New York Passes Landmark Cybersecurity Law
The Federal Trade Commission is the nation’s primary privacy and data security enforcer. But the FTC is not the only regulatory body that enforces data privacy laws and regulations.
For example, last month, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (the “Act”). The Act expands data breach notification obligations under New York law and imposes cybersecurity obligations on covered businesses. New York has joined states like California that have bolstered data breach notification laws.
Changes to existing New York law include, but are not limited to, increased civil penalties for breaches of notification obligations; application to entities that maintain private information of NY residents, regardless of where they conduct business; and expanded definitions of “private information” and of what constitutes a “breach.”
Importantly, the Act applies to those that conduct business in New York state and own or license computerized data that includes private information. Location of the business activities is no longer a factor.
The Act’s expanded definition of “private information” includes the addition of two data points. It is now defined as “any information concerning a natural person which, because of name, number, and personal mark, or other identifier, can be used to identify such natural person” in combination with one of the following: (i) social security number; (ii) driver's license number or non-driver identification number; (iii) account number or credit or debit card number, with a password or code that would allow access to a financial account; (iv) an account number or credit or debit card number if it provides access to a financial account without a password or access code; and (v) biometric information.
Consistent with thresholds established by FTC CID attorneys, covered entities will be required to design and implement “reasonable” administrative, technical and physical data security safeguards, including risk vulnerability assessments, training and vendor oversight. The “reasonable safeguards” requirements exempt certain businesses from compliance.
The statute of limitations for violations of the Act has been increased to three years in order to permit the Attorney General more time to initiate an enforcement action. Some of the Act’s provisions become effective in October 2019, while the compliance program-related obligations do not become effective until March 2020.