to the Public and Regulators: Changing Standards?

(NYS) Cybersecurity Regulation requires covered companies to notify the NYS Department of Financial Services (NYSDFS) for "any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse" a computer system. The NYS regulation appears to go beyond regulations and laws, including through public filings (10-Ks and 8-Ks), state data breach laws, the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA).

This article will explore several current disclosure laws, how they differ from each other, in what circumstance each applies, and what corporate counsel must do to keep their companies safe in the face of existing legal ambiguity.

Several Current Regulations and Laws

enacted laws requiring notification of security breaches involving personally identifiable information (PII). The primary purpose of these laws is to prevent identity theft. Most of these laws apply to any organization that collects PII from individuals in the state (even if not stored in that state). Some, but not all, of the laws create exemptions for organizations that are already covered by HIPAA or the GLBA.

PII is typically defined as an individual's name plus one or more of the following: (i) social security number (SSN), (ii) driver's license number or state-issued ID card number, (iii) account number, credit card number or debit card number combined with any code or password needed to access an broader than the general definition (e.g., California includes email addresses, and Illinois includes fingerprints and other biometric data, etc.). For the most part, breach is defined as the unlawful and unauthorized acquisition of PII that compromises the security, confidentiality or integrity of PII. In some states, notification is triggered by access, and not acquisition (e.g., Connecticut and New Jersey).

If a breach occurs, organizations must notify the residents that are affected by the breach, in some cases law enforcement (e.g., New York and California, etc.), and in other cases they must make a public disclosure via publication. As for timing, organizations must generally notify as soon as practicable, although several states have specific time requirements, ranging from five calendar days to 90 days (many are 45 days). A formal incident response plan is typically not required by state laws, but note that several states have specific requirements on storing information and security plans (e.g., Massachusetts requires organizations to draft and update a written information security plan).

focuses on the risk of harm to consumers and identity theft. HIPAA requires covered entities notification following a breach of

Salsburg P.C., and chairs its cybersecurity and privacy law group. He focuses his practice on cybersecurity, privacy, data and technology transactional and litigation matters. He counsels clients ranging from individuals to emerging growth companies to publicly traded, global organizations, in a variety of industries, including businesses in the banking and financial services, consumer retail, healthcare, professional services and education sectors.

School, assisted with the research for this article.

3 Becker Farm Road, Suite 105, Roseland, New Jersey 07068
lawfirm.ms