New York Proposes Overhaul of Its Data Breach Statute and a New Data Security Standard in the Wake of Recent Cyber Attacks

The largest data security breaches ever reported have occurred in the last several years. The organizations whose data security systems were compromised in connection with these massive breaches include Anthem, Ebay, Target, Home Depot, JP Morgan Chase, Adobe and now the federal government’s Office of Personnel Management. Not only is the scope of these breaches staggering but so are the trends that are emerging about these large scale data thefts. These massive security breaches all involved the theft of electronic data and are being deliberately perpetrated by an increasingly sophisticated form of attacker who is typically targeting the stolen data.

Like most states, New York has a data breach notification statute that is enforced by the State Attorney General. In the face of the increasing number and severity of data security breaches, New York has proposed legislation to update its data security protections. Presently, New York General Business Law § 899-aa governs notification of consumers in the event of a data security breach. This statute focuses on post-breach notification, rather than data security. It requires notification by any person or entity doing business in New York of a data security breach when a resident’s “private information… was, or is reasonably believed to have been, acquired by a person without valid authorization. N.Y. General Business Law § 899-aa defines “private information to mean:

any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired: (1) social security number; (2) driver’s license number or non-driver identification card number; or (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

Thus, under the current New York law notification is required only upon the unauthorized acquisition of one of these three unencrypted data elements concerning a New Yorker. This definition has proved significant. For example, when hackers acquired personal and account information from over 24 million Zappos customers in 2011, Section 899-aa was not triggered because names, email addresses, billing and shipping addresses, the last four digits of credit card numbers, and “cryptographically scrambled versions of website passwords were not within the scope of “private information.

Critics argue that the current New York law has not kept pace with technological advances in computerized data security and data breach trends. One such critic, New York Attorney General Eric Schneiderman, announced in January 2015 his plans to propose legislation to update New York’s information security laws. Attorney General Schneiderman’s announcement came within days of President Obama’s January 13, 2015 announcement proposing a national data breach notification standard for the purpose of “simplifying and standardizing the existing patchwork of… state laws… into one federal statute.

There is a bill currently pending in the New York State Senate (Bill 4887) that would dramatically change Section 899-aa and give New York one of the toughest state data security statutes in the country. Bill 4887 would initially expand the definition of “private information to include the following:

• “biometric information (i.e., data generated by automatic measurements of an individual’s physical characteristics, which are used by the owner or licensee to authenticate the individual’s identity)
• “online credentials (i.e., a user name or email address in combination with a password or security question and answer that would permit access) and
• “any unsecured protected health information as defined by HIPAA, as amended.

If this bill becomes law, these changes would drastically expand the scope of the New York data breach statute and lead to far more reports of data breaches.

The bill proposes additional changes to Section 899-aa regarding notice, potential penalties and several other topics. These changes include enhancing the notification requirements so that in the case of a security breach involving online credentials, the affected persons could be notified electronically and with the directive “to change his or her password and security question or answer, or “to take other steps appropriate to protect the online account… In the event of a breach involving “login credentials of an email account provided by a person or business subject to Section 899-aa, email notice to the email address involved in the breach would be insufficient. Instead, notice would need to be provided by another method available under Section 899-aa or by “clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.

Another proposed modification to Section 899-aa would increase the maximum civil penalty that could be imposed on a violator who acts “knowingly or recklessly from one hundred fifty thousand to one million dollars. Additional enforcement and penalty provisions are being proposed in connection with a new section (Section 899-bb) and standard under the existing statute, as further described below.

The most significant proposal in Senate Bill 4887 is the imposition of new data security requirements for those that conduct business in New York State and own or license computerized data containing “personal information under the proposed expansive definition described above. Bill 4887 proposes the creation of a new section of the statute (Section 899-bb) and the requirement that these entities have “reasonable safeguards that would be among the most demanding state standards in existence if the bill become law. Under Section 899-bb, a covered person or business would need to meet at least one of the following standards: (i) any state or federal law that provides greater protection to private information than Section 899-bb; (ii) the regulatory standard under Title V of the Gramm-Leach-Bliley Act of 1999; (iii) the current International Standards Organization information security standards; (iv) the regulatory standard under HIPAA and the HITECH Act; (v) the current National Institute of Standards and Technology (NIST) standards; or (vi) the security standard contained in Section 899-bb. The security standard proposed under Section 899-bb mandates a variety of administrative, technical and physical safeguards that will seem familiar to those who deal with the regulatory requirements under HIPAA and the HITECH Act. The highlights of the administrative, technical and physical safeguards that New York will require of covered entities and persons under Bill 4887 are below:

• Administrative safeguards that include designating one or more employees to coordinate the security program, assessing the sufficiency of the safeguards in place, identifying reasonably foreseeable internal and external risks, training employees about the security program, demanding service providers maintain appropriate safeguards, and updating or adjusting the security program based on changing circumstances.
• Technical safeguards that include conducting assessments of the risks associated with network and software design and data processing, transmission and storage, detecting, preventing and responding to attacks or system failures, and regularly testing and monitoring the key controls, systems, and procedures implemented.
• Physical safeguards that include assessing the risks associated with data storage and disposal, detecting, preventing and responding to intrusions, protecting against unauthorized access and misuse of private information, and the proper disposal of private information.

Bill 4887 also proposes a safe harbor and allows covered people and businesses to be certified as compliant with the security standard proposed under Section 899-bb. Those entities covered by the proposed new data security statute could obtain immunity from civil liability resulting from a data breach by complying with the latest NIST Special Publication 800-53 and avoiding willful misconduct, bad faith or gross negligence. While meeting the standards of NIST Special Publication 800-53 is achievable, this publication sets out a series of security controls for all U.S. federal government information systems and constitutes a much higher level of security than most companies are willing to adopt. Another proposal in Bill 4887 is the creation of the ability for covered entities to establish a “rebuttable presumption of having maintained reasonable safeguards in compliance with Section 899-bb if they obtain an annual audit and certification from a designated, independent third-party. The value of such a presumption is that it would essentially shift the burden of proof to anyone challenging the covered entity’s data security by creating a likelihood or assumption of compliance, even in a situation where a breach has occurred. Although it would be possible for the Attorney General or a plaintiff to prove an entity’s security measures were insufficient with enough specific evidence, this presumption would have a real benefit to many New York companies. If Bill 4887 becomes law, those interested in obtaining a rebuttable presumption of compliance or civil immunity through the safe harbor will want to follow the regulations the N.Y.S. Department of Financial Services promulgates for these third party licensed insurers who will decide what entities qualify.

Section 899-bb includes an enforcement component that would allow the Attorney General to bring a lawsuit against any violator of the statute and to obtain injunctive and monetary relief. In such a lawsuit, the court would be authorized to award actual costs or losses incurred by an affected person, including civil penalties of up to $250 for each person whose private information was compromised. The only limitation on the potential damage award in such an action is that the aggregate amount of any civil penalties cannot exceed ten million dollars. In cases where the court finds that a violator acted “knowingly or recklessly the court may impose a civil penalty of up to $1,000 for each person whose private information was compromised. Such an penalty is capped at the aggregate amount of “the greater of fifty million dollars or three times the aggregate amount of any actual costs and losses as determined by the court. Significantly, the proposed Section 899-bb authorizes a court to award these civil penalties “without a showing of financial loss. This is important because it means that covered entities could be subject to large fines even in situations where no harm or identity theft or actual personal financial loss was experienced by the individuals whose data was compromised in the breach.

One aspect of Section 899-aa that will not be modified if Bill 4887 is passed into law is the breach standard. The statute defines a breach as an “unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business. A business attempting to determine whether a breach has occurred can consider the following factors, among others: “(1) indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing information; or (2) indications that the information has been downloaded or copied; or (3) indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported. This standard essentially allows businesses that experience a security incident to conduct an analysis regarding whether the “personal information involved has been actually acquired before the notification requirements are triggered. It is odd that New York would revamp its data breach statute but not seek to replace this risk based standard with one that is more objective. Other states and the federal government, through the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act, have made the decision over the past several years to move away from the risk of harm standard out of a concern that it is too subjective.

If it becomes law, Bill 4887 will take effect January 1, 2016 and it will bring with it some positive and negative consequences. The pros include an objective security standard proposed under Section 899-bb, the rebuttable presumption and safe harbor protections, and the more robust protection that New Yorkers’ personal data will enjoy. On the flip side, those covered New York entities that are not already subject to similar data security and notification standards will be required to make substantial investments of human and financial resources due to the security requirements of Section 899-bb. Some will see the potential financial penalties as too great and ambiguous a risk and the increase in the scope and mandates of the New York statute as overly burdensome and expensive. If it passes, Bill 4887 will have major ramifications for businesses operating in New York and the effective date (currently January 1, 2016), and any potential extensions, will be important to watch.

This post was contributed by Kurt Bratten.