Published on October 14th, 2019
New York Set to Launch New Biometric, Health Breach Notice Rules
Businesses hit with a biometric or health data security breach could face heightened scrutiny from New York's attorney general under changes to the state's notification law, privacy attorneys said.
As of Oct. 23, companies whose customers include New York residents must alert Attorney General Letitia James (D) to such breaches under the New York SHIELD Act. Companies that collect health data will now have to report data breaches to the New York attorney general, in addition to federal authorities.
James' office has been aggressive in probing data breaches, including recent investigations into Equifax Inc., Dunkin Donuts Inc., and Capital One Financial Corp. The state's top cop is unlikely to let up on this pressure and may use the new data breach notice law to go after more companies for data breach notice failures, privacy attorneys said.
Representatives for the New York Attorney General's Office didn't immediately respond to requests for comment.
Privacy attorneys say businesses should revisit their data breach response plans, and those collecting biometric or health information should carefully secure this data to limit enforcement risk from state attorneys general.
Under the SHIELD Act, companies must notify James following a data breach involving a wide group of sensitive data, including Social Security numbers and driver's license data. The increased transparency is likely to lead to more enforcement actions against companies that don't do enough to protect biometric or health data, privacy attorneys said.
Companies also must adopt reasonable security measures by March 2020, among other new rules.
Businesses that have good processes and perform due diligence should have minimal regulator risk because they'll be more prepared for any post-breach enforcement probes, Joseph J. Lazzarotti, a privacy principal at Jackson Lewis in New Jersey, said. New York companies want to make a good showing to the state attorney general that they acted reasonably after a data breach, he said.
Notice New Data
The biometric data notification requirement is likely to apply to a large number of companies that use the technology for employee time-management purposes. To prepare for possible data breaches, businesses should map how they collect and use biometric data, privacy attorneys said.
Companies that use time management or point-of-sale biometric systems will, for the first time, have to notify the state attorney general after a data breach of this information, Lazzarotti said.
Companies subject to data breach disclosure requirements under the federal Health Insurance Portability and Accountability Act (HIPAA) will no longer be exempt from New York's notification requirement. Many states carve these businesses out of their state notice laws because they already comply with HIPAA.
Some states, like Texas, require companies to notify state attorneys general about a health data breach. The requirement gives state attorneys general a better look into health data breaches for possible enforcement actions, attorneys said.
Businesses that collect data on New York citizens will have dual obligations to notify federal and state regulators of health data breaches, Ellen Moskowitz, senior counsel in the health care department at Proskauer Rose LLP in New York, said in an interview.
The updates to the SHIELD Act "assures that the New York attorney general will know about all the HIPAA breaches" that could have gone unnoticed, she said.
Reasonable Security
The revised law extends to other companies the reasonable data security standards that financial institutions already follow under the New York Department of Financial Services' cybersecurity rules. Companies that haven't had to follow the DFS rules will have to increase their cybersecurity protections by March 2020 to avoid regulator scrutiny, privacy attorneys said.
Companies that collect data on New York citizens will have to "implement reasonable cyber safeguards and controls including installing adequate network and software security, committing adequate resources and personnel, requiring employee cyber training, and ensuring proper data storage and disposal processes," Joseph Moreno, cybersecurity and data privacy partner at Cadwalader, Wickersham & Taft LLP in Washington, said.
The new requirements may not be too hard to follow, privacy attorneys said. Many companies already adopt reasonable safeguards that line up with industry standards, they said.
The SHIELD Act tracks "what data security professionals are speaking about," Moskowitz said.