Although California has recently captured the lion’s share of attention with respect to privacy and security, on October 23, 2019, New York’s amended security breach law goes into effect, and on March 1, 2020, new security safeguards go live (N.Y. S.B. 5575). Anyone with personal information about a New York resident is potentially affected by these far-reaching amendments.
Breach Law Changes
Readers may recall that New York’s security breach notification law (N.Y. Gen. Bus. Law § 899-aa) differs from most states’ laws in several ways, including (1) using separate definitions of “personal information” and “private information” and (2) providing factors to consider in deciding whether personal information has been acquired. New York was among the majority of states whose breach law focused on acquisition of personal data (including Social Security number, driver’s license number, or credit card number and security code).
As of October 23, 2019, much of that will change:
- New York will no longer be a purely “acquisition” state: either unauthorized “access” to or “acquisition” of personal information will constitute a breach requiring notice.
- New York retains its very broad definition of “personal information” (“any information concerning a natural person, which, because of name . . . or other identifier, can be used to identify such natural person”), but the definition of “private information” (data elements) will expand to add two new categories (emphasis added):
  - Account number, credit card number, debit card number, along with “personal information”—but no longer requiring a security code if the number could be used to access the individual’s financial account without additional identifying information. This change is consistent with the New York Attorney General’s position since 2017, which found that many popular websites permitted purchases to be made with credit cards without requiring security codes.
  - Biometric information that is used to authenticate or ascertain the individual’s identity.
- “Private information” is also separately defined to mean user name or e-mail address in combination with the password or security question and answer—without any need for “personal information.”
- New York will exclude from “private information” any encrypted data elements or “combination of personal information plus data elements”—as long as the encryption key has not been acquired by the unauthorized person.
- Although New York has left unchanged its examples to determine if information has been acquired, it has added one for “access” that we will reformat a bit to make sure you see the full impact:
  In determining whether information has been accessed, or is reasonably believed to have been accessed, by an unauthorized person or a person without valid authorization, such business may consider, among other factors, indications that the information was: (1) viewed; (2) communicated with; (3) used; or (4) altered by a person without valid authorization or by an unauthorized person.
- New York no longer requires that the person or business conduct business in New York state, but rather requires only that the person or business simply own or license computerized data that includes private information of a New York resident.
- New York will permit persons or businesses to use a “risk of harm” analysis and determine not to provide notice, with some unique twists that are slightly reformatted to emphasize their potential full impact (emphasis added):
  If the person or business reasonably determines such exposure will not likely result in: (1) misuse of such information; (2) financial harm to the affected persons; or (3) emotional harm in the case of unknown disclosure of online credentials [user name or e-mail address in combination with the password or security question and answer].
  Once that determination is made, the person or business must document it in writing and maintain it for five years. If the incident affects over 500 New York residents, then the person or business must provide the written determination to the state attorney general within 10 days after the determination.
- New York will expressly recognize that notices under HIPAA, Gramm-Leach-Bliley, and the New York Department of Financial Services’ cybersecurity regulations, as well as notices provided under “other data security rules and regulations of, and statutes administered by” any federal or New York agency, will suffice for this statute, and will not require a second notice. With respect to HIPAA only, the law now also provides that, if a covered entity must provide notice to the U.S. Department of Health and Human Services (HHS) but not under this New York law, the covered entity must provide a copy of the notice sent to HHS to the New York Attorney General within five business days of providing the notice to HHS.
- The consumer notice will now be required to include phone numbers and websites of state and federal agencies that “provide information regarding security breach response and identity theft prevention and protection information.”
- New York amended its requirements relating to substitute notice. Although New York retains unchanged the requirements for “conspicuous posting” on the company’s website, and notification to major statewide media, a business will need to provide notice via e-mail if the business has an e-mail address for the affected individual unless the breached information includes the e-mail address plus the password/security question and answer. In that case, the business must instead offer “clear and conspicuous notice delivered to the consumer online when the consumer is connected to the online account from an internet protocol address or from an online location which the person or business knows the consumer customarily uses to access the online account.”
- Although New York still does not have a private right of action under this section, the amendment at least doubled the fines the Attorney General may seek for violations, from $10 to $20 for each instance of failed notification, up to a total of $250,000 (from $100,000). The time to bring an action also increased from two years to three, commencing with the earlier of the date the Attorney General learned of the breach or notice was provided.
Data Security Protections
As of March 1, 2020, New York will impose reasonable security requirements on any person or business that owns or licenses computerized data that includes “private information” of a New York resident (N.Y. Gen. Bus. Law § 899-bb).
For most companies, the new law requires that the person or business “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of private information including, but not limited to, disposal of data.” New York does not place specific requirements on these persons or companies, but instead provides examples of the elements of a data security program. For example, for administrative safeguards, the law lists safeguards “such as”:
(1) Designates one or more employees to coordinate the security program;
(2) Identifies reasonably foreseeable internal and external risks;
(3) Assesses the sufficiency of safeguards in place to control the identified risks;
(4) Trains and manages employees in the security program practices and procedures;
(5) Selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
(6) Adjusts the security program in light of business changes or new circumstances.
If these appear familiar, it is because they are a slightly revised version of the FTC’s Safeguards Rule requirements (16 CFR § 314.4). New York’s new law contains similar examples of technical and physical safeguards.
As with the amended breach law, this new law also states that compliance with the data security requirements of HIPAA, Gramm-Leach-Bliley or New York Department of Financial Services cybersecurity regulations, or other similar agency requirements, will meet this statute. In addition, the law states that, for “small businesses,” compliance means “reasonable administrative, technical and physical safeguards” that are “appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” The law defines a “small business” as a person or business that meets one of three criteria:
(i) Fewer than 50 employees;
(ii) Less than $3 million in gross annual revenues in each of the last three fiscal years; or
(iii) Less than $5 million in year-end total assets.
The new requirements can be enforced by the Attorney General, and the law specifically states that there is no private right of action. This result differs from the California Consumer Privacy Act, which provides its only private right of action for a data breach caused by a business’s failure to implement reasonable data security to protect the information breached (Cal. Civ. § 1798.150).