New York’s Breach Law Amendments and New Security Requirements

Although California has recently captured the lion’s share of attention with respect to privacy and security, on October 23, 2019, New York’s amended security breach law goes into effect, and on March 1, 2020, new security safeguards go live (N.Y. S.B. 5575). Anyone with personal information about a New York resident is potentially affected by these far-reaching amendments.

Breach Law Changes

Readers may recall that New York’s security breach notification law (N.Y. Gen. Bus. Law § 899-aa) differs from most states’ law in several ways including (1) using separate definitions of “personal information” and “private information;” and (2) providing factors to consider whether personal information had been acquired. New York was among the majority of states whose breach law focused on acquisition of personal data (including Social Security Number, driver’s license number, or credit card number and security code).

As of October 23, 2019, much of that will change:

  • New York will no longer be a purely “acquisition” state; instead, either “access or acquisition” of personal information will constitute a breach requiring notice.
  • New York retains its very broad definition of “personal information” (“any information concerning a natural person, which, because of name . . . or other identifier, can be used to identify such natural person”), but the definition of “private information” (data elements) will expand to add two new categories (emphasis added):
    • Account number, credit card number, debit card number, along with “personal information”—but no longer requiring security code if the number could be used to access the individual’s financial account without additional identifying information. This change is consistent with the New York Attorney General’s position since 2017, which found that many popular websites permitted purchases to be made with credit cards without requiring security codes.
    • Biometric information that is used to authenticate or ascertain the individual identity.
  • “Private information” is also separately defined to mean user name or e-mail address in combination with the password or security question and answer—without any need for “personal information.”
  • New York will exclude from “private information” any encrypted data elements or “combination of personal information plus data elements”—as long as the encryption key has not been acquired by the unauthorized person.
  • Although New York has left unchanged its examples to determine if information has been acquired, it has added one for “access” that we will reformat a bit to make sure you see the full impact:

In determining whether information has been accessed, or is reasonably believed to have been accessed, by an unauthorized person or a person without valid authorization, such business may consider, among other factors, indications that the information was: (1) viewed; (2) communicated with; (3) used; or (4) altered

by a person without valid authorization or by an unauthorized person.

  • New York no longer requires that the person or business conduct business in New York state, but rather requires only that the person or business own or license computerized data that includes private information of a New York resident.
  • New York will permit persons or businesses to use a “risk of harm” analysis and determine not to provide notice, with some unique twists that are slightly reformatted to emphasize their potential full impact (emphasis added):

If the person or business reasonably determines such exposure will not likely result in: (1) misuse of such information; (2) financial harm to the affected persons; or (3) emotional harm in the case of unknown disclosure of online credentials [user name or e-mail address in combination with the password or security question and answer].

Once that determination is made, the person or business must document it in writing and maintain it for five years. If the incident affects over 500 New York residents, then the person or business must provide the written determination to the state attorney general within 10 days after the determination.

  • New York will expressly recognize that notices under HIPAA, Gramm-Leach-Bliley, and the New York Department of Financial Services’ cybersecurity regulations, as well as notices provided under “other data security rules and regulations of, and statutes administered by” any federal or New York agency, will suffice for this statute and will not require a second notice. With respect to HIPAA only, the law now also provides that, if a covered entity must provide notice to the U.S. Department of Health and Human Services (HHS) but not under this New York law, the covered entity must provide a copy of the notice to HHS to the New York Attorney General within five business days of providing the notice to HHS.
  • The consumer notice will now be required to include phone numbers and websites of state and federal agencies that “provide information regarding security breach response and identity theft prevention and protection information.”
  • New York amended its requirements relating to substitute notice. Although New York retains unchanged the requirements for “conspicuous posting” on the company’s website, and notification to major statewide media, a business will need to provide notice via e-mail if the business has an e-mail address for the affected individual unless the breached information includes the e-mail address plus the password/security question and answer. In that case, the business must instead offer “clear and conspicuous notice delivered to the consumer online when the consumer is connected to the online account from an internet protocol address or from an online location which the person or business knows the consumer customarily uses to access the online account.”
  • Although New York still does not have a private right of action under this section, the amendment at least doubled the fines the Attorney General may seek for violations, from $10 to $20 for each instance of failed notification, up to a total of $250,000 (from $100,000). The time to bring an action also increased from two years to three, commencing with the earlier of the date the Attorney General learned of the breach or notice was provided.

Data Security Protections

As of March 1, 2020, New York will start requiring reasonable security safeguards from any person or business that owns or licenses computerized data that includes “private information” of a New York resident. (N.Y. Gen. Bus. Law § 899-bb).

For most companies, the new law requires that the person or business “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of private information including, but not limited to, disposal of data.” New York does not place specific requirements on these persons or companies, but instead provides examples of the elements of a data security program. For example, for administrative safeguards, the law lists safeguards “such as”:

(1) Designates one or more employees to coordinate the security program;

(2) Identifies reasonably foreseeable internal and external risks;

(3) Assesses the sufficiency of safeguards in place to control the identified risks;

(4) Trains and manages employees in the security program practices and procedures;

(5) Selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and

(6) Adjusts the security program in light of business changes or new circumstances.

If these appear familiar, it is because they are a slightly revised version of the FTC’s Safeguards Rule requirements (16 CFR § 314.4). New York’s new law contains similar examples of technical and physical safeguards.

As with the amended breach law, this new law also states that compliance with the data security requirements of HIPAA, Gramm-Leach-Bliley or New York Department of Financial Services cybersecurity regulations, or other similar agency requirements, will meet this statute. In addition, the law states that, for “small businesses,” compliance means “reasonable administrative, technical and physical safeguards” that are “appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” The law defines a “small business” as a person or business that meets one of three criteria:

(i) Fewer than 50 employees;

(ii) Less than $3 million gross annual revenues in each of the last three fiscal years; or

(iii) Less than $5 million in year-end total assets.

The new requirements can be enforced by the Attorney General, and the law specifically states that there is no private right of action. This result differs from the California Consumer Privacy Act, which provides its only private right of action for a data breach caused by a business’s failure to implement reasonable data security to protect the information breached. Cal. Civ. § 1798.150.


Office of Privacy Commissioner Says It’s Status Quo on Consent Requirements for Data Processing Transfers

On September 23, the Office of the Privacy Commissioner of Canada (OPC) announced, following consultation with stakeholders, that it will maintain the position set out in its 2009 guidelines that an organization’s transfer of personal information to a third party for processing, including a transfer across the Canadian border, is a “use” of that personal information, and not a disclosure that requires separate consent.

This announcement brings at least temporary clarity to an issue that resulted in a tumultuous summer for organizations and the OPC alike as everyone grappled with the potential consequences of the OPC’s June 2019 announcement of a proposed shift in policy to treat transfers for processing as “disclosures” rather than “uses” of personal information under the Personal Information Protection and Electronic Documents Act (PIPEDA).

What’s Old is New Again

In January 2009, the OPC issued Guidelines for processing personal data across borders setting out its interpretation that a “transfer” of personal information by an organization for processing is a “use” and not a “disclosure” of that personal information. The limit on the transfer was that the personal information could only be used for the purposes for which the information was originally collected. Therefore, when an organization transferred personal information to a third party for processing, additional consent for the transfer itself was not required. Processing was broadly interpreted to include any use of the information by the third party for a purpose for which the transferring organization can use it.

The OPC did expressly state in its guidelines that organizations would need to make it plain to individuals, ideally at the time of collection, that their information may be processed in a foreign country, and may be accessible to law enforcement and national security authorities of that jurisdiction. Notably, the guidelines stated that once informed individuals have chosen to do business with a particular company, they do not have an additional right to refuse to have their information transferred for processing purposes.

Organizations duly structured their consent practices and procedures to account for this interpretation of PIPEDA. As a result, the vast majority of organizations have not been obtaining separate consent to transfers for processing.

However, in April 2019, the OPC announced it was revisiting this position. Specifically, the OPC announced its view that transfers of personal information for processing, including cross-border transfers, are disclosures that require separate consent. This change in position followed the OPC’s April 2019 investigation findings on Equifax Inc.’s and Equifax Canada Co.’s compliance with PIPEDA in light of the 2017 breach of personal information. The OPC based its findings on the principle that individuals would expect to know whether and where their personal information may be transferred or disclosed to an organization outside of Canada.

Under the OPC’s revised interpretation, organizations would be required to inform individuals of any options available to them if they did not wish to have their personal information disclosed across borders. This would allow individuals to make an informed decision about whether to consent to the disclosure and therefore do business with the organization.

The OPC initially set out to consult with stakeholders on this revised position, but then took a step back in May 2019 when the Department of Innovation, Science and Economic Development (ISED) published its Digital Charter, which contemplates the amendment of PIPEDA. That step back was short-lived, however, as the OPC reissued its request for consultation in June.

Following receipt and consideration of submissions from 87 stakeholders, most of which were critical of the proposed shift, the OPC has now reverted to its original position – a “transfer” of personal information by an organization for processing is again a “use” and not a “disclosure” of that personal information. The OPC, recognizing that more than one interpretation of the requirement for consent was possible, determined it was pragmatic to maintain its previous position until PIPEDA itself is amended.

The OPC will now focus instead on its submissions to ISED for modernizing PIPEDA, including on how to most effectively protect individuals’ privacy rights in the context of transfers for processing. This suggests that while the debate is not over, its eventual resolution will be determined by Parliament.

Challenges associated with the OPC’s changes of position

The OPC’s guidelines, while important and useful tools to interpret PIPEDA, are not legal precedent and therefore may be more freely subject to change.

At the same time, organizations do establish their organizational processes based on the guidelines issued by the OPC, which allows organizations and consumers to have confidence that their processes are compliant with privacy law obligations. PIPEDA is, after all, intended to “support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances.”

Therefore, by maintaining the status quo in an effort to preserve organizational confidence in existing processes, while at the same time making it clear that in the OPC’s view those processes are deficient, the OPC has in effect created temporary clarity that is tempered by a persistent sense of uncertainty surrounding its de facto expectations and future intentions regarding transfers of personal information for processing.

What is clear from the OPC’s most recent announcement is that organizations should at the very least be transparent with individuals that their information may be processed in a foreign country and may be accessible to law enforcement and national security authorities of that jurisdiction. Best practices would be to advise individuals of details of the transfer at the time of getting consent.

Finally, with the loss or misuse of personal information by organizations being highlighted in news cycles, consumers are more aware of the handling of their personal information. Where consumers do not believe organizations met their expectations for transparency or security of their information, this could lead to reputational and legal risk to an organization. Organizations should be cognizant of their consumers’ expectations and the risks associated with the transfer of their personal information to other jurisdictions when designing consent and transfer processes. This is particularly so where significant privacy risks arise from the transfer of personal information across borders, such as the transfer of information about Canadian individuals’ engagement in activities that are legal in Canada but not in the other jurisdiction (cannabis use, for instance).

Data protection and cyber risk issues in arbitration – dealing with regulation, cyber attacks and hacked evidence

The GDPR has significantly altered the landscape of data protection. Its broad scope and potentially severe penalties have forced those who hold and process data to take note of its provisions. In certain instances, that will include many in the international arbitration community, such as arbitral institutions. In parallel, cyber attacks and instances of hacking in the arbitration context have brought cyber security issues to the fore.

As a result, data protection and cyber security are now hot topics in international arbitration. A majority of respondents in the 2018 Queen Mary International Arbitration Survey listed “security of electronic communications and information” as an issue which should be addressed in arbitration rules. This clearly demonstrates that the users of arbitration are concerned about data security. While there are signs that the market is listening, users seem to think that arbitral institutions, counsel and tribunals could do more to address cybersecurity.

In our article published in the latest International Arbitration Report, we examine three areas of data protection and cyber security in arbitration:

  • The EU’s GDPR and how it bears on international arbitration;
  • Data breaches in arbitral proceedings and cyberattacks on institutions, and how institutions are responding; and
  • How hacked evidence might appear in arbitration, and how tribunals have dealt with this issue.

The full article is available here.

Deadline extended for compulsory registration on Data Controller registry

Norton Rose Fulbright - Data Protection Report blog

Obligations

We previously reported that Turkey’s data protection legislation (TDPL) requires data controllers to notify the Turkish DPA of their processing activities. Unless exempt from the requirement, all data controllers (individuals and legal entities) who process personal data in Turkey must be registered with the Turkish DPA’s Register of Data Controllers Information System (VERBİS), prior to processing any personal data.


CCPA: “Wait and see” is not the right approach


We are seeing companies use many different approaches to the California Consumer Privacy Act (“CCPA”) compliance, but the “wait and see” approach in particular is not advisable.

Companies who want to “wait and see” point to the pending amendments to CCPA that are currently working through the California Senate (as we have previously described—see links below). Others point to the California Attorney General regulations that will be released in draft form in the next few months, which should provide some guidance to implementing CCPA.

Those statements are indeed accurate, as far as they go. However, they neglect the fact that most businesses cannot turn on a dime and do not have a robust grasp on the IT and business systems that collect and share personal information. Given that January 1, 2020 is almost upon us and July 2020 follows close behind, there simply will not be enough time to implement CCPA once the amendments are passed and the guidance provided, if you do not start now (or ideally, have started already).

Turkey’s data protection legislation on data controller registry to impact data controllers outside of Turkey


Obligations

Turkey’s data protection legislation (TDPL) requires data controllers to notify the Turkish DPA of their processing activities. Unless exempt from the requirement, all data controllers (individuals and legal entities) who process personal data in Turkey must be registered with the Turkish DPA’s Register of Data Controllers Information System (VERBİS), prior to processing any personal data.

Data controllers which fail to fulfil this obligation may be subject to an administrative fine of an amount between TL 20,000–1,000,000 (approximately USD 3,600–180,000). Such fines will be issued at the discretion of the Data Protection Board and will be determined based on the facts of each specific breach.

Implications for non-Turkish controllers

The obligation to register under TDPL applies to data controllers based outside of Turkey as well as Turkish controllers. Consequently, natural and legal persons who are currently processing personal data but who are based outside of Turkey, are still obliged to comply with the obligation to register. The registration process is different for Turkish and non-Turkish data controllers. Data controllers located outside of Turkey will need to appoint a data controller representative, who must be a Turkish citizen resident in Turkey or a Turkish entity. The representative must complete the registration form available online, and submit it to the DPA. The representative will then appoint a contact person (irtibat kişisi) who must also be a Turkish citizen resident in Turkey (a natural person representative may appoint herself as the contact person). The contact person will submit the required information and complete registration with VERBİS.

Deadline for registration

The deadline for completing the registration process is fast approaching. Specifically, the following data controllers must complete their registration with VERBİS prior to the deadlines set out below:

  • Natural and legal persons established abroad (i.e. non-Turkish controllers): before 30 September 2019;
  • Data controllers with more than 50 employees annually, or with an annual financial balance sheet exceeding TL 25,000,000 (approx. USD 4,500,000): before 30 September 2019;
  • Legal entities with fewer than 50 employees annually and an annual financial balance sheet below TL 25,000,000, but whose main business is processing sensitive personal data: before 31 March 2020.

The CNIL publishes new guidelines on cookies and other similar technologies


On 4 July 2019, the CNIL published new guidelines on cookies and other similar technologies, repealing its 2013 cookie guidance in order to align its position with the GDPR’s new requirements on consent. These guidelines will be supplemented during the first quarter of 2020 by sectoral recommendations aimed at providing practical guidance to stakeholders on how to collect consent.


One-Month Countdown to Pass CCPA Amendments Begins


On August 12, the California legislature returns after its summer recess. Starting with the Senate Appropriations Committee Hearing today, the legislature will now have approximately a month to continue the markups and send California Consumer Privacy Act (CCPA) amendments to the Governor’s desk for signature before the September 13 deadline. As previously reported, any amendment that passes from the Senate will likely need to go back to the Assembly, since many of them have been marked up significantly by the Senate. Below is a summary of the seven amendments that are moving forward and what they mean for businesses who are working on implementing a CCPA program. Click here for our previous coverage of AB 25 (employee exception), AB 846 (customer loyalty program), and AB 1564 (consumer request methods).
