New York State Makes Intriguing Changes In Its Databreach Disclosure Law

When New York Gov. Andrew Cuomo signed into law new security breach laws this summer (signed into law July 25, 2019), it included several intriguing changes for how the state insists data breaches impacting its citizens be handled. For starters, it used to only apply to businesses doing business in New York state. The new version of the law, however, has removed that requirement, ostensibly making any companies throughout the world exposed to its requirements, as long as the data of some New Yorker somewhere is impacted.
In theory, that could ensnarl a small company in Italy that doesn’t ship outside of Italy, but who might be visited by a New York state resident who chooses to fill out a form and thus provide sensitive information.

Another tweak to the law is that repeated references to attackers having acquired sensitive/private data was changed to “accessed or acquired,” which is an interesting but ultimately pointless revision. That’s because the nature of computing is that “acquiring” data requires it to be “accessed.” It’s not clear what scenarios where data was improperly acquired would be improved by saying “accessed of acquired.” Still, that change was made.

Far more interesting was an exemption from data breach notification “if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials” and “such a determination must be documented in writing and maintained for at least five years. If the incident affects over five hundred residents of New York, the person or business shall provide the written determination to the state attorney general within ten days after the determination.”

What this provision seems to be addressing is a situation where no ill-mentioned cyberthief is involved and the data breach is simply an accident. It’s a curious change because, accidental or intentional, state residents should know if their data is loose in the wild, even absent bad intent. The state tries and address that by saying that the exemption only exists if someone “reasonably determines” that the accidental leak will “not likely” result in information misuse or financial harm to anyone.

One scenario for such a determination might be unencrypted records in a laptop and the laptop was left overnight in the backseat of a car. But if the car was locked and security video footage happened to be focused on the car and detected no one approaching the vehicle, the business owner could conclude that the data was handled improperly, but no probable harm came to anyone.

That said, a common instance of an accidental data leak would be sensitive files that are briefly exposed on a public-facing Web site. In that case, the “no one was harmed” could be justified by noting that no one accessed the files at issue during their brief existence in a public state.

Also, the new requirement that such justifications must be documented “and maintained for at least five years” could impose new data-retention requirements on companies well outside New York state’s boundaries.

The revision also scored a compliance success by trying to reduce duplicative data breach announcements. It couldn’t eliminate them, of course, but even a small easing of that burden could be much appreciated. The new law declared that if a breach has already been made to affected persons via a handful of other regulations, the company need not send another one courtesy of the New York state law. The listed regs that apply to this reduction of the duplicate reporting burden include Title V of the federal Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act, “part five hundred of title twenty-three of the official compilation of codes, rules and regulations of the state of New York,” plus “any other data security rules and regulations of, and the statutes administered by any official department, division, commission or agency of the federal or New York state government as such rules, regulations or statutes are interpreted by such department, division, commission or agency or by the federal or New York state courts.”

Some common sense was acknowledged in another change with the new law dealing with e-mail notification. Although it continues to permit email notification, it logically enough now excludes email notifications “if the breached information includes an e-mail address in combination with a password or security question and answer that would permit access to the online account.”

If the email account was indeed compromised, the state now wants a business to “provide clear and conspicuous notice delivered to the consumer online when the consumer is connected to the online account from an internet protocol address or from an online location, which the person or business knows the consumer customarily uses to access the online account.” Presumably, the state is envisioning some sort of a pop-up or similar notification to alert the customer when they next log in.

Another twist impacting data retention as well as general liability is that the state has made a change about when prosecution can happen. The new phrasing: “In no event shall an action be brought after six years from the date of discovery of the breach of private information by the company, unless the company took steps to hide the breach.”

That is a clever bit of carrot-and-stick from Albany. The state is simultaneously giving companies a carrot of not having administrative penalties hanging over their boards forever, but has added a stick to discourage being mischievous and “hiding the breach.” If such hiding can be established, the threat of state prosecution appears to be unlimited.

The SHIELD Act also states that “any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information” and sets forth a list of specific administrative, technical, and physical safeguards, which, if implemented in connection with the subject entity’s data security program, establish compliance. (An entity may also establish compliance by demonstrating that it meets the requirements of certain specified data security regulatory schemes, such as HIPAA or 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies.)  A small business, as defined by the Act, is in compliance if its “security program contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.”

Like the breach notification requirements, the data security protections requirements apply to any entity “that owns or licenses computerized data, which includes private information of a resident of New York.”  So, for example, a business in Anywhere, USA, that has no connection to New York other than the fact that it sells products to residents of New York through its website, and maintains customer information that meets the Act’s definition of “private information,” is required to comply, or face penalties.

One last noteworthy change can be found in the removal of the word “reasonable” from the original sentence about reporting a breach and performing “any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” The new law says “restore the integrity of the data system” and strikes the word “reasonable.”