Thursday, August 1, 2019

Implications of New York’s Expanded Data Privacy Protections (July 25, 2019)

If you operate or work in a business that collects personal data of New Yorkers, you could be subject to civil penalties for possible data security breaches or concealment.  This is a follow-up to my blog in June on this draft law, which was just passed.

On July 25, 2019, New York Governor Andrew Cuomo signed the SHIELD ACT (“Stop Hacks and Improve Electronic Data Security), expanding New York law on standards of care and liability for data breaches of “private information.”  The New York SHIELD Act represents a further compliance burden for all companies worldwide.  This follows a trend on data privacy laws with extraterritorial effect, like the General Data Protection Regulation (“GDPR, European Union, effective May 25, 2018) and California Consumer Privacy Act (“CCPA,” effective January 1, 2020).  The title captures the name of the Federal “Privacy Shield,” a program for voluntary compliance by U.S. companies with the GDPR.

The New York SHIELD Act also impacts HR departments, IT departments, supply chain management, service providers and strategic transactions such as strategic alliances, M&A and the sale or purchase of a business. 

Key Provisions.

Reportable Data Breaches.  The law expands a data breach.  In addition to unauthorized copying of protected information, the New York SHIELD Act adds “unauthorized access.”  This definition invites a comparison to the Federal Computer Fraud and Abuse Act, 18 U.S.C. 1830 (“CFAA”).  Both laws thus target both third-party attackers and rogue or negligent internal personnel who gain access to data that is outside the authorized scope of their employment. 

Private Information.  The new law extends protection (data breach notification) to additional classes of “private information”: (1) social security number, (2) driver’s license number or non-driver ID card number, (3) “account number, credit or debit card number, in combination with any security code or access code”, (4) such account number or debit or credit card number, alone, where access to financial information can be obtained without a security code, (5) biometric information (obtained from measuring an individual’s unique physical characteristics) such as a fingerprint, voiceprint, retina or iris image, or other unique physical or digital representation of biometric data to identify an individual.

In addition, “private information” includes a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.

If encrypted, private data is subject to protection if the encryption key is used to identify the individual.

When to Report Data Breach.  The breach must be reported when the private information of any resident of New York State is “accessed or acquired” by “any person without valid authorization.”  Reporting must be expedient yet show with due respect for law enforcement actions.  An exception to reporting is allowed for “inadvertent disclosure by persons authorized to access private information,” that the person or business “reasonably determines” is “not likely” to “result in misuse of such information or financial harm…or emotional harm.”  In such exceptions, an incident report must be prepared and maintained for 5 years.

Notification to Data Controller.  While not using GDPR wording, the New York law requires the data processor to notify the data controller or data owner.

Method of Notification.  Several possible notification methods are permitted, including mail, e-mail (“electronic notice”), and telephone, or substitute notice (in case notification would cost more than $250,000 including e-mail, website announcement and notifying “major statewide media.”

Enforcement; Civil Penalties. While there is no private enforcement, the state Attorney General can seek damages of up to $250,000.  The statute of limitations is two or three years from the date of the act (or discovery), but not more than six years.  Exceptionally, if the victimized business conceals the “breach,” there is no time limit for such enforcement.

Extraterritorial Jurisdiction.  Like GDPR and CCPA, the New York SHIELD Act now applies to anyone who has private information about a New York resident.  Thus, its scope applies to businesses worldwide that have no office, employees, warehouse or operations in New York. 

What’s Missing.  Unlike the GDPR, CCPA or Nevada’s new privacy law effective October 1, 2019, the New York privacy law expressly prohibits any private right of action by the data subjects whose private information is illegally accessed (Section 4).    And it does not focus on consumer consents but rather on the custody, processing and destruction of private data.  Also, the New York law does offer a hornet’s nest of litigation opportunities of shareholder derivative actions, breach of fiduciary duty and whistleblower litigation.

Impact on Business Stakeholders.

Management’s Liability.   As a matter of corporate governance, the board of directors (or managing members of an LLC) must take steps prudently to protect the business from foreseeable risks.  The New York law calls on all such managers to exercise their fiduciary duties to develop, monitor and update such plans for risk management, insurance, business continuity and loss prevention.

Human Resource Departments; Employee Handbooks.  By prohibiting unauthorized access to protected information, the New York SHIELD Act invites HR managers to revise their employee handbooks to underscore the duty not to access such information without due authorization, and to report accidental “accessing” of protected information.  In theory, your employee handbook already covers this scenario because you comply with federal law (CFAA).  Further, you now have a duty to train your personnel in compliance.

Unlike other data privacy laws, the New York law’s protections allow an employer to avoid having to report a breach that occurs in case an employee or agent of your business gains “good faith access to, or acquisition of,” personal private data, “provided that the private information is not used or subject to unauthorized disclosure.”  In determining whether unauthorized access has occurred, you may consider, “among other factors, indications that the information was viewed, communicated with, or altered by a person without valid authorization or by an unauthorized person.”

Information Technology Departments.   Like the GDPR (“adequate protection”), the New York law requires “reasonable security” measures.  This requires a program of designating a responsible coordinator, identifying reasonably foreseeable internal and external risks, assessing the reasonableness of safeguards, selecting capable service providers, destroying private data that is no longer needed and updating the program.   The legally mandatory policies and procedures are very detailed (Section 4) 

Small businesses get an easier standard of care if they employer fewer than 50 employee, earn less than $3 million per year for the preceding 3 years, or have less than $5 million in assets (Section 4)However, this lower standard of care invites professional advice because it still requires “reasonable administrative, technical and physical safeguards” taking into account the nature of the business and the degree of sensitivity of the private data. 

Impact on Strategic Transactions and Business Models.

Stock Purchase Agreements / M&A.  The GDPR and CCPA shed new light on the risks assumed by a purchaser of a business.  The New York law will invite greater due diligence and contingent price adjustments post-closing to identify and cover cybersecurity risks.  Transactional liability insurance (including “representation and warranty insurance”) will become more prevalent to respond to worries by both buyers and sellers.

Downstream: Flow-downs to Supply Chain Management; Strategic Business Alliances.  If you rely upon a third party to process private data, you should review your Master Services Agreement and update the service provider’s duties to ensure you can demonstrate your service providers comply.  Similarly, if your company shares any private data in a marketing services agreement for lead generation, social media, paid search, search engine optimization (“SEO”), you should identify what data they collect (for all data breach notification purposes), how they collect it (for GDPR purposes), how long they retain it and what plans exist for destruction of private personal data within the broadest definitions under GDPR, CCPA and the New York SHIELD Act.

Upstream: Flow-Ups to Enterprise Clients and Customers.  Similarly, your company can now be expected to respond to questionnaires and other audit techniques from your global enterprise clients worldwide, asking whether your company complies with the SHIELD ACT’s cybersecurity precautions and breach notification measures.  So the New York SHIELD Act (like GDPR and CCPA) will create a new compliance process for virtually all businesses worldwide that process any private personal data of New York residents, depending on the character of the data and the reasons for processing it.

Risk Management and Resiliency Plans; Cyber-Security Insurance.  If you don’t already have some cyber-security insurance coverage, you might find it reasonably priced, if you focus only on New York legal liability.   But if you add GDPR, CCPA and Nevada, your cyber insurance may be a prudent move  But you’ll probably have to demonstrate some sophistication, planning, supervision and related disciplines in the underwriting process, not only as to cyber risks, but also general risk management and business continuity planning.

New Business Models.  The expansion of jurisdictions adopting data protection and breach notification laws invites the creation of new business models not dependent on knowledge of the particular individual’s identity in plain text.  In adopting GDPR, the EU Commission invited business models that depersonalize personal data, such as by aggregation, encryption and pseudonymization.  For digital media agencies, they may find ways to guess a customer’s intent rather than know which customer is contacting them and studying the particular individual’s conduct.  Thus, anonymized search tools (currently available on certain browsers) and search engines (e.g. Apple) may become the norm.

Effective Dates.

All sections of the law are effective ninety days after signature (October 25, 2019), with Section 4 effective two hundred forty days after signature, March 21, 2020.

If you have not begun the data protection self-examination, it’s never too late to start.