On March 21, 2020, the data security requirements of the New York SHIELD Act became effective.  The Act, which amends New York’s General Business Law, represents an expansion of New York’s existing cybersecurity and data breach notification laws.  Its two main impacts on businesses are:

  1. expanding data breach notification requirements under New York law; and

With less than two months until it goes into effect, many practitioners are focused on bringing their programs into compliance with the California Consumer Protection Act (“CCPA”) by January 1, 2020.  But the rapid pace of privacy legal developments could continue next year.  This past year, five states established studies or task forces to study privacy laws and report back to the legislature before their next session begins. Bills in Washington and Illinois passed one legislative chamber before failing, and their proponents have promised a renewed effort in 2020.

This is the first of a series of blog posts on what states other than California were considering to help you anticipate and prepare for 2020.  In total, at least eighteen states considered comprehensive privacy bills this year.  This initial blog post — on the heels of Halloween last week — focuses on some of those that are the scariest: bills in New York, Massachusetts, and Maryland.
Continue Reading State Privacy Laws Have the Potential to Haunt Industry

On July 25, New York Governor Andrew Cuomo signed two data security and breach notification bills into law.  The first bill, the “Stop Hacks and Improve Electronic Data Security Act” or “SHIELD Act,” will impose specific data security requirements on businesses that own or license private information of New York residents, in addition to amending New York’s data breach notification statute to broaden the circumstances under which notification may be required.  The second bill, meanwhile, will require consumer reporting agencies to offer identity theft prevention and mitigation services.  Both bills are described in further detail below.
Continue Reading New York Passes New Data Security and Breach Notification Requirements

As our readers know, New York’s Department of Financial Services (“NY DFS”) released a draft of its new Cybersecurity Regulations on September 13, 2016, and the final version of the regulations went into effect on March 1, 2017 (23 NYCRR 500).  Among other things, the regulations require regulated entities to conduct cyber risk assessments and to develop and implement cybersecurity programs to manage their cyber risk.

Notwithstanding the fanfare surrounding the announcement of these “first-in-the-nation” regulations, there has been significant uncertainty about precisely how the regulations will be interpreted and enforced.  That uncertainty has been increasing with the approach of the August 28 deadline for compliance with the first round of requirements (Section 500.22(a)).

On June 29, 2017, NY DFS took steps to reduce that uncertainty by posting a “Frequently Asked Questions” section about the regulations on its website.  The FAQs seek to clarify some key provisions of these regulations, including provisions regarding reporting requirements and consumer notification triggers.  Some highlights below:
Continue Reading New York DFS Publishes FAQs on New Cybersecurity Regulations

As we approach the May 2018 effective date of the EU General Data Protection Regulation (“GDPR”), there have been a number of global developments over the last few months with respect to the so-called “right to be forgotten,” which will be codified under Article 17 of the GDPR.

European Developments

In the EU, we previously reported on a Court of Justice of the EU (“CJEU”) decision that limits the right to be forgotten with respect to public records.  And in February, A French high administrative court raised several questions to the CJEU relating to the right to be forgotten in light of the Google v. Costeja Gonzalez decision.  The questions address whether and in what circumstances search engines must delist links to websites in response to requests from data subjects, and arose in the context of a pending dispute between Google and CNIL, the French data protection authority.

A decision by a Circuit Court in Ireland recognized the right of a former election candidate to request the removal of information posted about him on Reddit under the right to be forgotten.  And the UK recently solicited views on its own implementation of the GDPR, including input regarding the interplay between the right to be forgotten and freedom of expression in the media.
Continue Reading Developments in the Right to Be Forgotten

New York Attorney General Eric T. Schneiderman announced this week that there were a record number of data breach notices in New York in 2016, with nearly 1,300 reported data breaches exposing the personal records of 1.6 million New Yorkers.  These numbers represented a 60 percent year-over-year increase in the number of data breaches reported, and a threefold increase in the number of records exposed.

According to an analysis conducted by the Attorney General’s office, which builds on a 2014 report, most of the exposed records consisted of social security numbers and financial account information, and the leading causes of data security breaches in New York were hacking and inadvertent disclosures.  Schneiderman’s statement cautioned that these record numbers make it “all the more important for companies and citizens alike to take precaution when sharing and storing personal data” as “these breaches too often jeopardize the financial health of New Yorkers and cost the public and private sectors billions of dollars.”
Continue Reading NY Data Breaches Reached Record Levels in 2016

Based on reports citing New York Department of Financial Services (“DFS”) sources (see here and here), DFS may propose a revised version of its first-in-the-nation cybersecurity regulations on December 28, 2016.  That revision would be followed by a new 30-day comment period, with the revised regulations scheduled to take effect on March 1, 2017.

On December 19, 2016, the New York State Assembly Standing Committee on Banks heard testimony about a proposed regulation introduced by the New York State Department of Financial Services that would require financial services companies to develop and implement cybersecurity programs to defend against cyber-attacks.  As we covered when Governor Andrew Cuomo announced this first-in-the-nation

On September 13, 2016, New York Governor Andrew Cuomo announced a proposed regulation that would require financial service institutions to develop and implement cybersecurity programs to prevent and mitigate cyber-attacks.  The proposed regulation will be subject to a 45-day comment period once it is published in the New York State Register. The regulation will

This morning, the House Subcommittee on Commerce, Manufacturing, and Trade, chaired by Rep. Michael Burgess (R-TX), held a hearing to determine what elements should be included in federal data breach legislation.  Despite the momentum for legislation created by high-profile breaches at retailers like Target and Home Depot, and most recently at Sony, ongoing efforts in both the House and Senate to replace with a national standard the 47 currently existing state data breach laws so far have been unsuccessful.  This activity in the House is yet another attempt to enact a federal law governing data security, and today’s hearing made clear that many practical questions still remain for lawmakers to “get it right” on a data breach bill, as Rep. Fred Upton (R-MI) said.
Continue Reading House Debates Federal Data Breach Legislation