Data privacy is a hot topic. The media seemingly reports on a data breach virtually every day. Cybersecurity is often referenced as the most significant threat that our country faces. Indeed, nation states target governments and businesses in order to obtain information and gain leverage in a war that involves a different type of weapon. At the same time, consumers increasingly are becoming concerned about the use of their private data by businesses that have obtained their information through financial transactions and online purchases. The big technology companies are facing investigations based on their use, and sale, of private information. Although there have been a number of highly-publicized data breaches over the last few years, the Equifax data breach, reported in September 2017, attracted significant attention because of the company’s utter failure to employ cybersecurity safeguards and its lack of an incident response plan, which led to legislative hearings, governmental investigations, and private class actions.
With this backdrop, we have seen a proliferation of legislative actions to address data privacy concerns. The European Union had acted early, with the passage of the General Data Protection Regulation (“GDPR”).[1] In the U.S., although several proposed statutes have been introduced in Congress, the federal government continues to be plagued by political differences, and thus the states appropriately are responding with new laws to protect their residents. Last year, California passed the California Consumer Privacy Act (“CCPA”), a particularly broad statute that imposes stringent standards and provides a private right of action for California consumers against companies that have experienced a data breach of their personal information.[2] Other states followed, including New Jersey and Oregon. Most recently, New York has joined these other states in enacting data privacy laws to protect the private information of New York residents.[3]
The Stop Hacks and Improve Electronic Data Security (“Shield”) Act was signed into law by Governor Cuomo in July 2019 and takes effect on March 21, 2020.[4] The Shield Act expands New York’s breach notification requirements and imposes requirements to prevent a breach, subjecting violators to penalties and other remedies by the New York Attorney General. Relatedly, New York also recently enacted the Identity Theft Prevention and Mitigating Services Act, which took effect within 60 days.[5] When combined with other laws in New York, including the Department of Financial Services (“DFS”)’s cybersecurity and credit reporting agency regulations, New York is acting to respond at the state level to the proliferation of data breaches and the privacy and credit concerns that have followed those breaches.
The New York Shield Act
The New York Shield Act amends existing New York law in two principal ways. First, the law provides more expansive data breach notification requirements and, second, it provides for heightened data security requirements. Each of these provisions expands existing law, while also recognizing the substantial efforts previously undertaken by DFS in this area.
The Shield Act’s Data Breach Notification Requirements
The Shield Act’s scope is quite broad: Any person or business that owns or licenses computerized data that includes “private information” of New York residents must comply with the Act, even if that person or business is not conducting business in New York.[6] The Act’s definition of “private information” is also an expansion of existing law. Under the Act, “private information” generally means either:
- personal information in combination with a list of data elements (social security number, driver’s license number or non-driver identification card number, account number, credit or debit card number, in combination with a security or access code, or biometric information such as a fingerprint or other unique physical representation used to authenticate identity), or
- a user name or email address in combination with a password or security question.[7]
This definition goes beyond that of preexisting law to include biometric information and user name/email address in combination with a password or security question and answers. It also includes an account number or credit/debit card number, even without a security or access code or password, if the account could be accessed without such information.[8]
The Shield Act also expands the definition of what constitutes a data breach, requiring companies to provide notice in circumstances when a New York resident’s private information is accessed by unauthorized persons, even if the information is not acquired, which had been the standard previously. Specifically, if an unauthorized person viewed, “communicated with,” used or altered private information, the law states that an unauthorized access took place that requires notice to affected persons. The notice provided to consumers must include contact information of “the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention and protection information.”[9]
Requirement of “Reasonable Cybersecurity Safeguards”
The Shield Act is also notable for its entirely new provisions that require businesses that collect private information on New York residents to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.”[10] The Act states that such safeguards are to include administrative, technical, and physical safeguards, and it provides examples of practices that may be considered reasonable safeguards. In this respect, the Act appears to follow some of the features of DFS’s Cybersecurity Regulation. The DFS Regulation mandates certain cybersecurity standards for New York’s financial services industry, including New York chartered banks and insurance companies licensed to do business in New York.[11] In mandating reasonable security standards for all businesses that affect New York residents, the Shield Act, like the DFS Regulation, references risk assessments, incident response, employee training, and vendor management. In addition, the Shield Act makes clear that compliance with certain other laws is deemed compliance with the Act, including HIPAA, the federal Gramm-Leach-Bliley Act (“GLBA”) and, for DFS-regulated entities, the DFS Part 500 Cybersecurity Regulation.[12] While the inclusion of GLBA and HIPAA likely was necessary to avoid federal preemption, the inclusion of the DFS Regulation is a nod to the agency’s expansive jurisdiction over New York’s financial services industry.
The Act also includes certain protections for small businesses, providing that the reasonable safeguards required are those “appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.”[13]
Notably, unlike California’s CCPA, the Shield Act does not authorize a private right of action, and instead provides for enforcement by the New York Attorney General. The Attorney General may seek injunctive relief and civil penalties for all violations. The Act’s provision for actual damages, however, is limited to a violation of the breach notification provision, allowing for recovery only of the actual costs or losses incurred by a person entitled to notice.[14]
While the Shield Act is a significant expansion of existing New York law, it does not go as far as laws passed in other states.
Identity Act
New York’s Identity Theft Prevention and Mitigating Services Act (“Identity Act”) appears to be a direct response to the Equifax data breach that affected more than 147 million persons. The Identity Act requires credit reporting agencies involved in a breach that includes Social Security numbers to provide affected New Yorkers with the right to freeze their credit at no cost, and five years of identity theft prevention and mitigation services.[15] Among other things, this statute seeks to prevent, in future data breaches, what occurred following the Equifax data breach, where consumers who wished to protect their credit were required to pay credit reporting agencies a fee to lock (and unlock) their credit.
While this statute was introduced earlier, its signing by Governor Cuomo followed on the heels of Equifax’s July 2019 settlement of the claims by the federal government and 50 states and territories. According to the Federal Trade Commission (“FTC”)’s press release, Equifax has agreed to pay at least $575 million, and potentially up to $700 million, to settle the claims of the FTC, the Consumer Financial Protection Bureau (“CFPB”) and 50 U.S. states and territories. More specifically, an initial $300 million is to be paid into a fund that will provide affected consumers with credit monitoring services. In addition, beginning in January 2020, Equifax will provide all U.S. consumers with six free credit reports each year for seven years, in addition to the one free annual credit report that the three major credit reporting agencies currently are required to provide. The company also agreed to pay $175 million in fines to 48 states, the District of Columbia and Puerto Rico, and an additional $100 million to the CFPB. Finally, as part of the settlement, Equifax is required to implement a comprehensive information security program and an annual certification.[16]
It is notable that the FTC and the CFPB joined forces on this settlement. Questions remain, however, as to which agency of the federal government has oversight over credit reporting agencies going forward, beyond the requirements in the settlement agreement with Equifax. Notably, in June 2018, DFS took action to address this oversight issue in New York. DFS issued a final regulation requiring all consumer credit reporting agencies that reported on 1,000 or more New York consumers to register annually with DFS (the “DFS Regulation”).[17] The DFS Regulation prohibits credit reporting agencies from engaging in certain harmful conduct, subjects them to examinations by DFS,[18] and requires them to make annual reports to DFS. Furthermore, the DFS Regulation requires every credit reporting agency to comply with DFS’s cybersecurity regulation, including the provisions governing third-party vendors and the filing of an annual certification of compliance with DFS.[19] In these respects, the DFS Regulation provides for regulatory oversight over credit reporting agencies in New York.
The federal government, too, should ensure that credit reporting agencies are supervised on an ongoing basis for cybersecurity safeguards. And, more broadly, it remains to be seen whether the federal government will follow the lead of the states in enacting laws and regulations that mandate reasonable cybersecurity safeguards. Until it does, the states continue to be poised to fill the void. With the NY Shield Act and the Identity Act, combined with two previously implemented DFS regulations, New York has lurched forward for cybersecurity protection.
Footnotes
[1] See EU Data Protection Rules.
[2] California Code section 1798.150.
[3] The New York Privacy Act, S.B. 5642 (PDF: 35.4 KB), which closely paralleled the CCPA, did not pass.
[4] S.B. 5575, 242nd Leg. Sess. (N.Y. 2019) (PDF: 28.8 KB).
[5] S.B. 3582, 242nd Leg. Sess. (N.Y. 2019) (PDF: 3.02 KB).
[6] S.B. 5575, sec. 3, par. 2 (PDF: 28.8 KB).
[7] Id., sec. 3, par. 1(b) (PDF: 28.8 KB).
[9] Id., sec. 3, par. 1(c) & par. 2(b) (PDF: 28.8 KB).
[10] Id., sec. 4, par. 2 (PDF: 28.8 KB).
[12] S.B. 5575, sec. 4, par. 1 (PDF: 28.8 KB).
[13] Under the Act, a “small business” is considered any business with fewer than fifty employees, less than $3 million in gross annual revenue in each of the last three years, or less than $5 million in year-end total assets. In this respect, too, the Act appears modeled after the framework of the DFS Regulation, which provides for certain exemptions for certain regulated entities. Id., sec. 4, par. 1(c) & 2(c) (PDF: 28.8 KB).
[14] Id., sec. 2(d), (e) (PDF: 28.8 KB).
[15] S.B. 3582, 242nd Leg. Sess. (N.Y. 2019) (PDF: 3.02 KB).
[16] The two states that did not join this settlement are Massachusetts and Indiana. See Federal Trade Commission, “Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach” (July 22, 2019).
[17] 23 NYCRR 201; see N.Y. State Dep’t of Fin. Servs., “DFS Takes Additional Action To Hold Equifax Accountable for Massive 2017 Data Breach” (June 27, 2018).
[18] This examination requirement reinforces DFS’s position that it already has this authority. In June 2018, DFS, along with bank commissioners in seven other states, announced a Consent Order with Equifax, under which Equifax was required to undertake certain enhanced security measures to bolster the company’s cybersecurity defenses. See Consent Order with Equifax, Inc. (June 25, 2018) (PDF: 493 KB).
Maria T. Vullo is a Senior Fellow at NYU School of Law’s Program on Corporate Compliance and Enforcement, and previously served as superintendent of financial services for the State of New York.
Disclaimer
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.