We reported last summer on two new legislative enactments in New York putting new demands on how companies handle the personal data of New York residents: the Identity Theft Protection and Mitigation Services Act (ITPMS Act), and the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). Both were signed into law on July 25, 2019, and as described below, both have since then come gradually into full effect. This includes their most significant feature: as of March 21, 2020, “any business that owns or licenses computerized data which includes private information of a resident of New York” now faces the prospect of an enforcement action by the New York Attorney General’s (AG) Office for the assessment of penalties if the company fails to develop, implement and maintain “reasonable safeguards” for the protection of that information.

New York’s ITPMS and SHIELD Acts:

The ITPMS Act, which went into effect back on September 23, 2019, expanded the remedial relief to be offered by consumer credit reporting agencies (CRAs)[1] that have experienced a qualifying security breach involving the information of New York residents, where the information includes a Social Security number. Specifically, unless a reasonable determination is made that the breach is unlikely to result in harm to the consumer, the ITPMS Act requires CRAs to offer free identity theft prevention and (if applicable) identity theft mitigation services for a period of up to five years – more than any other state – as well as a credit freeze. Notably, the ITPMS Act also applies to qualifying breaches that occurred up to three years prior to the effective date of the Act. NY Gen. Bus. L. §380-T(n)(3)(i).

The SHIELD Act, in a set of more generally applicable changes, markedly broadened NY’s data breach notification statute (NY Gen. Bus. L. §899). Effective as of October 23, 2019, the SHIELD Act has:

  • expanded the definition of “private information” for purposes of the breach notification statute, to now also include three new categories of data:[2]
    • (i) any financial account numbers that, by themselves, enable access to an individual’s account;
    • (ii) biometric information, meaning “data generated by electronic measurements of an individual’s unique physical characteristics” (like a fingerprint, voice print, retina or iris image or the like);
    • (iii) usernames or e-mail addresses in combination with a password or security question and answer that would permit access to an online account; and
  • expanded the definition of a “breach of a security system” that can trigger a notification obligation, to now include incidents involving unauthorized access, even if there was no unauthorized acquisition of data. §899(aa)(1)(c);
  • expanded the range of companies subject to the breach notification statute, to now include not just persons or businesses that “conduct business” in New York but also any person or business that “owns or licenses computerized data containing private information of New York residents,” regardless of whether that person or business “conducts business” in New York. §899(aa)(2); and
  • increased the size of the civil penalty that the AG can seek if a company recklessly or knowingly fails to provide notice under the breach notification statute, to the greater of $5,000 or up to $20 per instance of failed notification (increased from $10 per instance), up to a maximum of $250,000 (increased from a maximum of $150,000). §899(aa)(6).

Significantly, however, as of March 21, 2020, a second set of changes under the SHIELD Act has now also gone into effect that adds an affirmative “[r]easonable security requirement” to the statutory regime in New York. Specifically, for any company that owns or licenses computerized data that includes the “private information” of a resident of New York, the SHIELD Act now allows the AG to initiate an enforcement action for failure to develop, implement and maintain “reasonable safeguards” to protect the security, confidentiality and integrity of the information, “including, but not limited to, the disposal of data.” §899(bb)(2). For compliance, the SHIELD Act calls for the implementation of a “data security program” with “reasonable safeguards” of three types – administrative, technical and physical. As an illustration of “reasonable administrative safeguards,” the statute refers to measures “such as”:

  • designating one or more employees to coordinate the data security program;
  • identifying reasonably foreseeable internal and external risks;
  • assessing the sufficiency of safeguards in place to control the identified risks;
  • training and managing of employees in the data security program practices and procedures;
  • selecting service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract; and
  • adjusting the security program in light of business changes or new circumstances.

§899(bb)(2)(b)(A).

As an illustration of “reasonable technical safeguards,” the statute refers to measures “such as”:
  • assessing risks in network and software design;
  • assessing risks in information processing, transmission and storage;
  • detecting, preventing and responding to attacks or system failures; and
  • regularly testing and monitoring the effectiveness of key controls, systems and procedures.

§899(bb)(2)(b)(B).

As an illustration of “reasonable physical safeguards,” the statute refers to measures “such as”:
  • assessing risks of information storage and disposal;
  • detecting, preventing and responding to intrusions;
  • protecting against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
  • disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

§899(bb)(2)(b)(C).

Obviously, many of these enumerated “safeguards” are fairly general, which may pose challenges both for the AG and for the companies targeted by such regulatory inquiry. By using “such as” to preface each list, moreover, the statute arguably makes the enumerated examples neither obligatory for purposes of establishing “reasonable” safeguards in each of these areas, nor sufficient to provide a safe harbor for companies that do in fact adopt policies and practices of various of these types. But in listing these exemplary measures, the SHIELD Act goes a step further than statutes in other states in describing the factors and practices that a set of “reasonable safeguards” may include.

As we noted last summer, businesses that are already regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) are exempt from the SHIELD Act, so long as they still provide the AG notice of any data breaches they may incur. §899(aa)(2)(b)(i) and (ii). However, no other businesses, including small businesses[3], are exempt. Instead, a small business is at risk of an enforcement action if it cannot show it has adopted a security program containing reasonable administrative, technical and physical safeguards that are appropriate for its size and complexity, the nature and scope of the business’s activities, and the sensitivity of the personal information it collects. §899(bb)(2)(c). At the same time, the exposure of private information due to an inadvertent disclosure by persons authorized to access such information does not trigger data breach notification obligations under SHIELD, so long as the business reasonably determines that such exposure is unlikely to result in misuse of the exposed information, or in financial or emotional harm. §899(aa)(2)(a). Such a determination must be documented in writing and maintained for at least five years. Id.

Notably, the SHIELD Act expressly stops short of creating a private right of action. However, it specifically provides that failure to comply with the aforementioned “reasonable safeguards” is deemed a violation of NY Gen. Bus. L. §349, prohibiting deceptive acts or practices, and it expressly subjects companies to the same risk of injunctive relief and civil penalties of not more than $5,000 for each violation that the AG may seek under §350(d).[4] Given the March 21, 2020 effective date, these new regulatory demands are of course coming online at a time when the COVID-19 pandemic has led to a rise in cyberattacks and to the disruption of regular operational security controls. For companies holding the “private information” of New York residents, these factors are significantly increasing the risks that businesses face from potential information security issues.

New Privacy Bills to Come:

Apart from the ITPMS Act and the SHIELD Act, additional new privacy and data security legislation in New York remains in the offing. Most importantly, we reported last summer on the proposed New York Privacy Act (NYPA, S. 5642), which was first proposed in May 2019 but failed to emerge from committee before the end of the legislative session. The bill was reintroduced at the start of the current legislative session on January 8, 2020 and remains pending. The NYPA has been touted as even more stringent and more expansive than the California Consumer Protection Act (CCPA), in that it seeks to add the concept of a “data fiduciary” to the legislative privacy firmament — subjecting any entity that collects, sells, or licenses personal information of consumers to “the duty of care, loyalty and confidentiality expected of a fiduciary.” Notably, the bill, if passed in the form in which it was pending at the end of the last legislative session, would have created a private right of action by “any person who has been injured” by a violation of the NYPA. As of the date of this alert, the creation of a private cause of action remains in the proposed bill.

In addition to the NYPA, a series of other privacy bills, many of which contain CCPA-inspired elements, are also still pending with the New York legislature, some of which are summarized below:

AB 8530 – Prohibits telecommunication carriers and mobile applications from sharing a user’s location data with third parties and allows municipalities to enact local laws or ordinances prohibiting location data sharing. This bill has been referred to the Consumer Protection Committee.

AB 9112 – Amends the tax law, by requiring a five percent tax on a corporation’s gross income if the corporation derives income from the data it receives from New York residents. This bill has been referred to Ways and Means.

SB 6848 – Requires registration of data brokers and directs the AG to maintain a website of such registrations. This bill has been referred to the Consumer Protection Committee.

AB 7736 – Known as the “It’s Your Data Act,” establishes a duty of care requirement for data extractors and miners and requires businesses to be transparent about their collection, use, retention and sharing of personal information. This bill has been referred to the Consumer Protection Committee.

SB 4411 – Grants a consumer the right to request that a business disclose the categories and specific pieces of personal information it collects about the consumer, the sources from which it is collected, the purpose of the collection or sale of the information, and the categories of third parties with which the information is shared. This bill has been referred to the Consumer Protection Committee.

SB 224 – Restricts businesses from disclosing personal information by requiring businesses to provide the personal data they have collected back to the New York consumer upon request, in addition to notifying the consumer what kind of personal data they are collecting. This bill has been referred to the Consumer Protection Committee.

Ropes & Gray will continue to monitor developments in New York and other states and will publish additional alerts relating to these privacy laws. For more information on these New York laws or to discuss privacy or data security issues generally, please contact a member of our Data Privacy and Cybersecurity group or visit https://www.ropesgray.com/en/practices/data-privacy-cybersecurity.

[1] The term “consumer credit reporting agency” for purposes of the ITPMS Act is defined in NY Gen. Bus. L. §380, the Fair Credit Reporting Act, as “a consumer reporting agency that regularly engages in the practice of assembling or evaluating and maintaining, for the purpose of furnishing consumer credit reports to third parties bearing on a consumer’s credit worthiness, credit standing, or credit capacity, public record information and credit account information from persons who furnish that information regularly and in the ordinary course of business.” (§380-A(e)).

[2] As previously, “private information” under the breach notification statute in New York continues to include a Social Security number; a driver’s license number or non-driver identification card number; and an account, credit or debit card number in combination with any required security code, access code, or password permitting access to the individual’s financial account. §899(aa)(1)(b). Also, as previously, “private information” only includes information that is unencrypted or, if encrypted, where the encryption key is accessed or acquired. Id.

[3] The New York SHIELD Act defines “small business” as any person or business with (i) fewer than fifty employees, (ii) less than $3 million in gross annual revenue in each of the last three fiscal years or (iii) less than $5 million in year-end total assets. §899(bb)(1)(c).

[4] Under §350(d), any person or business engaging in deceptive or unlawful acts or practices may be liable for a civil penalty of not more than $5,000 for each violation, which may be recovered in a civil action brought by the AG.