New Data Privacy and Security Laws Will Impose Strict Mandates on Businesses

Article

New Jersey Law Journal

December 2, 2019

By: John T. Wolak, CIPP-US, and Jason R. Halpin

Heightened concerns for the privacy and security of personal information in 2019 prompted at least 25 state legislatures across the country to propose a variety of bills addressing the privacy of consumer data. In New Jersey and New York, legislators are acting to enhance businesses’ privacy and security obligations, including the privacy practices and policies of commercial entities and commercial websites that collect, process, and store personal information of state residents. These enhanced obligations promote individual interests in privacy and security, but they also may have a dramatic effect on a company’s ongoing compliance efforts and the resulting costs. Based on pending legislation in New Jersey and recently enacted legislation in New York, all affected businesses should implement, or review and reassess, their data privacy and security programs, as well as their breach prevention and response activities, in order to meet the requirements of today’s ever-evolving compliance regimes.

Bills currently pending in the New Jersey Senate and Assembly would implement new requirements for companies doing business in New Jersey that collect or process the personal information of New Jersey residents. Although Senate Bill 2834 (with companion Assembly Bill 4902) and Senate Bill 3153 (with companion Assembly Bill 4640) have very similar compliance requirements, there are some substantive differences—perhaps most notably, whether an exemption will be allowed for certain businesses below a threshold of annual revenue or total number of people from whom personal information is collected. There has been considerable discussion since these bills were introduced about the scope, terms, and requirements of any legislation that may ultimately be enacted. At this juncture, it remains unclear what the final terms of any enacted statute will be, and it is likely that any legislation enacted will represent a blending of the requirements of both bills. To ensure that businesses are prepared for the legislation ultimately enacted, this article highlights some of the more restrictive provisions of the bills being considered to ensure transparency about what personal information a business collects, what that information is used for, and who that information is shared with.

In general, the proposed bills would require a company to provide a complete description of the personally identifiable information the company collects, the purpose of the collection, and the time parameters for storage of the data. In addition, with limited exceptions—e.g., to comply with legal requirements, prevent fraud, or protect the consumer—the company must identify the third parties to which it may disclose personal information, the purpose of such disclosure, and whether it profits from such disclosure. Companies would also have to provide consumers with the right to access their own personal information, and, within 30 days of each consumer’s request, provide detailed information about the requesting party’s personal information (including, for example, the identity and contact information of third parties that received the personal information), along with an actual copy of the processed data. Consumers would be able to opt out of certain disclosures and processing of their personal information, and the company would be prohibited from discriminating against or penalizing the consumer for opting out. Companies would also be required to develop and maintain information security programs that meet applicable industry standards or the requirements of any applicable federal law, but the current bills do not provide any specific measures that may be implemented to achieve compliance.

Both bills currently include an expansive definition of “personally identifiable information” that would extend far beyond the scope of “personal information” found in New Jersey’s Identity Theft Prevention Act (ITPA). The ITPA sets forth the requirements for disclosure of a breach of security of “personal information,” which is defined to include a name linked with a Social Security number, driver’s license number, or certain financial account information. In May 2019, the ITPA was amended to add “user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.” It is not clear whether unauthorized access to any data within an expanded scope of “personally identifiable information” under the pending bills would constitute a “breach” under the ITPA that triggers a company’s obligation to notify affected consumers and law enforcement.

Notably, the current version of these bills, like many proposed bills in other states, would give consumers a private right of action under the state Consumer Fraud Act against companies that fail to comply. For obvious reasons, the private right of action is anathema for businesses across the country. In many jurisdictions, the alternative to an immediate right of action includes an extended “right to cure” before a private action (which S3153 includes) or enforcement solely by the state Attorney General.

In New York, the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) implements broad new data security requirements for all businesses that have the private information of New York residents, and also modifies the state’s breach notification requirements. The SHIELD Act reaches beyond New York’s own borders to compel even companies that do not do business in New York to take affirmative steps to protect the personal and private information of New York residents that companies may be collecting or storing.

First, the SHIELD Act expands the definition of “private information” that must be safeguarded to include any information that can be used to identify a person, in combination with a Social Security number, a driver’s license number, a financial account number, or biometric information. Separate and apart from these “data elements,” the definition of “private information” also now includes “a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.”

Second, the SHIELD Act expands the definition of what constitutes a breach to include mere access to private information, instead of the previous requirement of actual acquisition without authorization that compromised the private information. “Access” depends on whether someone without authorization (or without valid authorization) has viewed, communicated with, used, or altered the information. Companies must still provide notice of breaches to affected New York residents, but there is no additional requirement if notice is made under Gramm-Leach-Bliley, Health Insurance Portability and Accountability Act (HIPAA), the New York Department of Financial Services (NY DFS) Cybersecurity Regulations, or other New York state data security regulations. The breach notification provisions in the SHIELD Act took effect on Oct. 23, 2019.

Third, and significantly for businesses that do not do business within the State of New York, the SHIELD Act now applies to any company that possesses the private information of even a single New York resident—even if the company does not conduct business in New York. All companies must now protect that data and report breaches to each impacted resident if they involve the resident’s private information.

Fourth, the SHIELD Act creates an entirely new obligation for all companies that own the private information of even a single New York resident to “implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information including, but not limited to, disposal of data.” Entities that already comply with Gramm-Leach-Bliley, HIPAA, the NY DFS Cybersecurity Regulations, or other New York data security regulations will be deemed to be compliant with the SHIELD Act’s data security requirements. For a company not otherwise deemed compliant, “reasonable safeguards” require implementing a “data security program” that includes administrative, technical, and physical safeguards to protect the private information. Unlike the New Jersey bills, the SHIELD Act lists specific measures that businesses can employ to achieve compliance, including, but not limited to, employee training; careful selection of service providers; risk identification and assessment; procedures to detect, prevent, and respond to attacks or intrusions; and disposal of private information no longer needed for business purposes.

While the obligations of the SHIELD Act are universal, it is important to note that a “small business”—defined as a business with (1) fewer than 50 employees, (2) less than $3 million in gross annual revenue in each of the last three fiscal years, or (3) less than $5 million in year-end total assets—is given some leeway (there is no exemption) and will be deemed compliant if the business establishes a security program that “contains reasonable administrative, technical, and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” The SHIELD Act’s data security requirements take effect March 21, 2020.

Finally, there is no private right of action under the SHIELD Act; the New York Attorney General alone is authorized to enforce these requirements.

Businesses should take affirmative and proactive steps now to ensure that they will be compliant with the heightened data security and privacy obligations imposed by the anticipated New Jersey law and the New York SHIELD Act. Although the New Jersey legislation has not yet been enacted, and its exact contours are undetermined, it is likely only a matter of time, so New Jersey businesses should begin now to focus on compliance. For any business that does not currently have a data security program, develop and implement one that is appropriate for the full scope of the company’s operations. And for any business that has a data security program in place, now is the time to review and update that program, focusing on the nature and scope of the personal information it collects, what that information is used for, who that information is shared with, and additional measures to enhance the privacy and security of personal information of New Jersey and New York consumers.


Reprinted with permission from the December 2, 2019 issue of the New Jersey Law Journal. © 2019 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved. For information, contact 877-257-3382 or reprints@alm.com or visit www.almreprints.com.