
A Bridge Too Far?

Okay, gonna do some local humor. What bridges are these?

[Image: TappanZeeBridgeFromBelow.JPG]

The first one is the Verrazzano-Narrows Bridge between Brooklyn and Staten Island. The second one is the Tappan Zee Bridge between Tarrytown (NY) and Nyack. Neither of these is a bridge too far, and I have traveled over both of them many times.

But New York is following in the footsteps of California, and State Sen. Leroy Comrie has introduced the “It’s Your Data Act” (SB 9073). Who knows if it will pass, but it sounds a lot like CCPA/CCRA/GDPR.

In particular it:

  1. It amends New York’s civil rights law to create a new “right of privacy”. That is something Facebook would be thrilled about.
  2. It also would amend the state’s general business law to add features similar to those in these other privacy laws.
  3. Like CCPA, it would affect businesses with more than $50 million in revenue -OR- that buy/sell/disclose information on more than 50,000 consumers, households or devices -OR- that derive more than 50% of the company’s revenue from selling your data.

It requires businesses to disclose:

  1. Your rights as a consumer
  2. Categories of sources from which information was collected
  3. Categories of third parties with whom your data is shared
  4. Length of time information is retained
  5. And several more rights

The retention disclosure requirement is new to New York and does not exist in CCPA or CCRA.

Among consumers’ new rights are:

  1. Right to deletion
  2. Access to retained personal information
  3. Access to disclosure of personal information to third parties
  4. Consent to additional collection or sharing of personal information
  5. Right to not be discriminated against for exercising these rights

Unlike California’s law, it requires reasonable security practices and procedures to protect that information (reasonable to a jury, that is).

Lastly, unlike CCPA, which only allows a private right to sue a business in case of a breach, the IYDA proposes the same $750 in damages (or more if actual damages are higher) per consumer, per violation FOR ANY VIOLATION OF THE LAW BY A BUSINESS. That could change the equation of whether it is cheaper to be breached than to be secure.

Of course, bills come and go and change a lot, so do not assume that this is what it will look like IF and WHEN it comes out the other end.

Businesses need to rethink the relationship they have towards security and privacy practices because even if this bill does not become law, others like it will. There was another bill introduced in New York earlier this year that proposed that companies that collect your data would have a fiduciary responsibility around using and protecting that data.

In light of that bill, is the IYDA a bridge too far? Seems pretty tame by comparison. Credit: JDSupra and Hinshaw Law Firm

Security News for the Week Ending January 24, 2020

Breaches Gone Wild – Very Wild

Since the EU’s GDPR went into effect on May 25, 2018 – about 18 months ago – 160,000 breaches have been reported to EU authorities. A calculator will tell you that means people are reporting between 250 and 300 security incidents A DAY!

If you think that, magically, 18 months ago the number of breaches that were occurring skyrocketed – well, that is not likely. At least one of the data protection authorities says that there is over-reporting, but that two thirds of the reports are legitimate.

So far companies have PAID about $125 million in fines, and the largest single fine was about $55 million. Expect many more fines in the future, since the authorities have not processed most of those 160,000 reports. Source: ZDNet

Hacker Posts 500,000 Userid/Password Combinations

A hacker who is changing his business model posted the userids, passwords and IP addresses of 515,000 servers, routers and IoT devices on the Internet. The hacker had used the compromised devices to attack other computers in Distributed Denial of Service attacks.

But he has decided to change his business model and instead use powerful servers in data centers to attack his victims, so he didn’t need all of these devices anymore.

What is not clear is why he published the list. He certainly could have sold it. Maybe he thought that if the list became public, people would change their passwords from the default or easy-to-guess ones they were using. Source: ZDNet


New York State Wants to Ban Government Agencies From Paying Ransoms

Two NY Senators, a Republican and a Democrat, have each introduced bills that would outlaw using taxpayer money to pay ransoms. One of the bills includes language to create a fund to help local municipalities improve their security. Given the number of attacks on government networks, this would cause some tension: a city that could pay a ransom might be operational again in a few days, whereas a city that didn’t have good backups could take months to recover. Stay tuned. Source: ZDNet


U.N. Report: Bezos Hacked By Saudi Prince MBS

Some people are questioning the report by U.N. experts that Amazon and Washington Post CEO Jeff Bezos’s phone was hacked by Saudi Crown Prince Mohammed bin Salman. The report says that the hacking can be tied directly to a WhatsApp message sent from MBS’s phone. Given other things MBS is accused of doing, this is certainly possible. While the Saudis, not surprisingly, called the report absurd, others are calling for an investigation. Source: The Register

Will New York Follow In California’s Footsteps?

The New York Privacy Act was introduced last month. Like California’s CCPA, it gives consumers more power over their data, but in addition to that, it would require companies to put their customers’ privacy before their own interests. I am sure that there will be a huge lobbying effort by special interests.

While the sponsor is still looking for cosponsors in the lower house, he thinks he already has enough votes to pass it in the Senate.

The Committee on Consumer Protection is scheduled to hold a hearing this week.

Like California’s law, this bill would allow people to find out what data companies are collecting, who they are sharing it with, get it deleted, make companies correct incorrect data and stop companies from sharing the data with third parties.

One difference from the California law is that this bill allows consumers to sue companies over privacy violations. One compromise that was made when the California bill was passed was to change that to only allow a private right of action in cases where there was a breach. Here, a private right of action would exist for any violation.

Another big difference is that while the California law only applies to companies with revenues over $25 million (or a couple of other situations), this bill would apply, like Colorado’s law does, to any company of any size.

Obviously, the big companies (Facebook, Google and others) and their lobbyists (the Internet Association) are more than just freaking out. They are saying that keeping customers’ data private is “unworkable for businesses” (which really means that it messes with their business model) and fails to give residents meaningful control over their data, which makes no sense at all. Are they suggesting that their current business model already gives people meaningful control over their data? That certainly doesn’t seem to be the case.

While I certainly agree that a law like this messes with the business models of some companies that have built a business around selling your data, if those businesses have something that people find valuable, most people will recognize that this is a reasonable trade.

What is required is transparency and that is something that folks like Google and Facebook fight, because they know that for many people, it is not worth the trade.

This is far from law, but definitely a bill to watch.

The name of the bill is NY S 5642.

While this bill may not pass in its current form, it seems like the handwriting is on the wall and smart businesses will start to understand privacy concerns and rework their business models to take that into consideration.

Information for this post came from Wired (registration required).


NY Introduces Tough New Cyber Security Bill

New York already has one of the toughest cyber security regulations in the country, but it only applies to financial services firms like banks, mortgage companies and investment advisors.

After the Equifax breach, New York Governor Andrew Cuomo proposed that they add credit reporting agencies to the list of companies covered by the New York regulation called DFS 500.

This week New York Attorney General Eric Schneiderman proposed tough new legislation that would increase the coverage of New York law to all companies that handle non-public information of New York residents. Schneiderman says that the update is needed.

The Stop Hacks and Improve Electronic Data SecuritY or SHIELD Act was introduced in both legislative houses.

Schneiderman said that his office received notice of 1,300 breaches in 2016, a SIXTY PERCENT INCREASE over the previous year.

Some business officials wondered how it would be enforced on out of state companies, but a similar requirement currently exists in a number of other states.

The law has modest penalties – up to $5,000 per violation or $20 per failed notification, up to $250,000. Compare this to the new data privacy law in Europe, which allows for fines of 20 MILLION Euros or more.

Small businesses with fewer than 50 employees (and meeting some other requirements) would only have to implement security appropriate for the size of the company and the risk.

The law also says that companies that obtain independent certification of their security practices and achieve high marks would be immune from enforcement actions.  This is a great incentive to conduct annual cyber risk assessments.

The Business Council of New York State, a trade group of over 2,000 businesses, said that businesses are not bad actors and are interested in protecting their customers’ data. If that is true, they should be conducting an annual independent third party risk assessment anyway, and if their program comes away with high marks, they have immunity. So, if they do protect their customers’ data effectively, they have nothing to worry about from this bill, even if they do get breached.

Schneiderman has a reputation of being tough on companies that get breached and hackers who breach companies, so this new bill is not unexpected.

Information for this post came from Law.com.

The text of the bill can be found here.

New York tracks you by your license plate – and keeps it

According to an item in USA Today, counties in New York State not only snap pictures of your license plate, but keep them in a database with date-time and location information.

The data is accessible by police throughout the state as well as by the Department of Homeland Security.

If you put together a bunch of pictures of your license plate taken at different times and places, you can piece together a picture of where you go, what you do and who you connect with.

I suspect that the courts will say that when you are out and about you have no reasonable expectation of privacy. You and I might view it differently, but I doubt the courts will.

Here is the interesting part of this. While the cameras can be used to ferret out stolen cars, wanted people and expired license plates, that group, collectively, probably represents 1/100th of 1 percent of the pictures taken. The rest are people going about their daily business, not committing a crime and being watched.

There is no central database; each county does its own thing, and there are no statewide rules about it.

Here is a little data:

  • Monroe, Albany, Westchester and New York City keep the data for 5 years.
  • The New York State Police keeps the data for 5 years also. They have 140 cameras.
  • Erie and Onondaga counties keep the data for 1 year.
  • Monroe county had 3.7 million snapshots as of last week.
  • Onondaga county had 5.2 million as of a couple of weeks ago.
  • Albany county, where the state capital is, had 37 million pictures.
  • Erie county said they have the capacity to store 12 million pictures and plan to add more storage.
  • Most agencies declined to say how many pictures they had.

In a sense, this is like the NSA – no rules, no watchdogs, no transparency – just trust us.

To me, that doesn’t seem like a really good plan – just saying!