Recent Amendment to New York State Technology Law Demonstrates Rapid Evolution of Privacy Laws

By: Lewis Brisbois' Data Privacy & Cybersecurity Team 

The New York State Technology Law (STT) § 209 governs the obligations of state agencies if there is a data breach or other privacy incident. Under the STT, state agencies are defined to include state boards, bureaus, divisions, committees, commissions, councils, departments, public authorities, public benefit corporations, offices, or other governmental entities performing governmental or proprietary functions for the state of New York. In short, even though data collection and use by private entities is governed by the New York General Business Law (GBL) § 899-aa, the STT impacts a number of public entities. The GBL applies to all entities that own license or maintain personal information of New York residents and requires notification to state entities in the event of unauthorized access or exfiltration to personal information. The STT addresses the obligations of those state entities upon receiving notice of a data breach.

The reporting obligations under the STT requires the Office of Information Technology Services to take a leading role with state agencies’ use and storage of private data. Recently, a situation came to light where the Office of Information Technology Services was notified of a breach in January 2020 but failed to report the breach to impacted agencies. Unfortunately, the impacted agencies first learned about the breach in a Wall Street Journal article published months later in April 2020. Specifically, the Wall Street Journal article reported a hack of the computer network serving New York State’s government. This incident required New York to engage an outside firm to change thousands of employee passwords. In response to scrutiny from this incident, a senior advisor to the Governor is quoted in the Wall Street Journal article as saying there is “no evidence that personal data of any New York resident, employee, or other individuals were compromised or have been taken out of our network.”

In response to this incident and the initial disclosure in the Wall Street Journal, the New York legislature introduced New York Senate Bill 7019, which amended the New York State technology law to add a new section requiring state agencies to work together on providing proper notification of a privacy incident. Bill 7019 was entitled “[a]n act to amend the state technology law, in relation to the notification of certain state agencies of a data breach or network security breach” and would have a drastic impact on how state agencies provided notification of an incident.

On December 22, 2021, New York Governor Kathy Hochul signed into law the Senate Bill enacting section 209 in an effort to remedy the miscommunications between various state agencies regarding notices of data breaches as discussed in the April 13, 2020 Wall Street Journal article. Section 209, as amended, now requires the Office of Information Technology Services to take the following steps when it discovers a data breach or network security breach:

• Section 1 of the bill adds a new section 209 to the state technology law. Subdivision 1 of the new section 209 requires the office, within 24 hours following discovery of a data breach or network security breach, to notify the chief information officer and, where appropriate, the chief information security officer of any state entity with which it shares data, provides networked services or shares a network connection and whose data is or may have been the subject of such breach whether or not such data was, or is reasonably believed to have been, acquired or used by an unauthorized person.
   
• Subdivision 2 of the new section 209 requires the office to notify the chief information officer and, where appropriate, the chief information security officer of such state entity with which it shares data, provides networked services, or shares a network connection and whose data is or may have been the subject of such breach of its plan for remediation of the breach and future protection of such data and network.

It should also be noted that “Data Breach” is defined broadly in subdivision 3 of section 209 to include the unauthorized access or exfiltration of data without knowledge or authorization of the data owner. This definition is much broader than the definition under the GBL. The GBL applies only to the unauthorized access or exfiltration of personal information, which has its own enumerated definition. Section 209 does not appear to be limited only to personal information. This is evident by the incident that led the New York State legislature to enact section 209. The usernames and passwords that were impacted by the January 2020 incident do not fall within GBL’s definition of personal information.

While the amended Section 209 does not impose additional requirements on private entities, the steps taken in New York offer guidance to both public and private entities. It is important to consider that this amendment was the result of a particular incident. The New York State legislature is trying to ensure more intragovernmental communication to avoid a similar embarrassment. Given the heightened scrutiny that the Office of Information Technology Services has been under as a result of the January 2020 incident, private entities, especially ones that contract with the state, may face heightened scrutiny after filing their GBL notices. The actions taken to amend the SST demonstrates the rapid pace at which privacy laws develop and the need to be constantly aware of any changes in the law that may directly impact data collection and storage.

For more information on this development, contact the authors of this post. You can also subscribe to this blog to receive email alerts when new posts go up.