New York has updated its breach notification and data security law, expanding the definition of a data breach and imposing detailed reasonable security requirements, among other changes. The amendment also adds a number of new data elements to the definition of “private information.” On July 25, 2019, Governor Cuomo signed S5575B, with the breach notification amendments taking effect on October 23, 2019, and the security requirements taking effect on March 21, 2020.
Notably, S5575B expands the definition of a “breach of the security of the system” to include unauthorized access to private information in addition to unauthorized acquisition. In assessing whether private data has been accessed without authorization, the amended law says businesses “may consider” factors such as indications that the information was viewed, communicated with, used, or altered without authorization. S5575B is the first state law to attempt to frame “access,” but it blurs the distinction between access and acquisition (e.g., unauthorized use is already mentioned as a factor to consider in assessing whether unauthorized acquisition has occurred).
The bill also expands its definitions of private information and personal information. It adds a new category of private information for user names or email addresses combined with a password, or security question and answer, that could permit access to an online account. It also adds the following data elements, in combination with personal information, to the definition of private information:
- biometric information; or
- account numbers, credit or debit card numbers that, under the circumstances, could be used to access an individual’s financial account without additional identifying information or passwords.
In addition, the amendment creates three exceptions to notification requirements:
- First, notification is not required for inadvertent disclosure by a person authorized to access the private information if the business determines that the disclosure will not likely result in misuse of the information, or financial or emotional harm to affected persons. This determination must be documented in writing, provided to the state Attorney General within 10 days (for incidents that affect more than 500 New York residents), and retained for at least 5 years.
- Second, notification to individuals is not required if individual notices are sent under certain other laws requiring notice (e.g., GLBA and HIPAA)—though notice to state regulators would still be required.
- Third, if a breach involves an individual’s e-mail address in combination with a password or security question and answer that would permit access to an online account, businesses must instead provide notice to the consumer online when the consumer is connected to the online account from an IP address or online location the consumer customarily uses to access the online account.
Finally, the amendment expands the timeframe in which the New York Attorney General can file a suit for violations of the statute, from 2 years to 3 years.
The bill also introduces reasonable security requirements for all businesses that own or license New York residents’ private information. To comply with the reasonable security requirements, a business must either (1) be subject to and comply with the security requirements of the Gramm-Leach-Bliley Act regulations, the Health Insurance Portability and Accountability Act Security Rule, the New York Division of Financial Services Cybersecurity Regulation, or other federal or state data security laws; or (2) implement a data security program that includes the specified reasonable administrative, technical, and physical safeguards. New York’s reasonable security safeguards resemble those required under Massachusetts’s robust data security law. However, unlike Massachusetts’s data security law, New York’s S5575B does not contain specific computer system security requirements.
The reasonable security requirements also permit a “small business” to scale its security program as appropriate for the business’s size and complexity, the nature and scope of its activities, and the sensitivity of the personal information it collects from or about consumers.
Navigating the Changing Landscape
S5575B highlights the growing trend among the states to expand the definitions of information covered by breach notification requirements. New York’s expansion of the definition of private information follows similar expansions of “personal information” in recently enacted laws in Arkansas and Washington. Moreover, New York now joins Connecticut, Florida, New Jersey, and Puerto Rico in defining a data breach to include unauthorized access.