Governor Extends Data Breach Protections to email

July 29, 2019 at 10:16 am

Good morning folks

A guy goes away on vacation for one week to go chasing tornados in the tornado alley of Cape Cod. And the governor has the audacity to sign off on a whole bunch of important bills in my absence. Not only that, but the Yankees’ pitching staff goes from acceptable to atrocious and NCUA promulgates some deceptively important new requirements. Today I’m going to analyze the most important of these changes, and tomorrow I will fill you in on some HR issues that are going to create even more work for your overworked HR staff.

The most important thing I want to tell you about is the legislation that extends the scope of data breaches to include emails and any information that can be used to access a person’s account. It also mandates the creation of new policies and procedures. Remember, this measure applies to your credit union whether you are a state or federally chartered institution.

First, some context: NY General Business Law § 899-aa generally requires any entity conducting business in NY which maintains computerized personal data to provide notifications in the event that computer data containing personally identifying information is compromised. The SHIELD Act extends the definition of private information to include a username or email address “in combination with a password or security question and answer that would permit access to an online account.”

This new language intrigues me for several reasons beyond the obvious. For example, the inclusion of email addresses effectively puts you on notice that you have an obligation to protect not only the private information of your customers but your employees’ information as well. I’m still recovering from my vacation fog, but I know of at least one case in which an employer was sued by its employees because of its sloppy handling of email.

Secondly, keeping in mind that this blog is one man’s opinion and not a substitute for legal advice, it is not entirely clear from the plain language of the amendments if the legislature intended to extend protection to email addresses or only to email addresses which are compromised in conjunction with identifying passwords and codes. For what it’s worth, I believe that the latter is probably the best interpretation.

The bill does much more than impact your email. For instance, under existing law personal information includes credit and debit card account information in combination with passwords or social security numbers. The new law extends this provision to account information which, in combination with “other information,” would permit a person to access the account.

The legislature also wants you to have policies and procedures implementing an appropriate data security program. My guess is that many of you already have a program in place to satisfy these requirements, but you should take the time to review the statute.

Finally, the bill extends the statute of limitations for the attorney general to bring actions against companies for violating this law. Now for the really good news: parts of this bill take effect as early as three months from now. The bill was officially signed on July 25, 2019. On that note, get to work and have a nice day.


Entry filed under: Compliance, HR, Legal Watch, New York State.


Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
