N.Y. Gen. Bus. Law 899-aa

Video Activity

Time
7 hours 2 minutes
Difficulty
Intermediate
CEU/CPE
7
Video Transcription
00:00
>> In Lesson 10.4, we're going to continue our review of several US state-level data breach notification laws. In this case, we're going to look at New York's data breach notification law. We have several learning objectives. We're going to look at who has to comply with this law. We're going to look at the definitions of personal information. How does it define a breach of private information? We're going to look at whether it has a requirement for an analysis of risk of harm. We'll look at whether there's a safe harbor provision that removes the need to notify regulators and affected persons if the information is encrypted, rendered unreadable or unusable, or has been redacted. We'll look at the requirements for notifications to individuals and regulators, and we'll conclude with a discussion of enforcement, the private cause of action, that is, your right or the state's right to sue in civil court, and also any penalties for non-compliance.

Let's look at this law. We looked at the California and Texas laws previously. We looked at how they define personal information. They use different terminology, but again, many of the identifiers were the same. Now, New York takes a different approach. It defines personal information as well as private information. The broader definition, personal information, is any information concerning a natural person, a living, breathing person, which, because of a name, number, personal mark or some other type of identifier, can be used to identify that natural person. Now, New York also defines private information, and it is the unauthorized disclosure, acquisition or access of private information that triggers a data breach notification under this New York law.

Much like we saw with the previous laws, it defines private information as personal information in combination with one or more of the following identifiers, if the information itself is not encrypted, or if it is encrypted with an encryption key that has been compromised. We're talking about social security numbers; driver's license or non-driver ID card information like state identification numbers; financial account information, credit card numbers and debit card numbers in combination with some type of security access information; and biometric information, like we saw in the case of California. We're also talking about a username or email address in combination with some type of access information, a password or a security question and answer, that would allow someone to gain unauthorized access to an online account.

It also defines a data breach. In this case, we're talking about the unauthorized access to or acquisition of private information, and in this case computerized private information, that compromises the security, confidentiality or integrity of that private information stored by the individuals or businesses that have to comply with this law.

Now, the New York law has an extensive analysis-of-risk-of-harm requirement that far exceeds what is stated under the California or Texas laws. It says that once the covered entity has determined that a breach of private information has been discovered, it needs to conduct a risk assessment. That risk assessment is based on any indications that the information is in the physical possession and control of an unauthorized person, for example if someone has lost a smart device or a computer, or if information has been stolen; whether someone has actually downloaded or copied that information; or whether the information was used by an unauthorized person for fraudulent purposes or to engage in identity theft.

Now, it says that those companies, those businesses that have to comply with this law, must provide notice to those affected people if it was an inadvertent disclosure by persons authorized to access the information. If you divulge this information to someone that was authorized to receive it, then that doesn't require notice.

Now, the law does state that, again, if the information was disclosed via the use of a username or email address in combination with some type of access information that would allow someone to access an online account, then, once you've done that analysis, it has to be documented in writing, and that covered entity must maintain that documentation for at least five years. In the event that this breach affects more than 50 New York residents, then that covered entity must provide the written risk analysis to the State Attorney General within 10 days after concluding that risk assessment.

There is a safe harbor provision for divulged private information that's been encrypted, rendered unreadable or unusable, or redacted, but again, like we saw in the previous two laws, that's only under certain circumstances.

Now, New York's law says that once you determine there's a breach of private information, then again, you have to notify individuals in the most expedient time possible and without unreasonable delay. Now, it also has a law enforcement delay provision: law enforcement can request that the business or individual not make notification if it's going to impact a criminal investigation. But then, just like we saw in the other two laws, they then have to immediately notify those affected persons.

As for the notification-to-regulators requirements, it states that, again, if you have to comply with this law, you've got to notify the State Attorney General, the Department of State and the Division of State Police, providing them information on the timing, content and distribution of the notices and the approximate number of affected persons, and you've got to do that without delaying notice to affected New York residents. Now, if more than 5,000 New York residents are to be notified at one time, then you also have to notify the consumer reporting agencies and provide them with the same information, the timing, content and distribution of the notices and the approximate number of affected people. That notice, too, should be made without delaying notice to those affected New York residents.

Now, it also has a condition where, if you have to comply with this law and provide notification of a breach, including a breach of information that is not considered private information, and it involves medical information, you have to notify the Secretary of Health and Human Services in compliance with HIPAA. If you have to make those disclosures because there's been a disclosure of protected health information or electronic protected health information, and you have to notify the Secretary of Health and Human Services, then you've got to notify the State Attorney General within five business days of notifying HHS.

It's going to be the New York Attorney General that enforces this law, and they can issue temporary injunctions that have the covered entity cease processing this private information. There are also civil penalties for non-compliance with the law. It says that the courts can award damages for actual costs or losses incurred by New York residents entitled to notice under this law. It says that if the business or person was acting in a reckless manner, then the court can also assess civil penalties of the greater of $5,000 or up to $20,000 for each instance of failed notification. There's also a cap in this law, where again, the total can't exceed $250,000.

Now, Question 1 asks how personal information and private information are defined under New York law: the answers are A and B. Question 2 asks when New York's data breach notification law requires covered entities to notify affected individuals. The appropriate answer is A.

In summary, we took a good look at New York's data breach notification law. We saw that it had many similarities to the California and Texas laws in the way it defined personal information and private information, and also in the way it defined a data breach of private information. We said that there was a safe harbor provision and that it did require an analysis of risk of harm. There are also penalties for non-compliance from a civil perspective.