Testimony to Senate Standing Committees on Consumer Protection & Internet and Technology
June 4, 2019
Chairman Thomas, Chairwoman Savino, Senators. Thank you for the opportunity to address you today. My name is Johnny Evers, Director of Government Affairs for The Business Council of New York State, Inc. The Business Council is the state’s largest business and industry employer association, representing over 2,400 companies. I am also responsible for The Business Council’s Information Technology, Telecommunications and E-Commerce Committee. Our IT committee is comprised of hundreds of companies who manufacture technology products; utilize, or engage in technology; operate on the so-called “platform economy”, and create the new digital markets of the 21st century.
As part of a new digital age, our companies – large and small – have evolved and in many cases re-invented themselves to meet the demands of markets and consumers, and to keep pace with technological advances. Key in this evolution is the processing of data. Commerce and financial services are particularly important parts of this interconnectivity, with data serving as the intermediary between goods/service and the individual - often in the form of electronic exchange. When consumers place their personal information in the hands of our businesses, they place a trust in these businesses to handle their information safely. Likewise, businesses have a responsibility to safeguard this information and prevent its unintentional access or release. To that end, we have had numerous discussions with administration and legislative representatives, and have worked very closely with the Attorney General’s office on their proposed “SHIELD Act,” in order to provide business input in a growing area of government regulation and oversight.
At the outset, let me state that S.5575-A / A.5635-A is not a perfect bill. But, as in all things that are rapidly changing and advancing, it is a good start. In fact, this bill has been the subject of well over 2 years of discussions, conferences, and negotiations among The Business Council, the Office of the Attorney General, and the sponsors. We are extremely appreciative that Attorney General James enlisted our input. Likewise, we are appreciative that the sponsors of the measure in the Legislature, Assemblyman DenDekker and Senator Thomas, have recently accepted amendments to address key concerns of various stakeholders, including IT business.
This legislation provides workable, baseline standards for both security features and notification practices for New York State businesses. Importantly, it recognizes existing standards that are universal for businesses nationwide, with clear reporting mechanisms that are largely already in place and best suited to protect the consumer. Federal guidelines, as well as universal state standards such as recent reporting regulations by the Department of Financial Services (DFS), are recognized and accommodated in this new law. This will avoid confusion that would be caused by having businesses and/or sectors being subject to multiple standards, an outcome that would only serve to complicate the system with no new discernable benefit to consumers.
S.5575-A / A.5635-A places into the general business and state technology laws several provisions to stop hacks and improve electronic data security. First, the bill explains the interconnectivity of “personal information” and “private information” and the use of this identifying information in conjunction with financial or biometric information (passwords, etc.) to access and acquire personal data. Second, the bill delineates the differences between internal, inadvertent breaches of private data and external access and acquisition of the data. In the case of the former, an inadvertent breach can be addressed as an incident under which data is accessed internally by those who should not be viewing such data, but no adverse impact has been caused nor any evidence of malicious intent to utilize this data. In these cases, the incident must be documented in writing and, if it impacts over 500 New York State residents, must also be sent to the Attorney General. These records must be maintained for 5 years.
In the case of a breach of the security system under which it is evident that data has been both accessed (an external non-authorized breach from outside the system) and acquired (the information has been “viewed”, “used”, or “altered” by an unauthorized person leading to “download” or copying for intent to use maliciously), entities would be required to notify consumers immediately following discovery. A variety of methods including, but not limited to, written notice, telephone, e-mail, etc. may be utilized. At the same time, entities must notify the Attorney General (as well as the State Police and Department of State) in all instances of an “accessed and acquired” data security breach. If entities fail to follow these procedures, they are subject to action by the Attorney General. Entities are required to provide state officials with a template of the notice as well as relevant websites and telephone numbers of federal and state agencies “regarding security breach response and identity theft prevention and protection information.”
One key provision in the bill is the adoption of new data security protections under a new §899-bb of the general business law that places into state law the acceptance of existing federal and state security provisions. These include Gramm-Leach-Bliley, HIPPA, Part 500 of Title 23 of the official compilation of codes, rules, and regulations of New York State, and “any other data security rules and regulations” administered by official departments of federal and New York State governments. The Attorney General will review the cases of breach and determine what, if any, security practices and systems the entity has been following, and if proper notification procedures were followed.
As to small business entities, defined as those under 50 employees or those under certain monetary thresholds, new guidelines are placed into law. Generally, these guidelines are defined as “reasonable”. Small businesses must maintain a “data security program” that insures a baseline, minimum data security system such as training of employees to handle data properly and software and updates that “assess risks” in both network and software design. These protective provisions insure data is accepted, processed, stored, and disposed of properly by small businesses.
In discussing the bill with the Attorney General’s office over that last 2 years, we would have preferred “acquisition” as opposed to the bill’s current standard of access or acquired in regards to data breaches and their subsequent reporting to that office. The reporting mechanism designed to insure that the Attorney General receives inadvertent breach (as opposed to external “acquisition”) occurrences is also something we would have preferred to avoid. The reasons are simple: reporting “inadvertent” internal breaches may possibly provide the Attorney General with a number of reports that contain information on breaches that do not result in consumer data acquisition. The same is true with regard to “accessed” breaches that fail to penetrate the system to the degree that it results in any data being “acquired” subsequent to an initial access. The Attorney General’s staff claims they are relevant to investigations and therefore we have dropped our initial objection, but we urge that after implementation, this provision of law can be revisited.
We are pleased that, under this bill, any action by the Attorney General must be brought within 3 years of the breach or 3 years of the Attorney General being made aware of the breach, with a statute of limitation being 6 years (except if evidence is found that the breach was hidden). Initial drafts were far too expansive and provided no clear end point as compared to the triggering event. The Business Council is also pleased that the new version of the bill maintained language stating there is no private right of action under this law. We are also grateful that this bill – and this is at least the fourth permutation of this legislation – addresses various parts that we believed would prove unworkable. As stated above, the bill still contains some provisions that we do not support, such as the doubling from ten to twenty dollars the civil penalty per violation.
It is gratifying that the new law holds government entities to the same standards as those in the private sector and maintains the exact same baseline data protection standards for New York State government and agencies, as well as similar reporting mechanisms. Further, it enlists the help of the New York State Office of Information Technology Services (ITS) to study any breaches and make recommendations for restoration and improvements to the system. Further, it charges ITS with a delivering a report within 90 days on any breach and mandates ITS develop “regular training to all state entities relating to best practices for the prevention of a breach of the security of the system.”
Overall The Business Council supports this initiative and appreciates the opportunity to be engaged in this process.