November 2017

Proposed New York Legislation: Cybersecurity Is Not Just an Issue for Financial Services and Insurance Companies

Much attention has been paid to the NYS Division of Financial Services Cybersecurity Requirements for Financial Services Company adopted earlier this year.[1]  Recently, New York proposed new legislation which, if adopted, will require all businesses that own or license Private Information[2] regarding New York residents to proactively adopt “reasonable safeguards to protect the security, confidentiality and integrity” of that data unless the data is encrypted (at rest and in motion) such that even if accessed, the data could not be (i) used for an unauthorized and otherwise unlawful purpose, or (ii) altered.

The proposed legislation outlines what a “reasonable” security program would entail, including, without limitation the following steps:

• Designate a security coordinator (or a chief information security officer);
• Identify internal and external risks to the business and its Private Information;
• Undertake a risk assessment;
• Train personnel on cyber-mindfulness and the business’ procedures and policies related to data privacy and security;
• Vet vendors that may have access to Private Information to confirm those vendors have appropriate security policies and procedures;
• Assess the adequacy of security features in the technology employed by the business, including software, cloud environments and application;
• Implement appropriate technology to prevent and detect system attacks and failures;
• Adopt an incident response plan to enable the business to quickly respond to an attack and resume “normal” operations;
• Adopt and implement appropriate safeguards for the physical environment in which the business operates;
• Implement technology and business practices to protect against unauthorized access to or use of Private Information; and
• Securely dispose of and destroy Private Information after it is no longer needed for business purposes so that the information cannot be read or reconstructed.

Businesses that are subject to certain statutory frameworks[3] may be deemed to be in compliance with the legislation based on their current practices. 

Small businesses[4] would be required to implement and maintain reasonable safeguards “appropriate to the size and complexity” of the business.

As the legislation is currently drafted, if a business is found to be in violation, the business could be subject to a civil penalty not to exceed $5,000 per violation (e.g., for each record compromised).

Businesses that “wait and see” what the cyber-legal landscape will look like in New York State will not only find themselves behind the curve, but leave themselves exposed if they have yet to adopt a meaningful cybersecurity program. We anticipate that this legislation (or something close to it) will be passed in New York State. Similar legislation is already in effect in Massachusetts, California and Rhode Island; and New Jersey has been considering the adoption of a similar statute. Please contact our cybersecurity and data privacy attorneys to help you navigate the expanding landscape of cybersecurity legislation and to implement the necessary policies, procedures and planning to best protect your business.

---

[1] 23 NYCRR 500 et. seq. See our prior alert on these regulations. 
[2] Under the proposed legislation, “Private Information” includes  personal information consisting of (i) a person’s first name or initial and last name, together with any one or more of the following data elements, when either the personal information or the data element is not encrypted or encrypted with an encryption key that has also been accessed or acquired:

1. Social security number;
2. Driver's license number or non-driver identification card number;
3. Account number, or credit or debit card number, in combination with any required identifying information, security code, access code, or password which would permit access to an individual's financial account;
4. Account number, or credit or debit card number, if circumstances exist wherein such number could be used to access to an individual's financial account without additional identifying information, security code, access code, or password;
5. Biometric information, meaning data generated by automatic measurements of an individual's physical characteristics, which are used to authenticate the individual's identity;

(ii) a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account; or
(iii) any unsecured protected health information held by a "covered entity" as defined in the health insurance portability and accountability act of 1996 (45 c.f.r. pts. 160, 162, 164), as amended from time to time.
[3] E.g. HIPAA, GLBA, and 23 NYCRR 500 et. seq.
[4] Under the proposed legislation, a “small business" is defined as a business with (i) fewer than 50 employees, including any independent contractors, of the business; (ii) less than $3 million in gross annual revenue in each of the last three fiscal years; or (iii) less than $5 million in year-end total assets, calculated in accordance with generally accepted accounting principles.

For more information, please contact your CSG attorney or the authors listed below.

Michelle A. Schaap | Member of the Firm | mschaap@csglaw.com | (973) 530-2026

Frank Peretore | Member of the Firm | fperetore@csglaw.com | (973) 530-2058

Rhonda Carniol | Member of the Firm | rcarniol@csglaw.com | (973) 530-2101

Robert L. Hornby | Member of the Firm | rhornby@csglaw.com | (973) 530-2032