Cybersecurity and Data Privacy: Proposed Legislation Would Substantially Expand and Strengthen New York’s Data Breach Notification Statute (6/16)

Bond Schoeneck & King PLLC

A bill currently pending before the New York State Assembly (A10475) would make a number of significant changes to New York's data breach notification statute (General Business Law Section 899-aa) if it is passed and signed into law. The proposed legislation would: (i) expand the type of information that is considered "private information," the disclosure of which triggers notification requirements, (ii) require that additional information be contained in notifications sent to consumers after a breach, and (iii) more than double the maximum penalty for a failure to comply with the notification requirements.

Specifically, the proposed legislation would add biometric information (e.g. fingerprints), user names or e-mail addresses in combination with a password or security question answer, and protected health information (as defined by HIPAA) to the definition of "private information." This is significant because the disclosure of any "private information" triggers the notification requirements imposed by the statute. This change would bring New York law up to par with some of the most protective data breach statutes in the country.

The proposed legislation would also require that any notification provided to consumers include the phone numbers and websites of "the relevant state and federal agencies that provide information regarding security breach response and identity theft protection information." It does not define which agencies will be considered "relevant." It also requires that a template of the notice that will be provided to consumers be sent to the Attorney General, the Department of State and the Office of Information Technology Services, together with the notification of the breach that is already required by law.

Finally, and perhaps most strikingly, the proposed legislation would more than double the maximum penalty for failure to comply with the data breach notification requirements. Under the current law, civil penalties are limited to the greater of $5,000 or $10 per instance, but are not to exceed $100,000 total. Under the proposed legislation, this would be changed to the greater of $5,000 or $20 per instance, not to exceed $250,000 total.

As this pending legislation makes clear, New York State is becoming increasingly serious about imposing and enforcing data breach notification requirements. Businesses would be well-advised to monitor the quickly changing landscape in this area, and to ensure that they are prepared to comply with the law in the event that a data breach occurs.

Written by:

Bond Schoeneck & King PLLC
