Wednesday, June 12, 2019

A new Privacy SHIELD: New Data Breach Notification Law Pending in New York State

Privacy law and breach notification obligations may become considerably stricter in the United States if a draft New York "Stop Hacks and Improve Electronic Data Security Act" ("SHIELD Act") is enacted.

Updating New York's Data Breach Notification Law. Today, virtually all U.S. states have a security breach notification law that is roughly 15 years old. Mandatory security notifications are generally required only once at least 5,000 consumers are affected. If the "privacy shield" bill passed by New York's Senate on June 5, 2019 is enacted, New York's cybersecurity breach notification law, enacted in 2005, would be amended to require notifications for much smaller security breaches, even on an individual basis, with broadened coverage.

NY Privacy SHIELD. Passed by the New York Senate on June 5, 2019, the New York SHIELD Act (Sen. 5575-A, 2019-2020 session, available at https://www.nysenate.gov/legislation/bills/2019/s5575/amendment/a) would amend and add sections to the New York General Business Law and the State Technology Law on data breach notification.

Expanded "Personal Information." The draft law would expand the scope of information subject to the current data breach notification law to include biometric information, email addresses with their corresponding passwords or security questions and answers, and protected health information as defined under HIPAA. It would cover "personal information," defined as "any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person." Privacy rights would apply to personal information that is "private" by reason of consisting of one or more key identifiers made up of unencrypted data elements (or even encrypted data elements if the encryption key was also accessed or acquired). Such key identifiers would include (1) social security numbers, (2) driver's license or non-driver ID card numbers, (3) financial account access information, (4) biometric information including facial recognition, voice recognition or other unique physical characteristics, (5) a user name or e-mail address with the password or security question and answer for accessing an online account, and (6) unsecured protected health information under HIPAA.

Employers and Employees: What is a Data Breach? The draft SHIELD law would broaden the definition of a data breach to include unauthorized access to private information, not only its acquisition. This is a major shift, since it would make employers liable for the actions of employees who lacked due authority to access personal information. It would also bring ransomware incidents within the definition.

Extraterritorial Scope. Welcome to New York, virtually! Like the EU GDPR and California's Consumer Privacy Act of 2018 ("CCPA"), the draft New York law would have extraterritorial effect. Its notification requirement would apply to any person or entity holding the private information of a New York resident, regardless of where that person or entity is based, not just to those that conduct business in New York State.

What is a Data Security Breach Event under NY SHIELD? The scope of breach notifications would depend on the number of affected New York residents and the severity of the risk. Data controllers and data processors suffering a breach of personal information would need to give notification if private information "was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization."

Varying Thresholds for Security Breach Notifications. The New York SHIELD Act would apply to any person or business that owns or licenses computer data that includes private information. It would create data security and breach notification requirements tailored to the size of the business. Depending on the number of persons affected, different types of notifications would apply.

  • 1 to 500 Individuals. The draft SHIELD Act would require disclosure of any security breach to each affected individual.

  • 500+ Individuals. If the breach affects more than 500 New York residents, the data controller would need to deliver a written determination to the New York State Attorney General within 10 days after the determination. Further, the State Police, the Office of Information Technology Services and the Department of State would need to be notified and consulted on the form, timing and content of any breach notification to New York residents.

  • 5,000+ Individuals. Currently, New York has a security breach notification statute similar to those of all other states. In other states, similar statutes do not all require notification to individuals unless a breach involves more than 5,000 individuals. As with other breach notification statutes, for breaches affecting more than five thousand New York residents, notice would also be given to the "consumer reporting agencies," covering the timing, content and distribution of the notices and the approximate number of affected persons. Such notice shall be made without delaying notice to affected New York residents.

Delayed Disclosures. The SHIELD law would allow delays in notification for the legitimate needs of law enforcement and for measures necessary to determine the scope of the breach and restore the integrity of the system. Rather than establish a presumption of a duty to disclose, the SHIELD Act would allow non-disclosure of inadvertent disclosures to authorized persons where the data controller reasonably determines that there will likely be no misuse, financial harm or emotional harm, and documents that determination. Where notice is already given under certain other laws (GLB, HIPAA, 23 NYCRR Part 500 or another breach notification law), no duplicative notice would be required.

How must a Notice of Data Breach be Delivered to New York Residents? Notices may be in writing, electronic or by telephone or, for big breaches where over 500,000 notifications must be sent or where notification would cost more than $250,000, by substitute notice online, on one's website and by press release to major statewide media. Since unauthorized access of this kind also fits within the definition of computer fraud under the federal Computer Fraud and Abuse Act, the draft SHIELD law invites litigation against any employer that fails to define and enforce access rules for personal information.

Who is Liable for a Data Security Breach? Unlike under many other privacy laws, the data controller or data processor suffering a data breach may be held legally liable for all consequential financial losses occurring after the failure to notify, as well as all costs (including attorneys' fees). Knowing and reckless violations may result in a civil penalty of the greater of $5,000 or up to $20 per instance of failed notification, up to $250,000. An action must be commenced within three years after either the date notification was sent to affected individuals or the date the Attorney General was notified, whichever comes first, but in no case later than 6 years after the date of discovery of the breach. No limitation applies in cases of concealment of a breach.

Exemptions for Good Faith. The draft law would provide protection from liability for certain entities that take demonstrable steps to safeguard private information.

Possible Trends.

  • Administration of Privacy Laws in New York. The SHIELD Act would designate the New York Department of State as a key agency for coordinating breach notification efforts. This agency is also responsible for the registration of companies doing business in New York. Like the U.S. Department of Commerce, the New York Department of State could keep a public list (à la Mikado) of errant data managers.

  • Trend towards More State Legislation? The New York SHIELD law signals a further tightening of U.S. state privacy laws, triggered by the EU GDPR (adopted May 25, 2016 and effective May 25, 2018) and the California Consumer Privacy Act of 2018 (effective January 1, 2020). The amendments to New York's cybersecurity breach notification law (enacted in 2005 and amended in 2013) would become effective 180 days after enactment. Other states (such as Nevada, with a pending bill) can be expected to follow the same path.

  • Continued Profiling of Customers (The One that Got Away: New York Privacy Act). The passage of the draft SHIELD Act reflects continuing state legislative turmoil between consumers and retail merchants, B2B and B2C service providers. The draft SHIELD law represents the abandonment, for now, of a much more drastic proposed law, the New York Privacy Act, which would have created a "fiduciary duty" for data custodians and covered virtually all elements of "personal information." The withdrawn New York Privacy Act would have defeated e-commerce tools for profiling and anticipating e-consumers' purchasing decisions. It would have imposed heavy obligations on all companies using or providing digital media, digital marketing, predictive marketing analytics and even robotic process automation that automatically profiles consumer data. And it would have invited litigation by consumers claiming rights under vague and subjective definitions.

  • Trends in Corporate Governance; Information Governance; Risk Management. This mild reinforcement of the data breach notification statute underscores the need for information governance at the Board of Directors level. To manage risks and ensure organizational resiliency, Boards should include knowledgeable persons aware of the business, technology, legal and brand impact of data privacy and cyber security across borders. And the Board needs the help of more technically and legally detailed personnel (or advisors) acting as Data Protection Officers ("DPOs") under the GDPR, Chief Privacy Officers ("CPOs"), Chief Information Security Officers ("CISOs") under the rules of New York's Department of Financial Services, or under any other title that commands full authority and responsibility.