New York is gearing up to enact some of the toughest cybersecurity, privacy and data protection laws in the country. Modeled on the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA), two privacy bills introduced this year would impose strict rules protecting New Yorkers’ personal data and fundamentally change how social media companies operate. The Stop Hacks and Improve Electronic Data Security Handling (SHIELD) Act, which updates New York’s data breach laws, has already passed the state senate and assembly and awaits the governor’s signature. The New York Privacy Act (NYPA), a more far-reaching proposal introduced in the state senate in May, is under consideration by the senate’s Committee on Consumer Protection. Both bills have garnered national attention and, if signed into law, would significantly alter the cybersecurity landscape and bring renewed pressure on lawmakers in Washington to set uniform, nationwide privacy standards.
The SHIELD Act
Currently on the governor’s desk, the SHIELD Act would update the body of law governing data breaches in three main ways by: (A) broadening the definition of private information, (B) expanding notification requirements and (C) requiring that individuals and businesses handling sensitive information implement “reasonable” data security measures.
A Broader Definition of “Private Information”
The 2005 Breach Notification Act defined “personal information” as “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.” For the purposes of the law, that personal information becomes “private information,” and thus subject to notification requirements in the event of a breach, when it is combined with an individual’s:
- Social Security Number;
- Driver’s license number or non-driver ID card number or account number; and/or
- An account number, credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
The SHIELD Act would add three more categories to the list, including:
- Account number, credit or debit card number, if circumstances exist wherein such number(s) could be used to access an individual’s financial account without any additional identifying information, security code, access code or password; or
- Biometric information data generated from electronic measurements of an individual’s unique physical characteristics used to authenticate or ascertain the individual’s identity; or
- A user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
While adding these elements would trigger notification requirements for more types of data breaches, some states have gone even further. For example, California includes health insurance information and Colorado includes a passport number, employer ID number and financial transaction devices. The SHIELD Act most closely resembles the statutory scheme in Massachusetts, but differs by including biometric data in response to advancements in facial recognition and other technologies. Other updates may be forthcoming to reflect additional technological advancements.
Expanded Notification Requirements
One of the SHIELD Act’s most significant reforms relates to the definition of a data breach. The 2005 Breach Notification Act only applies to the unauthorized acquisition of private information, but the SHIELD Act includes instances of unauthorized access. Breach victims would have to notify affected New Yorkers “in the most expedient time possible and without unreasonable delay” if data had been subjected to unauthorized access, unless the breach victim can verify that the exposure was “inadvertent” and reasonably determine it “will not likely result in misuse” or harm to affected persons. As a result, many more incidents may require notification than previously.
“Reasonable” Data Security Measures
The SHIELD Act also provides: “Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information …”
The statute lists examples of reasonable administrative, technical and physical safeguards. These include employee training, risk assessments, regular testing of key controls and procedures, and the disposal of private information within a reasonable amount of time after it is no longer needed. Other state laws do not include a list of specific examples of reasonable practices, which gives the SHIELD Act more teeth than an undefined reasonableness standard. The Attorney General, whose office praised the bill’s passage and urged the governor to sign it, would be empowered to bring civil actions against entities that do not implement reasonable data security measures.
Though some have called it “one of the strictest laws in the country,” the SHIELD Act has received a warmer welcome from the tech industry than has the proposed NYPA described below. Significantly, the SHIELD Act does not provide a private right of action, as does the NYPA, and therefore bars large class action litigations.
The bill passed the state senate by a margin of 41‒ 21. A spokesperson for Governor Andrew Cuomo confirmed that the governor will review the legislation, but it is not yet clear whether he will sign it.
The New York Privacy Act
State Senator Kevin Thomas introduced the NYPA in May and experts immediately noted it would be far tougher and bolder than the European GDPR and California CCPA on which it was modeled. Like its European and Californian precursors, NYPA would require social media companies to disclose how they gather personal information and provide New Yorkers with the power to request that their data be corrected, delete, or kept from third-party entities. However, the bill goes much further than both the California and European Union laws in that it: (A) has no minimum revenue requirement and therefore applies to any entity holding sensitive data of New Yorkers, regardless of size; (B) contains a data fiduciary clause that could upend the business models of most tech companies; and (C) provides a private right of action for New York residents to pursue violators.
No Revenue Requirement
Though the CCPA is similar to the NYPA in many ways, critically, it only applies to companies that have at least $25 million in gross annual revenue. The NYPA deliberately has no revenue requirement, reflecting its drafters’ intention to “capture as many businesses as possible.” Even a small social media startup with a few employees and no revenue would fall under the NYPA’s purview and could face substantial fines and damages if it runs afoul of new privacy protections. This significantly broadens the application of the NYPA’s provisions in a major departure from other states’ privacy laws.
Data Fiduciary Clause
Perhaps the most controversial provision in the NYPA is its data fiduciary clause, which mandates that social media companies
exercise the duty of care, loyalty and confidentiality expected of a fiduciary with respect to securing the personal data of a consumer against a privacy risk; and shall act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker, in a manner expected by a reasonable consumer under the circumstances … The fiduciary duty owed to a consumer under this section shall supersede any duty owed to owners or shareholders of a legal entity or affiliate thereof, controller or data broker, to whom this article applies.
The concept of a data (or information) fiduciary was developed by Professor Jack Balkin in 2014 as a solution to data privacy issues. Balkin suggests social media companies be treated like doctors, lawyers and accountants — professionals who “have to keep our secrets” and “can’t use the information they collect about us against our interests … on pain of loss of their license to practice, and a lawsuit by their clients.” In an interview, State Senator Thomas made the same analogy, adding that social media companies should not be allowed to share private information and target users with advertisements against their interests.
The idea has generated significant controversy, especially from within the tech industry, which successfully lobbied against a data fiduciary clause in California’s privacy law. John Olsen of the Internet Association, which lobbies for Facebook, Google, Amazon, Microsoft and many other tech companies, called the bill “unworkable.” In particular, Facebook has expressed serious concerns about the data fiduciary clause affecting its ability to operate in New York.
Private Right of Action
The last major departure from the CCPA is the NYPA’s enforcement mechanism. While the California Attorney General is charged with enforcing the provisions of the CCPA, every New York resident “injured by reason of a violation” of the bill would be empowered to personally sue offending companies. Wary of facing millions of lawsuits stemming from a violation, industry groups opposed this provision in California and successfully lobbied to keep it out of the final version of the CCPA.
It is unclear whether lobbyists will have similar success in New York with the NYPA. The bill is currently under consideration by the New York State Senate Consumer Protection Committee, which its sponsor, Sen. Kevin Thomas, chairs.