Page 28 - SMRH Eye on Privacy 2019 Year in Review Brochure
Preparing for New York’s New Data Security Requirements
Posted on August 26, 2019
New York recently passed the SHIELD Act, which, among other things, newly establishes data security requirements for companies that collect private information about New York residents. The data security protections required by the Act go into effect in March 2020. Companies that are already subject to and compliant with data security requirements under HIPAA, GLBA, or the NYDFS will be deemed compliant with this new law. Between now and March, companies will want to think about these new data security provisions.
Under the new requirements, companies will need to develop and implement “reasonable safeguards” to protect the security, confidentiality and integrity of computerized data that includes private information. The private information that companies must protect includes social security numbers, driver’s license numbers, financial account numbers, biometric information, and other personal information that, if breached, would give rise to a duty to notify. Companies will be deemed in compliance with the Act’s requirement for reasonable safeguards if the company has implemented a data security program that establishes certain administrative, technical, and physical safeguards. This includes designating one person in charge of coordinating the program, conducting employee training on security practices, requiring (by contract) that service providers similarly maintain appropriate safeguards, regularly testing and monitoring the effectiveness of systems and controls, conducting risk assessments relating to network and software design, disposing of private information after it is no longer needed, and modifying the program in light of business changes or new circumstances. The law does not provide for a private right of action.
PUTTING IT INTO PRACTICE: Prior to March 2020, companies should re-evaluate their existing data security program against the data security program outlined in the Act to take advantage of the compliance presumption, and should consider, if not done already, memorializing such data security program in writing.
Bombas Settles with NYAG Over Credit Card Data Breach
Posted on July 11, 2019
Modern sock maker Bombas recently settled with New York over a credit card breach, agreeing to pay $65,000 in penalties. According to the NYAG, malicious code was injected into Bombas’ Magento ecommerce platform in 2014. The company addressed the issue over the course of 2014 and early 2015 and, according to the NYAG, determined that bad actors had accessed customer information (names, addresses and credit card numbers) of almost 40,000 people. While the company notified the payment card companies at the time, it concluded that it did not need to notify impacted individuals because the payment card companies “did not require a formal PFI or otherwise pursue the matter beyond basic questions.”
In 2018, Bombas updated its cyber program, causing it to “revisit” the incident, deciding to notify impacted individuals and attorneys general. The NYAG concluded that the company had delayed in providing notice in violation of New York breach notification law, which requires notification “in the most expedient time necessary.” In addition to the $65,000 penalty, the company has agreed to modify how it might handle potential future breaches. This includes conducting prompt and thorough investigations, as well as training for employees on how to handle potential data breach matters.
PUTTING IT INTO PRACTICE: This settlement is a reminder to companies to ensure that they have appropriate measures in place to investigate potential breaches, and understand their notification obligations.