The Empire State Strikes Back
The Empire State Strikes Back:
New Push for Privacy and Data Regulation
The past few years have seen a rapid rise in government regulation related to how companies handle customer data and report data breaches. In Europe, the European Union’s General Data Protection Regulation (GDPR) has come into effect, instituting some of the most stringent data protection requirements on organizations to date. GDPR sets restrictions on how companies collect and store the data of European Union citizens and imposes strict fines—€20 million or 4 percent of global revenues, whichever is higher—on violators. In the United States, state governments have taken the lead to enact stringent data protection laws, driven to action by the number of massive data breaches that have affected hundreds of millions of users’ data. One such law, for example, is the California Consumer Privacy Act (CCPA), which is set to go into effect in 2020. CCPA aims to provide consumers increased control over their data by requiring private industry to indicate what data they are collecting and allow customers to opt out of their information being sold to third parties. But California is not alone. More and more states are pushing for stricter regulations to put pressure on businesses to protect the data they collect on customers.
New York State’s Focus on Data Protection
New York’s state legislature has in the past month taken major steps towards increasing the state’s data security regulations. One major new piece of legislation organizations should be following is the New York Privacy Act (S-5642). Introduced in May, the bill would require that organizations:
- Provide greater control to customers over their data, including full knowledge of what data is being collected and that organizations obtain expressed consent to process, share, or sell data to third parties.
- Act as “data fiduciaries,” meaning that they legally not use data to benefit their companies to user detriment.
In addition, the bill would allow New York residents “private right to action,” meaning that they could directly sue companies for privacy violations. This provision goes further even than California’s privacy law in this regard, and has the potential to bring a deluge of individual lawsuits against organizations. This “private right to action” section has already faced pushback from the tech industry as “unworkable.”
A second major new bill organization’s should be tracking to keep track of is New York State’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act, S.5575-A). The bill, which passed the New York State Senate on June 5th, 2019 does the following:
- Expands what information is subject to New York’s data breach notification law to include biometric data, email addresses, passwords, security questions and answers, and protected health information (PHI).
- Broadens the definition of a data breach to include any unauthorized access to private information.
- Widens data breach notification requirements beyond entities that do business in New York to any organizations that hold the private information of a New York resident.
The SHIELD Act (not to be confused with a similar bill introduced in 2017) follows in the footsteps of CCPA and is more extensive than California’s law. The act expands data breach notification requirements beyond those organizations that do business in the state in many ways mirrors a GDPR requirement which similarly requires notification in the event of a breach of EU citizens’ data regardless of the physical or registered location of an organization.
The New York Senate’s Consumer Protection Committee and Internet and Technology Committee held a joint hearing on the NY Privacy Act in early June, but the bill remains in committee and will likely face major opposition from industry through the legislative process (you can see the bill’s progress in the state legislature here). If the NY Privacy Act does pass without changes, it will impose some of the strictest data protection requirements to date in the United States. The bill would open organizations of all sizes up not only to major regulatory challenges to comply with the customer consent and “data fiduciary” provisions, but also to a bevy of individual lawsuits if customers perceive that their privacy may have been violated.
Meanwhile, the SHIELD Act has already passed in the state Senate and thus there is a high likelihood that the bill becomes law in New York (You can see the bill’s progress in the state legislature here). The impact of the SHIELD Act’s notification provision extends far beyond the state’s borders. Any organization that holds New York residents’ data will be required to adhere to the state’s notification requirements, including informing appropriate relevant regulatory, law enforcement, and consumer reporting agencies.
Keeping abreast of existing and pending regulations around data security can challenge any organization. It is important for organizations to ensure there is a close working relationship between your General Counsel, outside counsel, Chief Information Security Officer (CISO), and designated Data Protection Officer (DPO) to coordinate on how best to identify and protect data, as well as how to properly respond to a data breach should one occur. Maintaining relationships with regulators and law enforcement agencies can also help to ensure compliance with current and future rules and regulations. And lastly, it’s important for organizations to test out their policies and procedures using tabletop exercises or other simulated breach events. Firefighters aren’t good at putting out fires because they read their Standard Operating Procedures, they’re good at fighting fires by practicing over and over again with their Company Unit—your organization needs to take the same approach when it comes to cyber breaches.
CyberVista is Here to Help
Need help keeping up with important regulations and maintaining compliance? CyberVista is here to help. Our Resolve program is designed to quickly get senior executives up to speed on essential cyber regulatory and compliance issues. Be sure to check out our Digital Cyber Risk Seminars, which come with our complimentary Executive Cyber Briefings — a monthly newsletter that wraps the latest cybersecurity headlines, and explains how they impact your business — and our Practice What They Breach offering, a cyber risk tabletop exercise that will test leadership’s decision making during a data breach scenario.