security program" that includes administrative, technical, and physical safeguards to protect the private information. Unlike the New Jersey bills, the SHIELD Act lists specific measures that businesses can employ to achieve compliance, including, but not limited to, employee training; careful selection of service providers; risk identification and assessment; procedures to detect, prevent, and respond to attacks or intrusions; and disposal of private information no longer needed for business purposes.
While the obligations of the SHIELD Act are universal, it is important to note that a "small business"—defined as a business with (1) fewer than 50 employees, (2) less than $3 million in gross annual revenue in each of the last three fiscal years, or (3) less than $5 million in year-end total assets—is given some leeway (there is no exemption) and will be deemed compliant if the business establishes a security program that "contains reasonable administrative, technical, and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers." The SHIELD Act's data security requirements take effect March 21, 2020.
Finally, there is no private right of action under the SHIELD Act; the New York Attorney General alone is authorized to enforce these requirements.
Businesses should take affirmative and proactive steps now to ensure that they will be compliant with the heightened data security and privacy obligations imposed by the anticipated New Jersey law and the New York SHIELD Act. Although the New Jersey legislation has not yet been enacted, and its exact contours are undetermined, it is likely only a matter of time, so New Jersey businesses should begin now to focus on compliance. For any business that does not currently have a data security program, develop and implement one that is appropriate for the full scope of the company's operations. And for any business that has a data security program in place, now is the time to review and update that program, focusing on the nature and scope of the personal information it collects, what that information is used for, who that information is shared with, and additional measures to enhance the privacy and security of personal information of New Jersey and New York consumers.
John T. Wolak is Chair of the Gibbons P.C. Privacy & Data Security Team. Jason R. Halpin is an associate in the Gibbons Commercial & Criminal Litigation Department.