New York

On September 13, 2016, New York Governor Andrew Cuomo announced a proposed regulation that would require financial service institutions to develop and implement cybersecurity programs to prevent and mitigate cyber-attacks.  The proposed regulation will be subject to a 45-day comment period once it is published in the New York State Register. The regulation will

This morning, the House Subcommittee on Commerce, Manufacturing, and Trade, chaired by Rep. Michael Burgess (R-TX), held a hearing to determine what elements should be included in federal data breach legislation.  Despite the momentum for legislation created by high-profile breaches at retailers like Target and Home Depot, and most recently at Sony, ongoing efforts in both the House and Senate to replace the 47 currently existing state data breach laws with a national standard have so far been unsuccessful.  This activity in the House is yet another attempt to enact a federal law governing data security, and today’s hearing made clear that many practical questions still remain for lawmakers to “get it right” on a data breach bill, as Rep. Fred Upton (R-MI) said.

On the heels of a number of well-publicized data security breaches, a White House data breach proposal, and California’s recent changes to its data breach notification statute, New York Attorney General Eric Schneiderman has announced that he will propose legislation to strengthen New York’s data breach notification law.   The legislation had not been made public as of the date of publication, but the Attorney General has stated publicly that he anticipates it will include the following elements:

  • Private Information Definition.  The legislation would expand the definition of “private information” that, if breached, requires notice to New York residents.  According to the Attorney General, “private information” should be defined to “include both the combination of an email address and password and an email address in combination with a security question and answer,” as well as “medical information, including biometric information, and health insurance information.”  It is worth noting that the White House proposal unveiled earlier this week also would cover these data elements, and there are some existing state laws that already cover these data elements.  For example, California’s recent amendments to its data breach statute require notice of certain breaches involving “[a] user name or email address, in combination with a password or security question that would permit access to an online account.”  In addition, several states, including California and Texas, have breach notification statutes that cover certain types of medical information.
  • “Reasonable” Data Security Requirement.  Consistent with the approach that a number of other states (including, most recently, California) have taken, the legislation would impose an affirmative obligation on companies to reasonably safeguard “private information,” including through appropriate administrative, technical, and physical safeguards.  Massachusetts and Nevada are among the states that have imposed more prescriptive data security obligations.
  • Safe Harbor.  Schneiderman’s press release provides that “New York should offer a safe harbor if a company adopts a heightened form of security. . . . Once [an entity implements a data security plan that meets the standard], an entity would be required to attain a certification and, upon doing so, would be granted the benefit of a safe harbor that could include an elimination of liability altogether.”  It is not clear based on the Attorney General’s press release, but we presume that this safe harbor would pertain to the obligation to maintain reasonable data security safeguards and not to other obligations.  In addition, Schneiderman’s proposal would legislate that entities that obtain independent third-party audits and certifications annually showing compliance with New York’s reasonable data security requirements should receive for use in litigation a rebuttable presumption of having reasonable data security.

By David Fagan and Sumon Dantiki

Recently several media outlets reported that the New York State Department of Financial Services (“NYDFS”) sent a letter to many of the nation’s banks, regarding the “level of insight financial institutions have into the sufficiency of cybersecurity controls of their third-party service providers.”  The letter requested financial institutions to disclose “any policies and procedures governing relationships with third-party services providers,” and “any due diligence processes used to evaluate” such providers, including law and accounting firms.

Earlier this week, Twitter appealed a New York state judge’s ruling that required the company to produce an Occupy Wall Street protestor’s tweets, email address, and certain subscriber information.  The trial court judge had reasoned that the public nature of Twitter meant that the defendant lacked privacy interests in his tweets and that the government’s

Rep. Eliot Engel (D-NY) recently introduced a bill in the U.S. House of Representatives that would prohibit employers from requiring current and prospective employees to disclose website usernames, passwords, and other online content.  The Social Networking Online Protection Act (SNOPA), H.R. 5050, also would apply to students at colleges, universities, and K-12 schools, and impose

A California law that took effect on January 1, 2011 makes it a crime to impersonate someone online.  Any person who knowingly and without consent impersonates another actual person through electronic means for purposes of harming, intimidating, threatening, or defrauding another person is guilty of a misdemeanor.  “Electronic means” is defined to include opening an e-mail account or social networking profile in another person’s name.  A violation of the law occurs only if the impersonation is credible, meaning that another person would reasonably believe that the defendant was the person impersonated.