Cybersecurity and Data Privacy: Proposed Legislation Would Substantially Expand and Strengthen New York’s Data Breach Notification Statute

June 7, 2016

By: Michael D. Billok and Clifford G. Tsan

A bill currently pending before the New York State Assembly (A10475) would make a number of significant changes to New York’s data breach notification statute (General Business Law Section 899-aa) in the event that it is passed and signed into law. The proposed legislation would: (i) expand the type of information that is considered ‘private information,’ the disclosure of which triggers notification requirements, (ii) require that additional information be contained in notifications sent to consumers after a breach, and (iii) more than double the maximum penalty for a failure to comply with the notification requirements.

Specifically, the proposed legislation would add biometric information (i.e. fingerprints), user name or e-mail addresses in combination with a password or security question answer, and protected health information (as defined by HIPAA) to the definition of "private information." This is significant due to the fact that the disclosure of any "private information" triggers the notification requirements imposed by the statute. This change would bring New York law up to par with some of the most protective data breach statutes in the country.

The proposed legislation would also require that any notification provided to consumers include the phone numbers and website of "the relevant state and federal agencies that provide information regarding security breach response and identity theft protection information." It does not define which agencies will be considered ‘relevant.’ It also requires that a template of the notice that will be provided to consumers be sent to the Attorney General, the Department of State and the Office of Information Technology Services together with the notification of the breach that is already required by law.

Finally, and perhaps most strikingly, the proposed legislation would more than double the maximum penalty for failure to comply with the data breach notification requirements. Under the current law, civil penalties are limited to the greater of $5,000 or $10 per instance, but are not to exceed $100,000 total. Under the proposed legislation, this would be changed to the greater of $5,000 or $20 per instance, not to exceed $250,000 total.

As this pending legislation makes clear, New York State is becoming increasingly serious about imposing and enforcing data breach notification requirements. Businesses would be well-advised to monitor the quickly changing landscape in this area, and to ensure that they are prepared to comply with the law in the event that a data breach occurs.

If you have any questions about this Information Memo, please contact Michael D. Billok, Clifford G. Tsan, Christopher J. Stevens or the attorney in the firm with whom you are regularly in contact.