Privacy & Cybersecurity Update - July 2019

New York Enacts Two Laws Expanding Consumer Protection for Data Breaches On July 25, 2019, New York Gov. Andrew Cuomo signed two bills into law that enhance the rights of state residents in the event of a data breach.

New Yorkers will soon have increased rights if they find their personal information has been compromised. The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)1 expands the definition of personal information to which data breach reporting requirements apply and requires companies to use reasonable measures to protect private information. The second measure, known as the Identity Theft Prevention and Mitigation Services Act2, requires consumer credit reporting agencies that suffer a data breach involving Social Security numbers to provide five years of identity theft protection to affected consumers.

The SHIELD Act expands New York's current data breach notification law to add the following categories of information to the definition of "private information" to which notification requirements may apply in the event of a data breach:

- account number or credit or debit card number, in circumstances where such number could be used to access an individual's financial account without additional identifying information (e.g., security code or password);
- biometric information; or
- user name or email address in combination with a password or security question and answer that would permit access to an online account.

The notification requirements now apply in the case of unauthorized access to private information in addition to cases where such information is acquired without authorization.

The SHIELD Act also expands the entities to which the data breach notifications apply. Under the prior version of the state's data breach notification law, any person or business that conducts business in New York and collects private information must notify any state residents whose private information was acquired in a data breach. Under the SHIELD Act, any person or business, regardless of where they conduct business, must notify affected New York residents in the event of a breach of such residents' private information, but the notice to affected residents is not required if:

- the exposure of private information was an inadvertent disclosure by persons authorized to access such information, and the entity reasonably determines such exposure will not likely result in the misuse of such information or harm to the affected state resident; such a determination must be documented and retained for five years, and if the incident affects over 500 state residents, the determination must be provided to the attorney general within 10 days after the determination; or
- notice of the security breach is made to affected New York residents pursuant to breach notification requirements under any other state or federal laws, including the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA).

Note that in the above cases, while notice to affected New York residents is not required, companies still must notify the state's attorney general, Department of State Division of Computer Protection and Division of State Police.

Finally, the SHIELD Act requires any person or business that maintains computerized private information of New York residents to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of such data, including its proper disposal. A person or business is deemed to be in compliance if it:

- is subject to, and in compliance with, the data security requirements under any other state or federal laws, including Gramm-Leach-Bliley and HIPAA; or
- implements a data security program that includes the following:
  - reasonable administrative safeguards, such as designating a security program coordinator; identifying reasonably foreseeable internal and external risks; assessing the sufficiency of safeguards to control such risks; training employees in the security program practices and procedures; selecting service providers capable of maintaining safeguards and requiring such safeguards by contract; and adjusting the security program in light of changes in circumstances;
  - reasonable technical safeguards, such as assessing risks in network and software design; assessing risks in information processing, transmission and storage; detecting, preventing and responding to attacks or system failures; and regularly testing and monitoring the effectiveness of key controls; and
  - reasonable physical safeguards, such as assessing risks of information storage and disposal; detecting, preventing and responding to intrusions; protecting against unauthorized access and use of private information; and disposing of private information within a reasonable amount of time after it is no longer needed by erasing electronic media.

Failure to comply with the data security provisions of the SHIELD Act may result in penalties assessed by the attorney general of up to $5,000 per violation. There is no private right of action.

The SHIELD Act takes effect on March 21, 2020.

Under the Identity Theft Prevention and Mitigation Services Act, any New York consumer credit reporting agency that experiences unauthorized acquisition of, or access to, a Social Security number must offer to each consumer whose number was breached, or is reasonably believed to have been breached, (1) reasonable identity theft prevention services and (2) if applicable, identity theft mitigation services, in each case for up to five years at no cost to the consumer, unless the agency determines after a reasonable investigation that the breach is unlikely to result in harm to the consumer.

The consumer credit reporting agency must provide all information necessary for consumers to enroll in such services, including information on how consumers can request a security freeze.

The Identity Theft Prevention and Mitigation Services Act takes effect 60 days from the date it was signed into law. It is applicable to any breach of the security systems of a consumer credit reporting agency that occurred within three years prior to the effective date.

Key Takeaways

Companies that collect personal information from New York residents should evaluate their data collection practices to determine whether they are subject to the new broader notification and data security requirements under the SHIELD Act and, if so, begin implementing policies and procedures to be able to comply by March 21, 2020. In particular, companies subject to the data security requirements should determine whether their existing data security programs include the elements listed in the SHIELD Act and, if they do not, consider updating such programs to include any missing elements.

In addition, consumer credit reporting agencies should consider whether they have experienced data breaches within the past three years that are in violation of the Identity Theft Prevention and Mitigation Services Act, and take steps to prepare to offer identity theft prevention and mitigation services to affected consumers, as applicable.

Two D.C. Circuit Rulings Deepen Standing Split in Data Breach Cases

Two recent rulings in the D.C. Circuit held that increased risk of identity theft due to unauthorized disclosure of personal information may constitute an injury in fact, deepening the split between appellate courts on standing requirements in data privacy litigation.

On June 21, 2019, the D.C. Circuit decided in National Treasury Employees Union v. Office of Personnel Management that heightened risk of identity theft resulting from a cybersecurity breach is sufficient to establish standing at the pleading stage.3 Shortly after, on July 2, 2019, the court held in Jeffries v. Volume Services America Inc. that a receipt printed by the defendant containing all 16 digits of a customer's credit card number in contravention of the Fair and Accurate Credit Transactions Act (FACTA) satisfied the plaintiff's standing requirement because the receipt in question increased the plaintiff's risk of falling victim to identity theft.4 These decisions further deepen the divide between circuits on...
