Tag Archives: New York

Will New York Follow In California’s Footsteps?

The New York Privacy Act was introduced last month. Like California’s CCPA, it gives consumers more power over their data, but in addition to that, it would require companies to put their customers’ privacy before their own interests. I am sure that there will be a huge lobbying effort by special interests.

While the sponsor is still looking for cosponsors in the lower house, he thinks he already has enough votes to pass it in the Senate.

The Committee on Consumer Protection is scheduled to hold a hearing this week.

Like California’s law, this bill would allow people to find out what data companies are collecting, who they are sharing it with, get it deleted, make companies correct incorrect data and stop companies from sharing the data with third parties.

One difference from the California law is that this bill allows consumers to sue companies over privacy violations. One compromise that was made when the California bill was passed was to change that to only allow a private right of action in cases where there was a breach. Here, a private right of action would exist for any violation.

Another big difference is that while the California law only applies to companies with revenues over $25 million (or a couple of other situations), this bill would apply, like Colorado’s law does, to any company of any size.

Obviously, the big companies (Facebook, Google and others) and their lobbyists (the Internet Association) are more than just freaking out. They are saying that keeping customers’ data private is “unworkable for businesses,” which really means that it messes with their business model, and that it fails to give residents meaningful control over their data, which makes no sense at all. Are they suggesting that their current business model already gives people meaningful control over their data? That certainly doesn’t seem to be the case.

While I certainly agree that a law like this messes with the business models of some companies that have built a business around selling your data, if those businesses have something that people find valuable, most people will recognize that this is a reasonable trade.

What is required is transparency and that is something that folks like Google and Facebook fight, because they know that for many people, it is not worth the trade.

This is far from law, but definitely a bill to watch.

The name of the bill is NY S 5642.

While this bill may not pass in its current form, it seems like the handwriting is on the wall and smart businesses will start to understand privacy concerns and rework their business models to take that into consideration.

Information for this post came from Wired (registration required).

 


NY Introduces Tough New Cyber Security Bill

New York already has one of the toughest cyber security regulations in the country, but it only applies to financial services firms like banks, mortgage companies and investment advisors.

After the Equifax breach, New York Governor Andrew Cuomo proposed that they add credit reporting agencies to the list of companies covered by the New York regulation called DFS 500.

This week New York Attorney General Eric Schneiderman proposed tough new legislation that would increase the coverage of New York law to all companies who handle non-public information of New York residents.  Schneiderman says that the update is needed.

The Stop Hacks and Improve Electronic Data SecuritY or SHIELD Act was introduced in both legislative houses.

Schneiderman said that his office received notice of 1,300 breaches in 2016, a SIXTY PERCENT INCREASE over the previous year.

Some business officials wondered how it would be enforced on out of state companies, but a similar requirement currently exists in a number of other states.

The law has modest penalties – up to $5,000 per violation or $20 per failed notification, up to $250,000. Compare this to the new data privacy law in Europe which allows for fines of 20 MILLION Euros or more.

Small businesses, meaning those with fewer than 50 employees that also meet some other requirements, would only have to implement security appropriate for the size of the company and the risk.

The law also says that companies that obtain independent certification of their security practices and achieve high marks would be immune from enforcement actions.  This is a great incentive to conduct annual cyber risk assessments.

The Business Council of New York State, a trade group of over 2,000 businesses, said that businesses are not bad actors and are interested in protecting their customers’ data. If that is true, they should be conducting an annual independent third party risk assessment anyway and if their program comes away with high marks, they have immunity. So, if they do protect their customers’ data effectively, they have nothing to worry about from this bill, even if they do get breached.

Schneiderman has a reputation of being tough on companies that get breached and hackers who breach companies, so this new bill is not unexpected.

Information for this post came from Law.com.

The text of the bill can be found here.


New York tracks you by your license plate – and keeps it

According to an item in USA Today, counties in New York State not only snap pictures of your license plate, but keep them in a database with date-time and location information.

The data is accessible by police throughout the state as well as the Department of Homeland Security.

If you take a bunch of pictures of your license plate at different times, you can piece together a picture of where you go, what you do and who you connect with.

I suspect that the courts will say that when you are out and about you have no reasonable expectation of privacy.  You and I might view it differently, but I doubt the courts will.

Here is the interesting part of this. While the cameras can be used to ferret out stolen cars, wanted people and expired license plates, that group, collectively, probably represents 1/100th of 1 percent of the pictures taken. The rest are people going about their daily business, not committing a crime and being watched.

There is no central database; each county does their own thing and there are no statewide rules about it.

Here is a little data:

  • Monroe, Albany, Westchester and New York City keep the data for 5 years.
  • The New York State Police keeps the data for 5 years also.  They have 140 cameras.
  • Erie and Onondaga counties keep the data for 1 year.
  • Monroe County had 3.7 million snapshots as of last week.
  • Onondaga County had 5.2 million as of a couple of weeks ago.
  • Albany County, where the state capital is, had 37 million pictures.
  • Erie County said they have the capacity to store 12 million pictures and plan to add more storage.
  • Most agencies declined to say how many pictures they had.

In a sense, this is like the NSA – no rules, no watchdogs, no transparency – just trust us.

To me, that doesn’t seem like a really good plan – just saying!

 

 
