This Alert identifies bills currently pending before the United States Congress and the New Jersey state legislature that address “data privacy” and “cyber security” – two concepts that are similar, but distinct. To appreciate the intersections and distinctions between “data privacy” and “cyber security,” it is helpful to review what these words mean. To do so, it is perhaps apropos to turn to data giant Google for the pertinent, everyday definitions (none of which are controversial).
According to Google’s dictionary, “Data” means “facts and statistics collected together for reference or analysis.” “Privacy” is “the state or condition of being free from being observed or disturbed by other people.” Google defines “Cyber” as “relating to or characteristic of the culture of computers, information technology, and virtual reality.” Last, “Security” is “the state of being free from danger or threat.”
With these concepts in mind, it is possible to imagine the various “facts and statistics” that we take for granted each day – and that we willingly turn over to those who observe or disturb us. As one might presume from the recent deluge of bills and proposed rules (introduced below), these “facts and statistics” have great value to many observers and disturbers. It follows that, with the advent of the culture of computers, information technology, and virtual reality, one need not look far to realize that companies and individuals are ripe targets for danger and threat. For New Jersey businesses, the proposed rules and laws discussed below should jumpstart introspection about whether or not you are low-hanging fruit for a data breach – and the epic penalties such incidents portend.
COMPLIANCE: A PERILOUS AND EVOLVING LANDSCAPE
No discussion of data privacy and cyber security in the United States would be complete without a comparison to the Giant Elephant in the Room, the notorious European Union’s massive privacy opus known as the General Data Protection Regulation (“GDPR”). The all-encompassing scope of the GDPR, and the potential penalties it threatens, are the de facto standards against which any new rule or law will undoubtedly be measured. For the purposes of this Alert, however, suffice it to say that the GDPR is big, bold, broad, and brutal:
Big: contains eleven chapters, including ninety-nine different articles, along with 171 comments and explanations;
Bold: described as “the most important change in data privacy regulation in two decades,” the regulation treats personal data protection as “a fundamental right”;
Broad: applies not only to the 28 member states of the European Union, but also to any company outside of the E.U. that serves E.U. residents;
Brutal: in addition to the considerable expense associated with the infrastructure, software, and human resources necessary for compliance (including the 72-hour breach notification window), the regulation imposes penalties ranging between 2% and 4% of global revenue, or roughly $11 million to $23 million, whichever is greater, as well as operational bans.
In the States, New York and California are notable among the jurisdictions that have approved and enacted stringent data privacy and cyber security regimes. In March 2017, the New York Department of Financial Services implemented 23 NYCRR 500, titled “Cybersecurity Requirements for Financial Services Companies.” See “New York Cybersecurity Regulations – Tips On The First Required Filing,” Christopher Osnato, Bressler – Insurance Law Alert (Jan. 1, 2018); “The New York Department of Financial Services’ First Cybersecurity Compliance Deadline is Today: Are You Ready?,” Cynthia J. Borrelli and Christopher Osnato, Bressler – Insurance Law Alert (Aug. 28, 2017). Among other things, the New York regulation:
• establishes a robust data protection policy and program;
• requires covered entities to prepare and implement specific incident response plans;
• effects a risk-based minimum standard for security controls (most notably, requiring encryption of data at rest and in transit and multifactor authentication);
• institutes minimum standards for responses to data breaches, and seeks to foster a culture of accountability and remediation.
The New York regulation broadly targets financial institutions operating in New York, as well as companies that conduct business, or wish to conduct business, with financial institutions incorporated in New York. Thus, many New Jersey businesses must be prepared to comply with the New York regulation.
The State of California has also impacted the data privacy and cyber security terrain. In June 2018, the state enacted the California Consumer Privacy Act, or the “CCPA” (A.B. 375), which becomes effective on January 1, 2020. The CCPA applies to any for-profit company that:
(i) collects personal information on California residents;
(ii) does business in the state of California; and
(iii) meets one or more of the following thresholds:
(a) has annual gross revenues in excess of $25,000,000;
(b) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
(c) derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Companies located outside the state of California that meet the statutory thresholds will also be covered by the Act, and must be prepared to comply. The CCPA provides for civil penalties ($2,500 per negligent violation; $7,500 per intentional violation), as well as a personal right of action for affected residents (between $100 and $750 per resident per incident).
Finally, industry groups, self-regulatory bodies, and others have offered commentary, as well as their own “model” laws and rules, which reflect additional thought and guidance in this rapidly developing realm. Perhaps most notable is the “Insurance Data Security Model Law” approved by the National Association of Insurance Commissioners (“NAIC”) in the 4th quarter of 2017 (the “NAIC Model Law”). See 2017 4th Quarter Proceedings of the NAIC. Though similar to New York’s regulation targeting financial institutions, the NAIC Model Law would place greater responsibility (and accountability) on a covered company’s board of directors, require stricter assessment of controls, procedures, and systems, and (similar to the GDPR) mandate reporting of data breaches within 72 hours of discovery and across thirteen categories of information. The NAIC Model Law is not enforceable unless adopted by a state, which to date has not occurred. Note, however, that the NAIC Model Law expressly provides that if a licensee is in compliance with the New York cybersecurity regulation (codified at 23 NYCRR 500), such licensee is also in compliance with the NAIC Model Law.
With this backdrop, it is clear that many New Jersey companies are already subject to data privacy and cyber security regulations. New Jersey companies that do business in the E.U., California, and/or with New York financial institutions (and New York-licensed financial institutions domiciled in New Jersey) are currently covered by the respective jurisdiction’s laws and regulations. It is also clear that the law is not yet settled, since there remain pending state and federal statutes (and likely implementing regulations to follow). Thus, much work remains to be done.
CURRENTLY PENDING LEGISLATION AFFECTING NEW JERSEY
This Alert focuses on the current landscape for companies in New Jersey and identifies bills pending before the United States Congress and the New Jersey state legislature with the potential to further impact New Jersey businesses. The list of bills identified below is not intended to be exhaustive, but merely contains the most significant legislation that is likely to be reflected in any future state or federal law promulgated to strengthen data privacy and cyber security.
United States Congress
1. Data Acquisition and Technology Accountability and Security Act (H.R. __)
Status: Not yet formally introduced; draft circulated “for discussion purposes” in March 2018; immediately challenged by a group of 32 state attorneys general with respect to preemption.
Purpose and Key Provisions:
Establishes (i) standards for data protection across various industries, (ii) post-data breach notification requirements, and (iii) a process that covered entities must follow to notify law enforcement, regulators, and victims following different types of data breaches.
Preempts all state data breach and data security laws; Exempts banks, financial institutions, and credit reporting agencies; Requires notifications by covered companies only if the company believes there is “a reasonable risk that the breach of data security has resulted in identity theft, fraud, or economic loss.”
2. Cybersecurity and Infrastructure Security Agency Act of 2018 (H.R. 3359)
Status: Passed House; Passed Senate with amendments; In conference.
Purpose and Key Provisions: Repurposes the Department of Homeland Security’s National Protection and Programs Directorate and changes its name to the “Cybersecurity and Infrastructure Security Agency.”
Establishes the Cybersecurity and Infrastructure Security Agency as an operational component of DHS on equal footing with FEMA; Streamlines the Agency’s mission to protect federal agencies and critical infrastructure from cyber-threats and to assist the private sector in matters related to cybersecurity.
3. Data Breach Prevention and Compensation Act of 2018 (S.2289)
Status: Hearing before Committee on Banking, Housing, and Urban Affairs held in July 2018.
Purpose and Key Provisions: Creates an Office of Cybersecurity at the Federal Trade Commission for supervision of data security at consumer reporting agencies.
Requires the promulgation of regulations establishing standards for effective cybersecurity at consumer reporting agencies; empowers the Office of Cybersecurity to (i) supervise, evaluate, and regulate specified agencies’ management of data security, and examine agencies annually for compliance with regulations, (ii) investigate an agency in the event of a breach covered by the bill or suspected noncompliance with regulations, (iii) report on any findings of such investigation, (iv) coordinate with the National Institute of Standards and Technology and the National Cybersecurity and Communications Integration Center of the Department of Homeland Security, and (v) impose penalties on credit reporting agencies for cybersecurity breaches that put sensitive consumer data at risk.
4. Consumer Data Protection Act (H.R. 4544 and S. 2188)
Status: Referred to the House Committee on Financial Services.
Purpose and Key Provisions: Amends the Fair Credit Reporting Act to direct a consumer reporting agency experiencing a data breach to (1) notify the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), other appropriate law enforcement agencies, and affected individuals, (2) provide affected individuals with free credit freezes and credit monitoring services, and (3) establish a consumer assistance unit; establishes legal enforcement provisions concerning data breaches at consumer reporting agencies; empowers the CFPB to examine a consumer reporting agency to assess compliance with personal information protection laws.
Companies whose revenue exceeds $1 billion per year, or who warehouse data on more than 50 million consumers or consumer devices, must submit “annual data protection reports” to the government detailing all steps taken to protect the security and privacy of consumers’ personal information; imposes penalties of up to 20 years in prison and $5 million in fines for executives who knowingly mislead the FTC in such reports.
5. Cybersecurity Disclosure Act of 2017 (S. 536)
Status: Hearing before Committee on Banking, Housing, and Urban Affairs held in June 2018.
Purpose and Key Provisions: To promote transparency in the oversight of cybersecurity risks at publicly traded companies.
Requires publicly traded companies to explain in their filings with the Securities and Exchange Commission whether cyber security expertise exists on their boards and, if not, why the company believes such expertise is unnecessary because of other steps taken by the company; Directs the SEC, in consultation with the National Institute of Standards and Technology, to define what constitutes expertise or experience in cybersecurity.
New Jersey Legislature
1. Assembly, No. 1766; Senate, No. 2692 (Requires certain persons and business entities to maintain comprehensive information security program)
Status: Assembly: Introduced Jan. 9, 2018, Referred to Assembly Homeland Security and State Preparedness Committee; Senate: Introduced June 11, 2018, Referred to Senate Law and Public Safety Committee.
Purpose and Key Provisions: This bill requires any person, corporation, association, partnership or other legal entity that owns or licenses personal information about a resident of this State to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are necessary to protect the personal information.
The bill provides that it would be an unlawful practice under the consumer fraud act, P.L.1960, c.39 (C.56:8-1 et seq.), to willfully, knowingly or recklessly violate the provisions of the bill. An unlawful practice is punishable by a monetary penalty of not more than $10,000 for a first offense and not more than $20,000 for any subsequent offense. Additionally, a violation can result in cease and desist orders issued by the Attorney General, the assessment of punitive damages, and the awarding of treble damages and costs to those injured as a result of the violation.
2. Assembly, No. 4640; Senate, No. 3153 (Requires certain businesses to notify data subjects of collection of personally identifiable information and establishes certain security standards)
Status: Assembly: Introduced Oct. 25, 2018, Referred to Assembly Science, Innovation and Technology Committee; Senate: Introduced Oct. 29, 2018, Referred to Senate Commerce Committee.
Purpose and Key Provisions: This bill requires certain businesses to disclose to people who knowingly or unknowingly reveal personally identifiable information to that business that the business is collecting that information and that the person may opt out of the collection. Further, this bill sets forth certain security requirements for businesses that collect the personally identifiable information of a person, or data subject. The bill also requires a business that collects a data subject’s personally identifiable information to make certain information available to the data subject free of charge upon receipt of a request from the data subject for this information through a toll-free telephone number or email address.
In addition, this bill provides that a business is to allow a data subject to opt out, in a reasonable form and manner as determined by the business, at any time during processing of the data subject’s personally identifiable information, and upon receipt of the data subject’s opt out notification.
The bill further provides that it is to be an unlawful practice and violation of State law for a business to fail to comply with any of the provisions of this bill that results in the unauthorized access and exfiltration, theft, or disclosure of a data subject’s personally identifiable information. A business is to be liable to an affected data subject for any violation for a civil penalty of not less than $100 and not more than $750 per data subject per security incident, or actual damages, whichever is greater, and may be recoverable by the data subject in a civil action in a court of competent jurisdiction, which may also order injunctive relief or any other relief the court deems necessary.
3. Assembly, No. 3542 (Requires state, county, and municipal employees and certain state contractors to complete cybersecurity awareness training)
Status: Introduced Mar. 5, 2018, Referred to Assembly Consumer Affairs Committee
Purpose and Key Provisions: This bill provides for a cybersecurity awareness training program for all State, county, and municipal officers and employees and certain State contractors. Under this bill, all State officers and employees in the Executive Branch and the Judicial Branch of State government will be required to complete a cybersecurity awareness training program in each calendar year. The Chief Technology Officer of the Office of Information Technology will approve the format and content of the training program, which will be provided online. The program may include content which addresses certain identified groups of officers or employees, such as those who are involved in contracting processes. The requirement in this bill includes officers and employees of State authorities and of public institutions of higher education.
Members of the Legislature and the officers and employees in the Legislative Branch, as well as officers and employees of the counties and municipalities in the State, will also be required to complete the program approved by the Chief Technology Officer.
Finally, this bill requires State contractors and subcontractors and their officers and employees who have access to the State computer system or a State database to complete the same cybersecurity awareness training program as a term and condition of the State contract, except that the Chief Technology Officer may include content in the program which addresses contractors and their officers and employees.
The bill further requires periodic audits to ensure compliance with the requirements of this bill.
4. Assembly, No. 3546 (Directs Rutgers Discovery Informatics Institute, the Office of Information Technology, and Big Data Alliance to develop an advanced cyber infrastructure strategic plan; appropriates funds)
Status: Introduced Mar. 5, 2018, Referred to Assembly Science, Innovation and Technology Committee; Reported out of Assembly Comm. with Amendments, 2nd Reading on Sept. 17, 2018; Assembly Floor Amendment Passed (Johnson) on Sept. 17, 2018; Assembly Floor Amendment Passed (Johnson) on Oct. 29, 2018.
Purpose and Key Provisions: This bill directs the Rutgers Discovery Informatics Institute, Office of Information Technology, and the New Jersey Big Data Alliance to coordinate and establish an advanced cyberinfrastructure strategic plan. The advanced cyberinfrastructure strategic plan is to include, but is not to be limited to: (1) assessing the State’s cyberinfrastructure, public and privately-owned, including high performance computing, data storage systems, advanced instrumentation, data center facilities, visualization environments, the human expertise necessary to operate the cyberinfrastructure, and the software and advanced networks that link these resources together; (2) creating a roadmap for implementing advanced cyberinfrastructure improvements throughout the State, which shall include, but not be limited to, the development of a shared data cloud that integrates data infrastructure, hosted data, and data analytics, and the development of a high speed network infrastructure. The shared data cloud is to host an open data repository to address big data challenges and catalyze collaborations between academia, industry, and government; (3) recommending implementation strategies and policies for improving the State’s cyberinfrastructure; (4) identifying the benefits and the essential applications of cyberinfrastructure; (5) recommending workforce development strategies to ensure that the necessary human expertise is in place; and (6) identifying the means of using advanced cyberinfrastructure to drive economic development and facilitate the creation of public-private partnerships.
5. Assembly, No. 3922 (Requires state employees to review best cybersecurity practices)
Status: Introduced on May 7, 2018, Referred to Assembly Homeland Security and State Preparedness Committee
Purpose and Key Provisions: This bill requires State employees to receive training on best safety practices when using State computers. The training should include a review of best practices for using State computers, including updating passwords; detecting phishing scams; preventing ransomware, spyware infections, and identity theft; and preventing and responding to data breaches.
In addition, the bill requires the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) in the New Jersey Office of Homeland Security and Preparedness to establish the cybersecurity training program for all State employees in the Executive and Legislative Branch of government who have access to a State computer. The bill further requires the Director of the Office of Homeland Security and Preparedness to adopt guidelines to implement the program.
6. Assembly, No. 3983 (Requires public institutions of higher education to establish plans concerning cyber security and prevention of cyber attacks)
Status: Introduced on May 17, 2018, Referred to Assembly Higher Education Committee
Purpose and Key Provisions: This bill requires public institutions of higher education to establish plans and procedures to enhance cyber security and prevent cyber attacks against the institution’s information technology systems. Under the bill, the plans and procedures are required to address, at a minimum: system monitoring to identify potential cyber security risks and vulnerabilities; cyber threat assessment; techniques for mitigating risk and preventing cyber breaches; and response and recovery for cyber security incidents. The bill requires public institutions of higher education to regularly update their cyber security plans and procedures in order to reflect current technologies and information security techniques.
In connection with developing their cyber security plans, public institutions of higher education may consult with the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) regarding information and best practices on cyber security and data protection. The NJCCIC was established in 2015 by executive order as the State’s central organization for cyber security information sharing and threat analysis.
Lastly, the bill requires a public institution of higher education to notify the New Jersey Office of Homeland Security and Preparedness of any cyber attack against the institution’s information technology systems within 24 hours of becoming aware of the incident.
7. Assembly, No. 3659; Senate, No. 998 (Requires Economic Development Authority (EDA) to establish program offering low-interest loan to certain financial institutions and personal data businesses to protect business's information technology system from customer personal information disclosure)
Status: Assembly: Introduced on Mar. 13, 2018, Referred to Assembly Science, Innovation and Technology Committee; Senate: Introduced on Jan. 16, 2018, Referred to Senate Economic Growth Committee
Purpose and Key Provisions: This bill requires the New Jersey Economic Development Authority (authority), in consultation with the Department of Banking and Insurance, to establish and administer a program where the authority offers a low-interest loan or loan guarantee to an eligible business for 100 percent of any unreimbursed costs to the eligible business for the purchase and installation of information technology equipment and computer software used for the purpose of protecting the eligible business’s customers’ personal information from an unwarranted security breach of that information.
The bill defines an “eligible business” as a New Jersey-based business that is a State chartered bank, savings bank, savings and loan association, credit union, or a business that derives a majority of business sales and revenues from the protection of personal information of their customers, as determined by the authority.
The bill defines a “low-interest loan” as a loan for a term not exceeding 10 years at a rate of interest not exceeding three percent or one-half of the prime interest rate as reported in a financial newspaper published and circulating in New York City.
8. Assembly Joint Resolution, No. 54 (Designates October of each year as Cyber Security Awareness Month)
Status: Introduced on Feb. 1, 2018, Referred to Assembly Homeland Security and State Preparedness Committee; Reported out of Assembly Committee, 2nd Reading on Oct. 18, 2018; Passed by the Assembly (76-0-0) on Oct. 29, 2018.
Purpose and Key Provisions: Assembly Joint Resolution No. 54 designates the month of October as “Cyber Security Awareness Month” in New Jersey to educate the citizens of the State on the risks of the Internet and the importance of being safe and responsible cyberspace users. The resolution also requires the Governor to issue a proclamation calling on public officials and citizens of New Jersey to observe October as “Cyber Security Awareness Month.”
This resolution will allow the State to increase awareness, education, and training to create a digital community that is safer in this State.
9. Assembly Joint Resolution, No. 86; Senate Joint Resolution, No. 22 (Urges Secretary of State to assure Legislature and public that State's electoral system is protected from foreign computer hackers)
Status: Assembly: Introduced on Feb. 15, 2018, Referred to Assembly State and Local Government Committee; Senate: Introduced Jan. 25, 2018, Referred to Senate State Government, Wagering, Tourism & Historic Preservation Committee.
Purpose and Key Provisions: This resolution urges the Secretary of State to assure the Legislature and the public that the State’s electoral system is protected from foreign computer hackers.
Companies large and small should take a moment to read the writing on the wall. The legal and regulatory considerations with respect to data privacy and cyber security continue to multiply, as does the peril for non-compliance. Persons subject to the myriad laws in this area should consider seeking counsel to discuss and assess the risks to their business, as well as potential solutions to make sure they are informed and prepared.