Businesses hit with a biometric or health data security breach could face heightened scrutiny from New York’s attorney general under changes to the state’s notification law, privacy attorneys said.
As of Oct. 23, companies whose customers include New York residents must alert Attorney General Letitia James (D) to such breaches under the New York SHIELD Act. Companies that collect health data will now have to report data breaches to the New York attorney general, in addition to federal authorities.
James’ office has been aggressive in probing data breaches, including recent investigations into Equifax Inc., Dunkin Donuts Inc., and Capital One Financial Corp. The state’s top cop is unlikely to let up on this pressure and may use the new data breach notice law to go after more companies for data breach notice failures, privacy attorneys said.
Representatives for the New York Attorney General’s Office didn’t immediately respond to requests for comment.
Privacy attorneys say businesses should revisit their data breach response plans and those collecting biometric or health information should carefully secure this data to limit state attorneys general enforcement risk.
Under the SHIELD Act, companies must notify James following a data breach involving a wide group of sensitive data, including Social Security numbers and driver’s license data. The increased transparency is likely to lead to more enforcement actions against companies that don’t do enough to protect biometric or health data, privacy attorneys said.
Companies also must adopt reasonable security measures by March 2020, among other new rules.
Businesses that have good processes and perform due diligence should have minimal regulator risk because they’ll be more prepared for any post-breach enforcement probes, Joseph J. Lazzarotti, a privacy principal at Jackson Lewis in New Jersey, said. New York companies want to make a good showing to the state attorney general that they acted reasonably after a data breach, he said.
Notice New Data
The biometric data notification requirement is likely to apply to a large number of companies that use the technology for employee time-management purposes. To prepare for possible data breaches, businesses should map how they collect and use biometric data, privacy attorneys said.
Companies that use time management or point-of-sale biometric systems will, for the first time, have to notify the state attorney general after a data breach of this information, Lazzarotti said.
Companies subject to data breach disclosure requirements under the federal Health Insurance Portability and Accountability Act (HIPAA) will no longer be exempt from New York’s notification requirement. Many states carve out these businesses from state notice laws because they already comply with HIPAA.
Some states like Texas require companies to notify state attorneys general about a health data breach. The requirement gives state attorneys general a better look into health data breaches for possible enforcement actions, attorneys said.
Businesses that collect data on New York citizens will have dual obligations to notify federal and state regulators of health data breaches, Ellen Moskowitz, senior counsel in the health care department at Proskauer Rose LLP in New York, said in an interview.
The updates to the SHIELD Act “assures that the New York attorney general will know about all the HIPAA breaches” that could have gone unnoticed, she said.
The revised law extends to other companies the reasonable data security standards that financial institutions already follow under the New York Department of Financial Services’ cybersecurity rules. Companies that haven’t had to follow the DFS rules will have to increase their cybersecurity protections by March 2020 to avoid regulator scrutiny, privacy attorneys said.
Companies that collect data on New York citizens will have to “implement reasonable cyber safeguards and controls including installing adequate network and software security, committing adequate resources and personnel, requiring employee cyber training, and ensuring proper data storage and disposal processes,” Joseph Moreno, cybersecurity and data privacy partner at Cadwalader, Wickersham & Taft LLP in Washington, said.
The new requirements may not be too hard to follow, privacy attorneys said. Many companies already adopt reasonable safeguards that line up with industry standards, they said.
The SHIELD Act tracks “what data security professionals are speaking about,” Moskowitz said.