New York Isn’t Sleeping on Consumer Privacy

Two years later the impact of Equifax’s massive data breach continues to be felt. As we reported last week, the FTC announced a $700 million settlement with Equifax. Then on Thursday, in reported response to the settlement, New York governor Andrew Cuomo signed two new data privacy bills into law.  

Here is a quick run down of the two privacy laws New York passed last week and how they could impact your business:

Senate Bill S3582

The first bill passed into law last week concerns consumer credit reporting agencies. Under the new law, all credit reporting agencies that have experienced a data breach are required to offer effected consumers free identity theft prevention and mitigation services for up to five years. The law additionally gives effected customers the right to freeze their credit at no cost.  

SHIELD Act

The second and by far most impactful of the laws passed is the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). While the focus is simply on breach notification procedures, the law is noticeable for the expanded scope of the regulation and the broadened definitions it introduces. 

In short, the new law requires businesses to report any breach of personal information that an organization hasWhat is notable, however, is that the SHEILD Act doesn’t just apply to businesses operating within New York. Instead, any organization that owns the personal information of New York residents must now comply with the reporting requirements.  

What’s more, the law expands the definition of what counts as a data breach. Traditionally, data breaches are understood as an instance where someone actually takes an organization’s data. The SHIELD Act, however, expands this definition to also include instances where the data has simply been accessed by an outside entity. The definition of personal information has also been expanded by thnew law to include biometric data and a usernames or email addresses in combination with a password or security question.  

In addition to notification requirements, the law requires businesses with the personal information of New York residents to implement “reasonable” security requirements. These include compliance with regulations such as HIPPA and GLBA as well as “reasonable administrative, technical and physical safeguards.” 

Lastly, the law lays out a new penalty framework for organizations that fail to properly report data breaches. Under the SHEILD Act, action against businesses will be pursued by the State Attorney General rather than through individual or class action civil suits. The law also increases the maximum penalty for organizations from $150,000 to $250,000.  

Signs of Regs to Come

These two new laws solidify the impression that New York is working hard to strengthen its stance on cyber security and data privacy. Just last month state senator Kevin Thomas introduced the New York Privacy Act, considered by some to surpass even the GDPR in the privacy rights it gives consumers. Perhaps the most unique feature the bill proposes is the concept of Information Fiduciaries. 

While the Privacy Act has a long way to go before passing into law, the ease with which these two laws were enacted may be a sign of things time.  

How The Cookie Crumbles

Cookies have been and continue to be an essential part of how we use the internet. In essence, cookies are small files created by websites you visit that are saved on your computer. The files contain information on what websites you visit and how you interacted with those sites.  

This might make any privacy-minded person pause. Why should we allow websites to create records of what we do online? Well, the answer isn’t so straight forward. Not all cookies are created equal. Some forms of cookies are essential to what we’ve come to expect from our online experience. Others are a little more suspect.  

First-Party Cookies

In general, first-party cookies are there to make our online experience easier and more convenient. They’re used by individual websites, and store information so you don’t have to re-identity yourself every single time you use a site. They allow you to stay logged into websites as you navigate between pages and visits to those sites. They save your location so you can quickly check the weather in your area or buy movies tickets without having to re-enter your information every time you use those sites. 

In short, we rely on first-party cookies every time we visit a website. Their essential to how we use the internet and don’t necessarily present a risk to your privacy online. 

Third-Party Cookies

Third-Party Cookies, on the other hand, are a different story. Unlike first-party cookies, these cookies track your movements between websites. These types of cookies are not created by the website your visiting, but by a third-party whose code is on that site. This could come from plug-ins, or, as is more often the case, from advertising platforms. These cookies can then keep track of your movement between any website that features these third-party codes.  

Because they are not limited to your interaction with one specific website, they can be used to construct a much larger and more detailed profile of not only your online presence, but personal characteristics, spending habits, and lifestyles.  

Taking Control of Your Cookies

Because cookies are such an important part of how we interact with websites, blocking all cookies is unnecessary and will make using sites far more inconvenient. However, depending on your level of comfort there are steps you can take to have more control of what cookies websites are using. 

  • One option is to change your browser’s privacy settings to ask permission before accepting cookies for all websites. You can choose which websites save cookies depending on your level of trust and how frequently you use those sites. 
  • Most browsers also give you the option to only block third-party cookies. This will still allow individual websites to save information about how you use their sites but will stop entities from tracking your movement across the web. There are also several ad-blocking extensions you can use that will remove advertising codes from websites when you visit them, effectively blocking those third-parties from saving cookies on your computer. 

Cookie Disclosure Requirements

By now, you’ve probably seen many websites display banners either stating that they are using cookies or asking consent for their use. This is due to several laws coming out of EU that now require websites to obtain consent to use cookies. The ePrivacy Directive was implemented in 2002 and was the first of such laws to require notification of a website’s use of cookies.  

However, the newly enacted GDPR has further enhanced these requirements. Now, websites are required to not simple notify users that cookies are being used, but most give information on how those cookies will be used and gain consent from users for each of those purposes.  

While the U.S. currently does not have such laws in place, if your organization has servers in an EU nation, you may still be subject to GDPR restrictions. In any case, it is likely such regulations will be also enacted in the U.S. soon, so many organizations are choosing to display such banners preemptively.  

Cyber Security Regulations for Small and Medium Size Businesses

As cybersecurity concerns increase, so have government regulations. The problem, however, is that these regulations are not all enforced on the federal level, and sometimes pertain only to specific types of businesses. It is important for  businesses to understand the regulations for their industry and/or geographic location and take steps to put the right cybersecurity program in place in order to comply. To help with that process, here is a short guide to four of the most important cybersecurity and privacy regulations in the U.S. today.

  • HIPPA –  The Health Insurance Portability and Accountability Act of 1996 (HIPPA) is one of the oldest and well-known federal privacy regulations in the U.S. These regulations requires that all companies within the healthcare and health insurance industry implement administrative, physical, and technical safeguards to ensure the protection of all electronic health information. This includes periodic risk assessment reports, workforce training and management, and access and audit controls. More information on HIPPA and how to ensure compliance can be found here

 

  • NYSDFS Cybersecurity Regulations – In 2017 The New York State Department for Financial Services put in place regulations for all financial institutions requiring a license to operate in New York. These regulations require that a comprehensive cybersecurity program be put in place including the designation of a Chief Information Security Officer, the implementation of cybersecurity policies based on  a comprehensive risk assessment, and periodic penetration and vulnerability tests. The regulations require businesses to provide cybersecurity training for employees, limit the amount of time data is retained, encrypt all nonpublic information, audit their third party vendors, develop an incident response plan, as well as notify the NYSDFA of any breach of nonpublic information. 

 

  • Securities and Exchange Commission: As of 2018, the SEC has put in place cybersecurity initiatives designed to protect retail investors from cyber-related attacks. These regulations effect all investment and public companies operating in the U.S. The role of these initiatives is primarily to provide resources for business to identify and assess cybersecurity risks, detect compromises to systems, plan for response to compromises, and steps to recover stolen data. However, SEC does require companies to report how data is being secured, and any cyber-related incidents such as data breaches. You can find the SEC’s resource page here. For even more information, the Financial Industry Regulatory Authority has additional resources and checklists for small business.

 

  • California Consumer Privacy Act (CCPA): The CCPA is one of the newest regulatory laws in the U.S. and provides consumers extensive control over how businesses collect and use personal information. The law applies to all for-profit entities doing business in California that collect personal consumer data. According to the CCPA, companies must provide consumers information on what data is being collected, and gives consumers the right to opt-out of the sharing or selling of personal information. Consumers additionally have the right to sue if a breach occurs when the company used careless or negligent means to protect data. The CCPA will go into effect in January 2020, and the full initiative can be found here

 

 

While not all of these regulations are will pertain to your business, it is likely that such initiatives will be standardized across industries and states in the near future. It is therefore essential that businesses begin to put some of these practices in place now. Here are some basic steps that can be taken today:

  1. Develop a cybersecurity policy. Two tools that can help come from the National Institute of Standards and Technology (NIST), which provides security and privacy controls for federal organizations, and the International Organization for Standardization (ISO), which specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS) within the context of the organization.
  2. Work towards improving the security controls in the organization with special emphasis on access control, data encryption, security governance, incidence response, vulnerability management (eg: patching and scanning), and vendor management.
  3. Train everyone on their role in cybersecurity
  4. Have someone in the organization responsible for cybersecurity and make sure they are getting training.

Finally, while the emphasis in this post is compliance, recognize who you are really doing this for:  your customers, your employees, your investors and yourself.

First Insurance Data Security Act Goes into Effect in South Carolina

As of the first of this year the South Carolina Insurance Data Security Act has gone into effect. These regulations are based primarily on the National Association of Insurance Commissioners’ Data Security Model Law and are the first of its kind in the U.S. However, given increasing public scrutiny on how business handle sensitive information, it is likely such regulations will be taken up by other states in the years to come. New York, for instance, already has in place similar regulations via the Department of Financial Services. Not even to mention the California Consumer Privacy Act of 2018. Insurance Carriers, brokers, agents and other licensed entities should therefore take some time to familiarize themselves with these new regulations.

 

The South Carolina Insurance Data Security Act contains two major aspects:

 

  1. It requires any “person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to [ ] insurance laws” to notify the state within 72 hours of any cyber security event. The regulation defines such an event as any “resulting in unauthorized access to or the disruption or misuse of an information system or information stored on an information system.”

 

  1. Licensee’s are required to maintain a comprehensive information security program that details how the company will protect the security and confidentiality of private information against the outside threats. Companies must conduct a full risk assessment of a cyber security event in order to then design and implement a program to mitigate identified risk.

 

  1. Licensees will also be required to implement a third party provider program and to require their providers implement appropriate administrative, technical and physical measures to protect non-public information and relevant systems.

 

It must be noted that these regulations not only pertains to insurance companies, but will also impact insurance brokers, agents other licenses and their third party vendors. The first deadline is a written security program in place by July 1, 2019.  The implementation of a third party provider program needs to be in place by July 1 2020.

 

Moreover, the regulations themselves could easily be applied to fields outside of insurance. The concept of an information security program, for instance, is something that any business handling private information should begin considering in the event that similar regulations are applied across other states and in different sectors.

 

     

    Privacy is coming out of the shadows. Should businesses be scared?

    Just a few months after Facebook’s highly-publicized data breach California passed the strongest regulations on the collection and sale of personal information that the U.S. has ever seen. Around the same time, the EU passed the General Data Protection Regulation (GDPR) that even surpass the new regulations in California. Then, late last month, Google admitted to a breach of information on their Google+ platform that potentially affected over 500,000 users.

    What businesses now need to realize is that such high-profile scandals will likely have direct impacts not simply in Silicon Valley, but on a national and even global scale.

    In fact, on October 22, Google, Facebook, Apple and Microsoft are endorsing a federal privacy law based upon a framework developed by the Information Technology Industry Council.

    To help businesses better understand the impact privacy regulation may have for them, we have put together the top three implications these new regulations could have on businesses in the coming months.

    Consumers will play an active role in how companies collect and use personal information

    Perhaps the strictest aspect of California’s new regulations is the central role consumers will now play in deciding how (or if at all) their information is used. Consumers now have the right to request from companies not only what information is being collected (even allowing the consumer to request an accessible copy of that data), but also for what purpose. Moreover the law allows consumers to request that companies deleted their personal information and can even opt-out of the sale of such information.

    A broader definition of protected private data.

    The California Privacy Act substantially broadens what is considered ‘personal information’ and therefore increases the scope of regulations beyond what we generally consider tech companies. Under the new regulations, ‘personal information’ now includes the consumers’ internet activity, biometric data, education and employment information, as well as information on the consumer’s purchases and personal property. Broadening the definition of personal information therefore implicates far more businesses than the likes of Facebook and Google. Now, any company that collects or uses such consumer data will be subject to regulation.

    Targeted advertising will become less effective

     The effectiveness of targeted online advertising campaigns relies on the extreme specificity enabled by access to consumer data. As Dipayan Ghosh of the Harvard Business Review points out, these regulations will have any impact on any business that makes use of online advertising. Targeted campaigns will become less precise and may therefore “significantly cut into the profits [ ] firms currently enjoy, or force adjustments to [ ] revenue-growth strategies.”

     Any business that has customers in California need to be seriously considering how they will now comply will these new regulations. What’s more, discussions of putting in place federal regulations are well underway and it is possible that California’s new private information laws could form the basis of such regulations. It is therefore in the best interest of any business that makes use of consumer data to seriously consider what impact such regulations could have in the coming months and years.

     What should businesses be doing now, even if they don’t fall into under California or GDPR privacy regulations?

    1. Know what data you are capturing and where it is stored.  Review your data flows in your customer, accounting, employee and other databases so you know what you are capturing, the reason you are capturing it and where you are storing it.  Keeping an accurate data inventory is critical. And, it makes good sense.
    2. Be Transparent to your users with what you are doing with their data.  Review your privacy policies.  Make sure they are free of legalese and clearly explains what you will doing with the data, who (if any) will you share the data with and what rights the user has if they want to have the data changed or removed.  Try not to think of this as a compliance exercise. Think of it as customer engagement. By doing so, you can create a better relationship with your customers because you show that you respect them and their information.
    3. Ask before you Capture — Where possible, get the user’s consent prior to capturing the data.  You will have better customers if they opt in to the relationship rather than finding themselves in one.

    Privacy does not have to be viewed as compliance or even a restriction on doing business.  In fact, successful businesses going forward will use privacy as a tool for increased customer engagement.