A Primer on Cyber Legislation in New York

By Robert Cosgrove and John Amato

At the end of every Yankees’ home victory, Frank Sinatra blares from the speakers. The song? Well, of course, it’s New York, New York! As Old Blue Eyes sings,

These little-town blues,
are melting away,
I’ll make a brand-new start of it,
in old New York …

Unfortunately, it seems New York is about to make a brand-new start of it when it comes to the mounting cyber issues of our time. When New York legislators are not distracted by the latest Governor Cuomo harassment or nursing home scandal, they are spending time trying to create an effective, modern cyber law framework for the Empire State. The pending bills are designed to protect New York residents by imposing more data security requirements on companies that collect information. And they represent (potentially) a big change for New York—a change that would make New York’s cyber law paradigm more like California’s or the European Union’s. This essay will explore those changes and provide some thoughts on what to expect in the future. Specifically, Part I addresses the modern trend of cyber law by addressing its inherent necessity, including influential cyber legislation in jurisdictions outside of New York. Part II addresses the current posture of New York’s cyber law landscape by contouring recently enacted legislation and other regulations. Part III briefly addresses proposed cyber legislation in New York, which would effectuate one of the most stringent regulatory data compliance schemes in the United States (if enacted). These ever-changing regulations have real world consequences for our legal clients, our business clients—especially insurance companies—and on practicing lawyers.

I. Modern Trend in Cyber Legislation

A. The Necessity for Cyber Legislation, Generally

Technology has changed how we interact, conduct business, and even think about ourselves and the world around us. Look no further than COVID-19’s effect on the legal industry—a glaring exemplar of how technology instantaneously reconfigured the status quo from the orthodox ways of the past. Who would have thought that twenty years of legal transformation could have been shoehorned into such a small timeframe!

But in this brave new world (pun intended), it is unsurprising that bad actors and their nefarious conduct have morphed and expanded, as well. As COVID life has made us more tethered to cyberspace and technology, bad actors have ramped up innovative tactics to obtain and utilize confidential, proprietary information to the detriment of the United States, its companies, and its citizens. If you never received a robot call from the “IRS” or an autonomous voicemail in Mandarin—well, consider yourself lucky. These are obvious, micro examples of cyber infiltration attempts. But from a macro level, cyber-attacks are broaching the targeted sophistication and consistency to be considered full-fledged proxy warfare. This is made apparent by the recent, high-profile cyber-attacks against the United States and its companies (e.g., SolarWinds, Microsoft, and Colonial Pipeline), which may have significantly compromised national security. These well-documented cyber-attacks, and others, have cost U.S. companies billions of dollars and provided hackers and foreign state regimes with masses of personally identifiable information. Undeniably, cyber-attacks are increasing in frequency, sophistication, and scale.

But our modern cyber issues don’t end at international espionage and corporate pillaging (if that isn’t bad enough). Rather, they are exacerbated by broader privacy concerns and the ever-growing collection and use of personal data. Individuals, consumer watch groups, and other advocates have become increasingly worried about how the emergent “Internet of Things” makes it more difficult to be left alone. Recently, the Pew Research Center published a study, which revealed a majority of Americans believe their online and offline activities are being tracked and monitored by companies and the government with some degree of regularity. Let’s be honest—if you use the internet, you have probably experienced that eerie moment when you see advertisements about a product that was recently discussed around friends and family. Unlike our neighbors across the pond, American citizens share no Constitutional right to “data” or “information” privacy at present. And any regulations in place are impeded by a systemic conundrum: technological developments are outpacing legislative responses.

B. Influential Cyber Legislation

With all these new challenges, domestic and foreign legislative bodies have responded to these emerging cyber issues by enacting laws and regulations reinforcing data privacy and security. Most notably, the European Union’s (EU) General Data Protection Regulation (GDPR) provides EU citizens with total control over the collection and use of their data. Touted as the “toughest privacy and security law in the world,” this framework applies to any entity that collects, stores, or processes the personal data of EU residents or citizens—regardless of the size of the company. Thus, the GDPR is legally binding on international companies—like insurance carriers—with global operations that offer goods or services to EU residents or citizens, or which monitor the activities of individuals within the EU. The GDPR is predicated on reinforcing individual rights, including the right to erasure (i.e., “to be forgotten”) and the right of access to information stored and used by companies.

In stark contrast to the GDPR framework—the American cyber paradigm supports Big Data practices. Traditionally, the burden of protecting one’s personal privacy has been placed on the individual. However, attitudes about Big Data practices are changing and lawmakers are trying to respond. In 2018, the GDPR’s individualistic, pro-privacy principles made their way into American legislation vis-à-vis enactment of the California Consumer Privacy Act (CCPA), which has muddied the waters for entities that became subject to, but were unfamiliar with, these new compliance regulations. Drawing from the GDPR’s underlying policies, the CCPA created an overt, consumer-friendly cyber framework, which provided Californians the right “to be forgotten.” The CCPA applies to companies doing business in California that buy, share, or sell the personal data of more than 50,000 California residents, that earn more than 50 percent of their revenue from the sale of personal data, and which have an annual revenue of over $25 million. Thus, while the CCPA’s regulatory reach is not as broad as the GDPR, it shifted the status quo of American cyber legislation.

The CCPA’s data privacy and cybersecurity policies have gained traction in other U.S. jurisdictions. As of April 1, 2021—at least 38 states (including Washington D.C. and Puerto Rico) had introduced or considered more than 280 bills or resolutions that deal significantly with cybersecurity. States are rapidly proposing digital privacy legislation, as well. As of April 30, 2021—Nevada and Virginia followed California’s lead by passing comprehensive consumer-friendly data privacy laws. New York is following suit.

II. Cyber Legislation in New York

New York’s foray into its current cyber framework is traceable to the “Information Security Breach and Notification Act” (ISBNA), which became effective in December 2005. The ISBNA merely provided New York residents the right to know when a security breach resulted in the exposure of their private information and enabled minor penalties to be imposed against non-compliant entities. Certain provisions of the ISBNA were amended in 2013, but the amendments did not alter the legislation’s substantive impact—which was sparse in toto.

A. New York Department of Financial Services Cybersecurity Regulations

New York’s first significant cyber development occurred in February 2017, when the New York Department of Financial Services (NYDFS) issued a sweeping set of cybersecurity regulations, which were aimed at the ever-growing threat posed to financial systems by cyber criminals and were designed to ensure businesses effectively protect their customers’ confidential information from cyber-attacks. See 22 NYCRR 500 et seq. These cybersecurity regulations are directly applicable to financial institutions, including, but not limited to: insurance companies, state-chartered banks, licensed traders, private bankers, foreign banks licensed to operate in New York, mortgage companies, and other service providers. Now, these institutions must implement risk assessments, create audit trails, develop incident-response plans, and impose limitations on data access and data retention. Further, they must train cyber staff, designate a chief information security officer, protect and encrypt consumer data in transit and at rest, and oversee the compliance of third-party organizations. Additionally, they must notify NYDFS within 72 hours of identifying an attempted material breach of their systems. If your entity qualifies as a financial institution under New York law, or more significantly, if you work as an outside vendor for a financial institution (i.e., a lawyer who does work for insurance companies), you have likely encountered and complied with these regulations.

B. Stop Hacks and Improve Electronic Data Security Act (SHIELD)

New York’s next significant response to evolving cyber concerns occurred in July 2019 vis-à-vis enactment of the SHIELD Act, which amended existing laws and added new ones. The SHIELD Act reinforced data privacy and security by increasing the regulatory requirements for certain market actors.

i. Expanded Regulatory Scope and Application for Breach Notifications

Before the SHIELD Act, the breach notification requirement promulgated by the ISBNA only applied to persons or businesses that conducted business in New York. Now, this compliance obligation is imposed against any person or business that owns or licenses the private information of a New York resident. Thus, the SHIELD Act substantially expanded the territorial scope of the data breach notification requirement.

In that vein, the SHIELD Act’s regulatory reach has been expanded through the broadened definitions of what constitutes “private information” and a “breach of the security of the system.” Now, “private information” includes additional sets of key data elements that are subject to protection. With respect to “breaches,” the broadened definition now includes incidents involving “access” to private information. Before, only “acquisitions” of private information triggered the breach notification requirement. Thus, these expanded definitions will likely trigger more situations requiring a breach notification. For example, if you’ve used the ParkNYC app (a convenient, cashless parking application), you may have been notified about a data breach incident that resulted in the unauthorized “access” of general account information. This notice was likely precipitated because of the SHIELD Act’s expanded regulatory reach.

While the SHIELD Act significantly broadened its regulatory scope and reach, it also provides two important exceptions that obviate the need for a breach notification: (1) the “good faith employee” exception; and (2) the “risk of harm” exception. The “good faith employee” exception was retained from existing law. Under this exception, the good faith access or acquisition of private information by an employee or agent does not constitute a “breach of the security of the system.” Thus, data breach notifications are not necessary in these scenarios. The “risk of harm” exception is newly included in the SHIELD Act. Under this exception, notice to affected persons is not required if the exposure was inadvertent, and the person or business “reasonably” determines such exposure will not result in misuse, financial harm, or emotional harm. For a person or business to avail itself of this exception, certain documentation and reporting measures must be taken and complied with, which vary depending on the nature of the incident.

With respect to the breach notification obligations imposed on small businesses—the status quo is unchanged: there are no exceptions for small businesses in the breach notification rule. Small businesses that experience a data breach affecting the private information of New York residents must notify the affected persons (subject to the above exceptions). However, the SHIELD Act profoundly changed New York’s cyber laws by codifying new “data security protections,” which impact businesses of all sizes.

ii. New Cybersecurity Safeguards

The SHIELD Act ushered in new requirements for businesses of all types to create plans for “data security protections.” “Compliant regulated entities” (i.e., businesses that are already regulated by and comply with certain requirements, such as HIPAA, HITECH, Gramm-Leach-Bliley, and 22 NYCRR 500, et seq.) will be deemed to comply with the SHIELD Act. All other businesses, however, must meet the SHIELD Act’s new data security requirements.

To comply with these new data security measures, businesses must now develop, implement, and maintain “reasonable safeguards to protect the security, confidentiality and integrity” of New York residents’ data, including data disposal. Particularly, there are three aspects to a company’s data security program that are factored into the “reasonable safeguards” calculus: (1) reasonable administrative safeguards; (2) reasonable technical safeguards; and (3) reasonable physical safeguards.

Considering these overwhelming new compliance measures, the SHIELD Act includes some relief for small businesses. Qualifying small businesses must still maintain a security program, but the sophistication and general nature of that program can be modified. Specifically, a small business’ security program is compliant with the law’s “reasonable safeguards” requirement if the measures adopted are appropriate for the size and complexity of the small business, and reasonable in light of the nature and scope of the business’s activities and the sensitivity of the personal information collected from or about consumers.

Any person or business that fails to comply with these data security protections will be deemed to violate the law, which provides the attorney general a cause of action on behalf of New York State. Penalties include injunctive relief and other civil penalties. Notably, New York residents do not currently have any affirmative rights under the SHIELD Act’s framework. However, proposed legislation is underway, which may provide such rights. This would be consistent with the modern trends of the GDPR and CCPA.

III. Proposed Cyber Legislation in New York

Turning to the present—New York’s 2021–2022 legislative session kicked off with the introduction of additional, consumer-centric cyber bills.

A. Assembly Bill A680

Assembly Bill A680 (“New York Privacy Act”) would require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing, and to allow consumers to obtain the names of all entities with whom their information is shared. Some commentators have noted that this bill, as currently drafted, would make it nearly impossible for businesses to remain in strict compliance. This bill would also create a private right of action for technical noncompliance with the statute, enabling claimants and other injured “persons” to bring actions (including for injunctive relief). Thus, this proposed bill has significant implications for data-keeping businesses, whose failure to adhere to these new, strict compliance requirements would theoretically open the floodgate for litigation.

B. Senate-Assembly Bill S567, A3709

Senate-Assembly Bill S567/A3709 would grant a consumer the right to request for a business to disclose the personal information it collects about the consumer, such as the categories of sources from which information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared. As drafted, a consumer who suffers an injury in fact may recover the greater of statutory damages ($1000) or actual damages, and $3000 or actual damages for an intentional violation. Further, this bill provides: “any person who becomes aware, based on non-public information, that a person or business has violated this section may file a civil action for civil penalties.” Since a “person” is defined as “an individual, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee, and any other organization or group of persons acting in concert” – this bill would also open the litigation floodgates by enabling various parties to bring suit (e.g., business competitors, consumer groups, vendors, and the like). Obviously, innumerable unintended consequences may result from this legislation as currently drafted.

C. Senate-Assembly Bill S2886, A405

Senate-Assembly Bill S2886/A405 (“Online Consumer Protection Act”) is a proposed amendment to New York’s General Business Law, which directly addresses interest-based advertising activities. It provides that an advertising network shall post clear and conspicuous notice on the home page of its own website about its privacy policy and its data collection and use practices related to its advertising delivery activities. This bill would prohibit “publishers” and “advertising networks” from collecting certain information for online preference marketing purposes, “unless the consumer is given an opportunity to opt-out.” This bill also appears to prohibit certain marketing techniques (i.e., widespread practice lists or audience matching), absent a consumer’s consent. As currently drafted, this bill does not provide a private right of action for non-compliance; rather, the attorney general has the sole discretion to bring actions under the law, including for injunctive relief and statutory damages of $250 per violation (with the prospect of an increased fine at the discretion of the court if the violation relates to the use of personally identifiable information for online preference marketing or the failure to provide an opt out).

D. Senate-Assembly Bill S1349, A400

Senate-Assembly Bill S1349/A400 (“Right to Know Act of 2021”) would restrict the disclosure of personal information by businesses. A “business” would be required to make available to a “customer” the categories of the customer’s personal information disclosed to third parties, including the names, contact information, and designated request address of all such third parties. This proposed bill is akin to new legislation in California, as it provides the right for customers to request access to their personal information. This bill would provide a private right of action for customers, while also authorizing actions initiated by the attorney general, district attorney, city attorney, or city prosecutor of competent jurisdiction.

E. Other Proposed Cyber Legislation

Other proposed cyber legislation includes: Senate-Assembly Bill S1933/A27 (“Biometric Privacy Act”) (requiring private entities in possession of biometric identifier or biometric information to develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information); Senate-Assembly Bill S301/A687 (imposing requirements for the collection and use of emergency health data and personal information and the use of technology to aid during the COVID-19 public health emergency); Senate-Assembly Bill S336/A713 (“Wellness Program Privacy Act”) (requiring employers and insurers to take certain measures to protect the security of wellness program participants’ private information); and Senate-Assembly Bill S893/A954 (directing the Director of the Office of Information Technology Services to conduct a study on the use of biometric identifying technology; prohibiting the use of biometric identifying technology in schools for a certain period of time).

Conclusion

Avoiding compliance violations in the modern cyber law landscape requires due diligence and proactive business management. This primer should have provided general clarity on modern cyber law trends, including how these trends have impacted current and prospective legislation in New York and other jurisdictions. If you are subject to these patch-work cyber laws and regulations (which is pretty much every lawyer and her/his clients), and especially given the uncertainty of a federal cyber standard, it is crucial to understand the law’s status quo and envisage what’s coming next. One way to help get there is to stay compliant with New York’s current laws and be prepared for the next sweeping set of regulations—whatever they may be. After all:

If I can make it there,
I’m gonna make it anywhere.
It’s up to you,
New York, New York.

Bob Cosgrove, a CIPP-US/CIPM, is a partner at Wade Clark Mulcahy, who practices from New York to Philadelphia.  John Amato is an associate at WCM.