<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>By Frank Fazzio Archives - Zasio</title>
	<atom:link href="https://zasio.com/category/frank/feed/" rel="self" type="application/rss+xml" />
	<link>https://zasio.com/category/frank/</link>
	<description>Digital Records Management Software</description>
	<lastBuildDate>Fri, 27 Jun 2025 14:23:46 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://zasio.com/wp-content/uploads/2023/05/cropped-zasiopurplefavicon-32x32.png</url>
	<title>By Frank Fazzio Archives - Zasio</title>
	<link>https://zasio.com/category/frank/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Understanding the New Colorado Privacy Act Amendment on Precise Geolocation Data</title>
		<link>https://zasio.com/colorado-privacy-act-precise-geolocation/</link>
					<comments>https://zasio.com/colorado-privacy-act-precise-geolocation/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Tue, 24 Jun 2025 17:16:09 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Frank Fazzio]]></category>
		<category><![CDATA[Colorado]]></category>
		<category><![CDATA[Colorado Privacy Act]]></category>
		<category><![CDATA[privacy]]></category>
		<guid isPermaLink="false">https://zasio.com/?p=6885</guid>

					<description><![CDATA[<p>Colorado recently enacted an amendment to the Colorado Privacy Act (CPA), designating “precise” geolocation data as sensitive personal data. Since its passage in 2021, the CPA has positioned Colorado as a leader among the growing number of states enshrining privacy protections into comprehensive privacy laws. With this amendment, Colorado has further strengthened and refined privacy protections for Colorado consumers to keep pace with new digital technological and legal developments. The state joins the trend of states defining precise geolocation information (i.e., any information enabling a person to be located within 1,850 feet) and classifying it as sensitive personal data. As consumers increasingly rely on technology in every facet of their lives, they leave behind a widening digital trail revealing their preferences, habits, and routines. Among the most significant of these is location data (whether precise or general), which is particularly sensitive because it tracks a person’s daily movements, offering insight into their lives. Businesses use this information for targeted marketing, but others may use it to monitor a person’s activities. For someone wishing to learn as much as possible about a person, location data is among the most valuable types of information. It reveals a person’s daily comings and goings. A favored route for [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<p>Colorado recently enacted an amendment to the Colorado Privacy Act (CPA), designating “precise” geolocation data as sensitive personal data. Since its passage in 2021, the CPA has positioned Colorado as a leader among the growing number of states enshrining privacy protections into comprehensive privacy laws.</p>
<p>With this amendment, Colorado has further strengthened and refined privacy protections for Colorado consumers to keep pace with new technological and legal developments. The state joins the trend of states defining precise geolocation information (i.e., any information enabling a person to be located within 1,850 feet) and classifying it as sensitive personal data.</p>
<p>As consumers increasingly rely on technology in every facet of their lives, they leave behind a widening digital trail revealing their preferences, habits, and routines. Among the most significant of these is location data (whether precise or general), which is particularly sensitive because it tracks a person’s daily movements, offering insight into their lives. Businesses use this information for targeted marketing, but others may use it to monitor a person’s activities.</p>
<p>For someone wishing to learn as much as possible about a person, location data is among the most valuable types of information. It reveals a person’s daily comings and goings. A favored route for a morning run, a habitual place to eat lunch, or a dinner at a romantic partner’s home are just a few examples. But malicious actors can also use location data for exploitative purposes, such as stalking or extortion. That’s why the CPA now explicitly bans controllers from selling sensitive data, including precise geolocation data, unless they first obtain the consumer’s affirmative consent.</p>
<h3>The Importance of Protecting Location Data</h3>
<p>Recognizing the significance of this information, most state privacy laws, including Colorado’s CPA amendment, designate “precise” geolocation data as a sensitive personal data type that requires heightened safeguards and protections to stop misuse or unauthorized access.</p>
<p>For businesses and public agencies in Colorado, the CPA’s change likely has significant implications. Any processing of precise geolocation data, including transfers or sharing, now requires explicit consumer consent.</p>
<p>The law’s broad scope includes “derived” information (data that can infer a person’s whereabouts or activities). This includes data from Wi-Fi networks, cellular towers, Bluetooth devices, IP addresses, and many others that help identify a person’s location. Other peripheral categories of data may also come under scrutiny if they can reveal someone’s location, such as purchase and transaction data, online behavior, and social media activity.</p>
<h3>Evolving Landscape of Privacy Laws and Best Practices</h3>
<p>Expect to see the contours of location data protections continue to evolve in the coming years. States with comprehensive privacy laws are sure to incrementally refine their approaches to protecting personal data. They may also gradually become more uniform by copying provisions from each other that have proven popular. Meanwhile, the growing body of enforcement actions and court decisions will shape a clearer set of principles and best practices for personal data management and protection that businesses can follow.</p>
<p><strong><em>Note:</em></strong></p>
<p>The CPA amendment, <a href="https://leg.colorado.gov/sites/default/files/documents/2025A/bills/2025a_276_enr.pdf" data-wpel-link="external" rel="external noopener noreferrer">SB25-276</a>, adds language that defines “precise” geolocation data as sensitive, which includes any data allowing a person’s whereabouts to be determined to within a broad radius of 1,850 feet. Specifically, <a href="https://leg.colorado.gov/sites/default/files/documents/2025A/bills/2025a_276_enr.pdf" data-wpel-link="external" rel="external noopener noreferrer">SB25-276</a><a href="#_ftn1" name="_ftnref1">[i]</a> defines “precise geolocation data” as “information derived from technology that accurately identifies the present or past location of a device that links or is linkable to an individual within a radius of one thousand eight hundred fifty feet… [and] includes: (i) global positioning system (gps) coordinates within a radius of one thousand eight hundred fifty feet; or (ii) any data derived from a device and that is used or intended to be used to locate a consumer within a geographic area within a radius of one thousand eight hundred fifty feet.”</p>
<p>This roughly tracks the definition provided in the California Consumer Privacy Act (CCPA), which also specifies 1,850 feet (about six football fields). The definition also excludes communication content and any data from advanced utility metering systems.</p>
<p><a href="#_ftnref1" name="_ftn1">[i]</a> https://leg.colorado.gov/sites/default/files/documents/2025A/bills/2025a_276_enr.pdf</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on information governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/colorado-privacy-act-precise-geolocation/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Understanding President Biden&#8217;s Executive Order on Sensitive Personal Data</title>
		<link>https://zasio.com/understanding-president-bidens-executive-order-on-sensitive-personal-data/</link>
					<comments>https://zasio.com/understanding-president-bidens-executive-order-on-sensitive-personal-data/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Tue, 19 Mar 2024 15:25:37 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Frank Fazzio]]></category>
		<guid isPermaLink="false">https://zasio.com/?p=4178</guid>

					<description><![CDATA[<p>On Feb. 28, 2024, the Biden administration issued a new executive order fortifying protections for the sensitive personal data of Americans and mitigating the risk of exploitation by foreign adversaries. This directive holds substantial implications for global enterprises, particularly those with extensive international operations. Under the EO, key government departments, including Justice, Homeland Security, Health and Human Services, Defense, Veterans Affairs, and the Consumer Financial Protection Bureau, are tasked with executing various provisions of the order. These provisions encompass regulating access to government-related data, establishing security standards to prevent unauthorized dissemination of Americans’ data, and mandating federal contractors and grant recipients safeguard data from certain nations. In light of the EO, companies should anticipate guidelines and standards governing the processing, transfer, and security of sensitive personal data types such as genomic, biometric, health, geolocation, and financial data. Entities involved in data brokering or bulk data aggregation with overseas transfers may face substantial operational impacts. The significance of preventing sensitive personal data proliferation cannot be overstated, especially concerning Americans&#8217; financial security. Sensitive data often enables cybercrimes, including scams and theft. The broader the availability of information, the more avenues for exploitation exist for malicious actors to harm individuals or entities. Although [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<p>On Feb. 28, 2024, the Biden administration issued a new executive order fortifying protections for the sensitive personal data of Americans and mitigating the risk of exploitation by foreign adversaries. This directive holds substantial implications for global enterprises, particularly those with extensive international operations.</p>
<p>Under the EO, key government departments, including Justice, Homeland Security, Health and Human Services, Defense, Veterans Affairs, and the Consumer Financial Protection Bureau, are tasked with executing various provisions of the order. These provisions encompass regulating access to government-related data, establishing security standards to prevent unauthorized dissemination of Americans’ data, and mandating federal contractors and grant recipients safeguard data from certain nations.</p>
<p>In light of the EO, companies should anticipate guidelines and standards governing the processing, transfer, and security of sensitive personal data types such as genomic, biometric, health, geolocation, and financial data. Entities involved in data brokering or bulk data aggregation with overseas transfers may face substantial operational impacts.</p>
<p>The significance of preventing sensitive personal data proliferation cannot be overstated, especially concerning Americans&#8217; financial security. Sensitive data often enables cybercrimes, including scams and theft. The broader the availability of information, the more avenues for exploitation exist for malicious actors to harm individuals or entities.</p>
<p>Although China and Russia are highlighted as key countries of concern, the global reach and intricate commercial and political networks of these nations imply that the effects of the order will be impactful on a wide geographic scale.</p>
<p>Organizations should proactively prepare to update their information management programs, IT security controls, contracts, procurement processes, and data transfer protocols once the regulations are finalized. For instance, security audits and penetration tests can spot system vulnerabilities. Program maturity assessments help understand deficiencies that, once resolved, free up resources for future challenges. Information collection initiatives identify personal data assets and cross-border data transfers that could face new regulations. Regular maintenance of recordkeeping and information management policies makes future updates more efficient and less disruptive.</p>
<p>By strengthening their information governance programs and integrating personal data management into policies, programs, and processes, organizations can better protect the sensitive personal data of their customers, employees, and stakeholders, guarding against emerging threats and keeping pace with regulatory requirements.</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/understanding-president-bidens-executive-order-on-sensitive-personal-data/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Staying One Step Ahead of Cyber Criminals: NYDFS Updating Cybersecurity Regulation for 2023</title>
		<link>https://zasio.com/cyber-security-nydfas-privacy-security-zasio/</link>
					<comments>https://zasio.com/cyber-security-nydfas-privacy-security-zasio/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Mon, 01 May 2023 18:15:52 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Frank Fazzio]]></category>
		<category><![CDATA[Frank Fazzio]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[privacy laws]]></category>
		<category><![CDATA[RIM]]></category>
		<category><![CDATA[security]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=333</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/cyber-security-nydfas-privacy-security-zasio/" data-wpel-link="internal">Staying One Step Ahead of Cyber Criminals: NYDFS Updating Cybersecurity Regulation for 2023</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_0 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_0">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_0  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_0  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>Since 2017, the New York Department of Financial Services (NYDFS) cybersecurity regulation has established minimum cybersecurity requirements for financial services companies that are licensed or registered by NYDFS. The regulation is set to be updated<a href="https://www.zasio.com/cyber-security-nydfas-privacy-security-zasio/#_ftn1" name="_ftnref1" data-wpel-link="internal">[1]</a> in 2023 to address the ever-increasing sophistication and scope of cyber threats. NYDFS issued a draft regulation last November, and the public comment period ended on Jan. 9. NYDFS is currently reviewing those comments, and a final rule is expected later this year.</p>
<p>Just as California’s emissions regulations have had a far-reaching impact on the national auto industry, the cybersecurity regulation has altered the information security practices of financial services companies both domestically and, due to the global reach of the U.S. financial system, internationally. There’s little doubt the updated regulation will have the same effect.</p>
<p>Effective information governance plays a crucial role in complying with the NYDFS cybersecurity rules by managing the storage, maintenance, and retention of sensitive information. This article explores the most relevant updates to the NYDFS cybersecurity rules for records management professionals.</p>
<h2>Company Risk Tiers</h2>
<p>The proposed updated NYDFS cybersecurity regulation establishes three tiers of companies (previously, there were two) with targeted requirements tailored to the unique security needs of financial institutions of varying sizes. A new “Class A” designation applies to companies with at least $20 million in gross annual revenue in New York, $1 billion in gross annual revenue globally, and more than 2,000 employees. The proposal raises the threshold for the lowest tier to exempt companies with fewer than 20 personnel (previously, 10) and less than $15 million in assets (previously, $10 million).</p>
<h2>Strengthened Controls</h2>
<p>Although the current regulation requires robust cybersecurity policies and procedures, the proposed revision will require an even more comprehensive approach. The proposed revision would specifically cover data retention and device end-of-life management, remote access, security monitoring, security awareness and training, incident notification, and vulnerability management. Regulated entities would also need a comprehensive and continuously updated inventory of information assets, with detailed information about ownership, controls, sensitivity levels, support, and recovery time requirements.</p>
<p>The existing regulation already required user access to be appropriately limited. Under the proposed revision, however, these limitations would need to be significantly more detailed. For example, access privileges could not exceed those required to fulfill job responsibilities and privileged accounts could be used only when necessary. Also, regulated companies would need to review privileges at least annually, configure remote access protocols securely, and withdraw an employee’s access swiftly following their departure. Further, multi-factor authentication would be broadly required, rather than merely recommended, for remote access to company information systems, third-party applications, and all privileged accounts that do not already have equivalent or more stringent controls.</p>
<p>Additionally, Class A companies must use automated methods to prohibit commonly used passwords and employ a dedicated privileged access management solution. Moreover, Class A companies would need to conduct an annual independent audit of their cybersecurity program and engage external experts for a full risk assessment every three years.</p>
<h2>Increased Governance &amp; Accountability</h2>
<p>The updates also extend to company governance. A company’s board of directors or similar governing body, if it has one, would need to oversee and direct the company’s cybersecurity risk management, require executives to develop an appropriate cybersecurity program, and obtain sufficient knowledge to conduct oversight effectively, including, if necessary, by hiring experts. Executives must review and approve cybersecurity policies annually.</p>
<p>Financial institutions were already required to have a chief information security officer (“CISO”); that individual must now have the authority to direct resources to ensure cybersecurity risks are appropriately managed. Companies also must require the CISO to report any material issues to the governing body.</p>
<h2>Enhanced Risk Assessments &amp; Incident Planning</h2>
<p>Risk assessments and preparedness are another area of the regulation that is set to expand. The regulation currently directs companies to establish a cybersecurity incident response plan that outlines steps to take in the event of a breach. That plan must now be proactive: it must include measures to investigate and mitigate incidents, ensure operational resilience via incident response, business continuity, and disaster recovery planning, and identify and memorialize measures to mitigate the risk of breach.</p>
<p>For example, companies must now conduct a penetration test that specifically covers internal and external attack vectors from both inside and outside the information systems’ boundaries, and develop automated scans or manual reviews to discover, analyze, and report on potential vulnerabilities. Under the proposed revision, companies should also establish a monitoring process that promptly notifies them of security vulnerabilities, remediates them, and documents material issues.</p>
<p>Records management professionals must work with their IT and security teams to develop plans that address each of these components for the information repositories they oversee and their role in the event of a security incident. This includes identifying the type of information that has been compromised, determining the extent of the breach and whether sensitive information is impacted, and reporting the breach to the appropriate authorities.</p>
<h2>Recordkeeping and Records Management Professionals</h2>
<p>As with any regulation, compliance cannot stop at implementation; it must also be well-documented. The current regulation requires companies to maintain records of their cybersecurity program and activities for at least five years. Under the proposed update, the scope of those records will increase. Records management professionals must ensure that these records are maintained in a secure and accessible manner. Companies must ensure that they have in place adequate policies and procedures for the storage, maintenance, and retention of cybersecurity records. Records also must be readily accessible to authorized parties and protected against unauthorized access, alteration, or destruction.</p>
<h2>Conclusion</h2>
<p>The updates to the NYDFS cybersecurity regulation further develop the minimum cybersecurity requirements for financial services companies that are licensed or registered by NYDFS. Records management professionals play a critical role in complying with the regulation by ensuring that sensitive information is properly protected, incident response plans are in place, and records are properly maintained and protected. By collaborating with other teams, especially IT and security, to develop and implement cybersecurity and related policies and procedures, records management professionals can help their companies satisfy NYDFS cybersecurity requirements and better protect sensitive information from cyber threats.</p>
<p><a href="https://www.zasio.com/cyber-security-nydfas-privacy-security-zasio/#_ftnref1" name="_ftn1" data-wpel-link="internal">[1]</a> https://dfs.ny.gov/system/files/documents/2022/10/rp23a2_text_20221109_0.pdf</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_1">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_1  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_team_member et_pb_team_member_0 clearfix  et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img decoding="async" src="https://cdn.zasio.com/wp-content/uploads/2023/05/Frank-01-96x96-1.png" alt="Author: Frank Fazzio, IGP, CRM" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Frank Fazzio, IGP, CRM</h4>
					<p class="et_pb_member_position">Analyst / Licensed Attorney</p>
					
					
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/cyber-security-nydfas-privacy-security-zasio/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>California Privacy Rights Act (CPRA) Prep Workshop</title>
		<link>https://zasio.com/california-privacy-rights-act-cpra-prep-workshop/</link>
					<comments>https://zasio.com/california-privacy-rights-act-cpra-prep-workshop/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Tue, 05 Jul 2022 22:00:28 +0000</pubDate>
				<category><![CDATA[By Frank Fazzio]]></category>
		<category><![CDATA[Events]]></category>
		<category><![CDATA[California Privacy Protection Agency]]></category>
		<category><![CDATA[California Privacy Rights Act]]></category>
		<category><![CDATA[CPPA]]></category>
		<category><![CDATA[CPRA]]></category>
		<category><![CDATA[CPRA Preparation]]></category>
		<category><![CDATA[Frank Fazzio]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=415</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/california-privacy-rights-act-cpra-prep-workshop/" data-wpel-link="internal">California Privacy Rights Act (CPRA) Prep Workshop</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_1 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_2">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_2  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_1  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner">The California Privacy Rights Act (“CPRA”) compliance deadline is fast approaching. Is your house in order? Don’t let the CPRA’s January 1, 2023, implementation date or the July 1, 2023, enforcement date sneak up on you! If you’re like many of our clients, you’ve heard a lot about the passage of the CPRA. You may have also heard about the CPRA’s new draft regulations approved in June by the new California Privacy Protection Agency (“CPPA”). These regulations are poised to significantly expand and codify privacy rights and procedures for a wide range of businesses that handle the personal data of California consumers.</p>
<p>If you haven’t prepared yet, don’t sweat: there’s still time to get ready. And even though specific compliance requirements under CPRA regulations remain in draft form, you can still take concrete steps today to get ready. There’s no reason to put CPRA compliance on the back burner until the regulations are finalized.</p>
<p>Join Zasio’s Frank Fazzio, CIPP-US / IGP / CRM, for a workshop webinar on tackling the highest-priority items on the CPRA compliance checklist so that your organization can avoid a last-minute scramble as the deadlines approach. The presentation will cover:</p>
<p>– Conducting a Personal Information Inventory<br />
– Identifying Sensitive Personal Information<br />
– Setting Personal Information Retention Policies<br />
– Policies, Consumer Notices, Opt-Outs<br />
– Responding to Consumer Requests (Deletion, Correction, Information)<br />
– IT Security Precautions</p>
<p>Take the stress out of CPRA compliance prep with Zasio. We’ll see you there!</p>
<p><strong>CPRA Prep Workshop</strong><br />
<strong>Date: </strong>August 10, 2022<br />
<strong>Time: </strong>1:00 P.M. MT<br />
<strong>Cost:</strong> Free</p>
<p>&nbsp;</p>
<p><a href="" class="small-button smallorange" data-wpel-link="internal">Register for Workshop</a></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_3">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_3  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_team_member et_pb_team_member_1 clearfix  et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2023/05/Frank-01-96x96-1.png" alt="Author: Frank Fazzio, IGP, CRM" class="wp-image-1966" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Frank Fazzio, IGP, CRM</h4>
					<p class="et_pb_member_position">Analyst / Licensed Attorney</p>
					
					
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://zasio.com/california-privacy-rights-act-cpra-prep-workshop/" data-wpel-link="internal">California Privacy Rights Act (CPRA) Prep Workshop</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/california-privacy-rights-act-cpra-prep-workshop/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Virginia’s New CCPA-style Privacy Law: Powerhouse or Paper Tiger?</title>
		<link>https://zasio.com/virginias-new-ccpa-style-privacy-law-powerhouse-or-paper-tiger/</link>
					<comments>https://zasio.com/virginias-new-ccpa-style-privacy-law-powerhouse-or-paper-tiger/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Thu, 04 Mar 2021 21:16:29 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Frank Fazzio]]></category>
		<category><![CDATA[CCPA]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[European Union]]></category>
		<category><![CDATA[Frank Fazzio]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[law]]></category>
		<category><![CDATA[personal data]]></category>
		<category><![CDATA[privacy law]]></category>
		<category><![CDATA[privacy legislation]]></category>
		<category><![CDATA[VCPDA]]></category>
		<category><![CDATA[Virginia law]]></category>
		<category><![CDATA[Virginia’s Privacy Law]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=570</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/virginias-new-ccpa-style-privacy-law-powerhouse-or-paper-tiger/" data-wpel-link="internal">Virginia’s New CCPA-style Privacy Law: Powerhouse or Paper Tiger?</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_2 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_4">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_4  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_2  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner">Virginia has just become the second U.S. state to enact a comprehensive privacy protection law. After passage by overwhelming majorities in both the Virginia Senate and House of Delegates, the Virginia Consumer Data Protection Act<a href="https://www.zasio.com/virginias-new-ccpa-style-privacy-law-powerhouse-or-paper-tiger/#_ftn1" name="_ftnref1" data-wpel-link="internal">[1]</a> (“VCDPA”) was signed into law by Governor Ralph Northam on March 2. While lawmakers in several other states like New York and Washington have proposed their own privacy bills, those efforts have so far hit various snags and stumbling blocks in the legislative process that have stalled their final passage into law.</p>
<p><strong>Growing Trend of State-level Privacy Laws</strong></p>
<p>The VCDPA is now the first broad state-level privacy law enacted since California’s CCPA. However, it is just the latest in the ongoing push among states to pass their own privacy legislation, spurred by the absence of any federal privacy legislation on par with the EU’s GDPR. It remains to be seen whether the resulting patchwork of state laws can effectively substitute for a comprehensive federal privacy law. As a sign that it may not, the VCDPA’s enforcement mechanisms invite concern that the law may not be tough enough to meaningfully change company behavior.</p>
<p><strong>Numerous CCPA &amp; GDPR Similarities, Some New Features</strong></p>
<p>The VCDPA borrows many of the same key principles as California’s CCPA and the European Union’s GDPR. For example, it relies on a similarly expansive definition of personal data that includes any data or information that can be linked to an “identified or identifiable natural person” and carves out sanitized de-identified data. It also contains a similar bill of individual rights that includes the right to:</p>
<ul>
<li>know what personal data is being processed;</li>
<li>correct or delete that data;</li>
<li>obtain a portable copy of personal data;</li>
<li>opt out of having your personal data sold.</li>
</ul>
<p>The VCDPA applies to any company that does business in Virginia or serves Virginia consumers (defined as natural persons residing in Virginia and acting in a non-commercial and non-employment capacity) and processes over 100,000 consumers’ data. This figure decreases to 25,000 consumers if a company earns over 50% of its gross revenue from selling personal data. This is similar to the CCPA’s standard of 50,000 consumers or 50% of revenue from selling personal data. However, while the CCPA has a monetary trigger that brings any company with gross revenue of at least $25 million under its purview, the VCDPA has no monetary trigger, which will allow some companies earning over $25 million to avoid compliance.</p>
<p>The VCDPA also requires a person’s affirmative consent (known as an “opt-in”) before a company can process sensitive data. Under the VCDPA, sensitive data is defined as data showing racial or ethnic origin, religious beliefs, mental/physical health diagnosis, sexual orientation, immigration status, genetic or biometric data, data collected from minors, and precise geolocation data. In contrast to the CCPA, a person’s opt-in under the VCDPA is required regardless of whether personal data is being sold.</p>
<p>A novel feature under the VCDPA is the requirement that controllers conduct a precautionary data protection assessment of any IT systems processing personal data for targeted advertising, sale of personal data, consumer profiling, or systems containing sensitive personal data or data that might cause a heightened risk of harm to the consumer. These checks will add another layer of defenses to help protect against the ever-intensifying efforts of cybercriminals.</p>
<p><strong>Light-Touch Enforcement &amp; Penalties for Opt-Outs</strong></p>
<p>The VCDPA departs significantly from the CCPA’s formula for privacy regulation by not including any private right of action. Under the VCDPA, individual consumers who have been harmed by non-compliance will not be able to personally sue for civil damages. Instead, the law will be enforced exclusively by the Virginia attorney general’s office, which will have the power to levy fines of up to $7,500 per violation. But like the CCPA, offenders can cure any violations during a 30-day period to avoid paying a fine.</p>
<p>Also, under the CCPA, lawyers can band together hundreds or thousands of CCPA-affected Californians to form class action lawsuits against an offending company, and collectively seek millions of dollars in damages. This serves as a major deterrent against non-compliance. In contrast, under the VCDPA, the class action lawsuit threat is not present. Further still, crafting a lawsuit requires a significant amount of time and expense to organize, but a curative action undertaken within thirty days can completely negate the lawsuit and make it disappear. This would tend to strongly disincentivize lawsuits and blunt the VCDPA’s enforcement heft.</p>
<p>Another key difference between the CCPA and VCDPA is that, while both laws prohibit overt discrimination against consumers who exercise their opt-out rights (a company cannot change the rates, prices, or quality of goods and services that are offered to a consumer), the VCDPA <em>explicitly</em> allows this kind of discrimination when the consumer’s choice prevents them from getting targeted advertising or from enrolling in a voluntary loyalty program. In other words, if processing or selling a consumer’s personal data is a prerequisite to participating in a company’s loyalty rewards program or targeted marketing, an opt-out can potentially leave consumers out in the cold on special prices or promotional offers that their less privacy-conscious peers may enjoy.</p>
<p>Taken as a whole, the VCDPA reveals a markedly different and more permissive enforcement landscape for companies when compared to the CCPA. The VCDPA is set to go into effect on January 1, 2023.</p>
<p><strong>Conclusion</strong></p>
<p>Once two states have taken the plunge by enacting big-ticket privacy laws, expect that others will surely follow. Presently, more than a dozen states continue to work on their own privacy laws. As more states pass privacy laws with their own eccentricities, the growing complexity caused by an overlapping patchwork of state requirements may increase pressure on Congress to set a baseline to which all personal data processors must adhere. With single-party control of the White House and both houses of Congress, the likelihood of passing comprehensive federal privacy legislation now may be greater than ever.</p>
<p><a href="https://www.zasio.com/virginias-new-ccpa-style-privacy-law-powerhouse-or-paper-tiger/#_ftnref1" name="_ftn1" data-wpel-link="internal">[1]</a> <a href="https://lis.virginia.gov/cgi-bin/legp604.exe?211+ful+SB1392+pdf" data-wpel-link="external" rel="external noopener noreferrer">https://lis.virginia.gov/cgi-bin/legp604.exe?211+ful+SB1392+pdf</a></p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_5">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_5  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_team_member et_pb_team_member_2 clearfix  et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2023/05/Frank-01-96x96-1.png" alt="Author: Frank Fazzio, IGP, CRM" class="wp-image-1966" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Frank Fazzio, IGP, CRM</h4>
					<p class="et_pb_member_position">Analyst / Licensed Attorney</p>
					
					
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://zasio.com/virginias-new-ccpa-style-privacy-law-powerhouse-or-paper-tiger/" data-wpel-link="internal">Virginia’s New CCPA-style Privacy Law: Powerhouse or Paper Tiger?</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/virginias-new-ccpa-style-privacy-law-powerhouse-or-paper-tiger/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Personal Data Transfers Post-Privacy Shield</title>
		<link>https://zasio.com/personal-data-transfers-post-privacy-shield/</link>
					<comments>https://zasio.com/personal-data-transfers-post-privacy-shield/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Thu, 13 Aug 2020 20:34:01 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Frank Fazzio]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[European Court of Justice]]></category>
		<category><![CDATA[Frank Fazzio]]></category>
		<category><![CDATA[US-EU Privacy Shield Agreement]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=693</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/personal-data-transfers-post-privacy-shield/" data-wpel-link="internal">Personal Data Transfers Post-Privacy Shield</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_3 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_6">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_6  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_3  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner">The European Court of Justice’s recent move to strike down the US-EU Privacy Shield agreement has upended the bilateral personal data transfer framework and pulled the rug out from under numerous American businesses that work with European customers’ personal data. But although the agreement was invalidated, there remain several steps to take and options to pursue that can help US businesses maintain their operations.</p>
<p>The 2016 bilateral US-EU Privacy Shield agreement allowed US companies to agree that they would adhere to the privacy and personal data rules and standards of the EU, thereby providing an equivalent level of protection to EU citizens and facilitating personal data transfers between the two. However, the European Court of Justice has now rejected that principle. In its decision(1), the court explained that the Privacy Shield agreement failed to provide adequate protection because it could not stop US intelligence services from accessing the personal data even for companies who were Privacy Shield compliant. Furthermore, it was quite difficult for an EU citizen to file a complaint about a potential violation.</p>
<p>Although the decision did strike down the legal validity of the Privacy Shield agreement, one key observation is that the decision notably did not eliminate privacy standard contractual clauses (SCCs). These are cookie-cutter contractual clauses drafted and pre-approved by European regulators for use in privacy-related service agreements with customers. The court allowed SCCs to remain a valid tool in principle because courts have the authority to potentially strike them down and invalidate them on a case-by-case basis if they determine that they are problematic. With the elimination of the Privacy Shield, SCCs will likely be the primary legal tool that US companies rely upon to achieve compliance with EU GDPR and the transfer of EU citizens’ data overseas, and this is an option many companies will want to pursue.</p>
<div>
<p>Binding corporate rules (BCRs) are another arrow in the quiver that remains legally viable. While SCCs provide coverage for transfers to third parties, BCRs provide a legal framework for organizations to transfer data internally among affiliate organizations. BCRs are tailored to the operations of each company, who must apply to have each BCR approved by a local supervisory DPA. Although the process is usually expensive and can take a considerable time to achieve approval, the advantage to BCRs is that once in place they can cover a wide variety of transfer activities, whereas separate SCCs are needed for each individual data transfer. New BCR applications will likely need to address in detail how US affiliates will maintain privacy in the context of government surveillance activities. Companies that have the necessary time and resources may find pursuing a BCR to be a comprehensive alternative for achieving data transfer adequacy.</p>
<p>Furthermore, even though the legal effect of the Privacy Shield agreement in the EU has passed, the Privacy Shield hasn’t completely bitten the dust. The Privacy Shield List of self-certifying companies remains intact, and the companies that have self-certified compliance with its standards should not presume to immediately halt compliance with it. Even without the force of law, following the Privacy Shield standards on a voluntary basis does demonstrate a level of commitment to privacy that would in any case be appreciated by customers and business partners. In addition, businesses that have made commitments that they will abide by Privacy Shield may remain legally bound to continue implementing the standards despite the EU invalidation. US companies are probably well-served by continuing to adhere to the Privacy Shield standards as a matter of good business practice.</p>
<p>Finally, companies can take comfort in the fact that any personal data transfers that are necessary to fulfill a contract with the customer continue to be permissible. If an essential component of the product or service you’re offering to an EU person requires the sending or receiving of their personal data, this remains allowed post-Privacy Shield. The court’s decision does not destroy the ability of companies to continue providing core services and fulfilling their obligations to their EU customers just because the Privacy Shield is no longer valid, so companies probably will not need to worry that their core lines of business could be eliminated by this ruling.</p>
<p>While each of these facts does serve to blunt the impact of the court’s decision, US companies are still likely to face ongoing challenges when dealing with EU citizens’ personal data for the foreseeable future. This situation will persist unless and until an updated agreement can be reached between the EU and US which fully accounts for and remediates the deficiencies that the court identified within the old Privacy Shield agreement.</p>
<p>(1) <a href="https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf" data-wpel-link="external" rel="external noopener noreferrer">https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf</a></p>
<div><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></div>
</div></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_7">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_7  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_team_member et_pb_team_member_3 clearfix  et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img loading="lazy" decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2023/05/Frank-01-96x96-1.png" alt="Author: Frank Fazzio, IGP, CRM" class="wp-image-1966" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Frank Fazzio, IGP, CRM</h4>
					<p class="et_pb_member_position">Analyst / Licensed Attorney</p>
					
					
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://zasio.com/personal-data-transfers-post-privacy-shield/" data-wpel-link="internal">Personal Data Transfers Post-Privacy Shield</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/personal-data-transfers-post-privacy-shield/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Internet Service Providers Launch Litigation Against Maine’s New Opt-In Privacy Law</title>
		<link>https://zasio.com/internet-service-providers-launch-litigation-against-maines-new-opt-in-privacy-law/</link>
					<comments>https://zasio.com/internet-service-providers-launch-litigation-against-maines-new-opt-in-privacy-law/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Tue, 25 Feb 2020 19:18:09 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Frank Fazzio]]></category>
		<category><![CDATA[Act to Protect the Privacy of Online Customer Information]]></category>
		<category><![CDATA[Frank Fazzio]]></category>
		<category><![CDATA[internet service providers]]></category>
		<category><![CDATA[ISP’s]]></category>
		<category><![CDATA[LD 946]]></category>
		<category><![CDATA[Maine]]></category>
		<category><![CDATA[privacy]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=734</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/internet-service-providers-launch-litigation-against-maines-new-opt-in-privacy-law/" data-wpel-link="internal">Internet Service Providers Launch Litigation Against Maine’s New Opt-In Privacy Law</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_4 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_8">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_8  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_4  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner">Several internet service provider (ISP) industry groups have joined together in bringing suit against the state of Maine in response to its new privacy law, LD 946 “An Act To Protect the Privacy of Online Customer Information,” asserting that the new rules run afoul of their free speech rights and constitute discrimination against their industry. According to Maine’s Governor Janet Mills, the law, which is set to go into effect on the 1<sup>st</sup> of July, requires ISP’s to obtain customers’ opt-in consent before using, disclosing, selling or permitting access to customer personal information, and prohibits ISP’s from refusing to serve a customer, charging a customer a penalty, or offering a customer a discount if the customer does or does not consent to the use, disclosure, sale or access of their personal information.<a href="https://www.zasio.com/internet-service-providers-launch-litigation-against-maines-new-opt-in-privacy-law/#_ftn1" name="_ftnref1" data-wpel-link="internal">[1]</a></p>
<p>Lawyers for the ISP’s contend that the new law violates their constitutional right to free expression. According to the lawsuit, the law impermissibly prevents “ISPs from advertising or marketing non-communications-related services to their customers; and prohibits ISPs from offering price discounts, rewards in loyalty programs, or other cost-saving benefits in exchange for a customer’s consent to use their personal information,” which violates the first amendment because it “excessively burdens ISPs’ beneficial, pro-consumer speech about a wide variety of subjects, with no offsetting privacy-protection benefits.” <a href="https://www.zasio.com/internet-service-providers-launch-litigation-against-maines-new-opt-in-privacy-law/#_ftn2" name="_ftnref2" data-wpel-link="internal">[2]</a> The lawsuit also asserts that much of the data being restricted is neither sensitive in nature nor personally identifying.</p>
<p>The ISPs further argue that the law is discriminatory because it targets only their industry subset, while “ignoring” other companies that are using or selling customer personal information in connection with services provided over the internet or through brick-and-mortar retail outlets. Absent any evidence or legislative findings that justify targeting ISPs, they argue, Maine’s privacy law constitutes discrimination against similarly situated speakers forbidden by the First Amendment. They also claim that the law is unconstitutionally vague, that it is in any case preempted by federal legislation which repealed and prohibited ISP-specific federal privacy rules, and that it thwarts the ability of ISPs to comply with several mandatory federal reporting requirements.</p>
<p>These arguments potentially raise colorable challenges to the efforts of state lawmakers to regulate privacy on a state-by-state basis. The United States Constitution’s guarantee of free speech offers a unique avenue for American companies to push back against the slew of new privacy laws being enacted by California (California Consumer Privacy Act – CCPA) and other U.S. states. In addition, the fact that Congress has declined to enact comprehensive federal privacy legislation – coupled with the Federal Communications Commission’s current posture that disclosure, competition, and federal oversight are the best way to regulate and promote internet consumer privacy – may weigh on the enforceability of the growing patchwork of state privacy laws in light of the supremacy of federal law. Will federal courts interpret these facts as limitations on the authority of each State to enact its own privacy laws?</p>
<p>State legislatures will likely be paying close attention to the outcome of this case. If the industry groups’ argument against ISP-specific legislation gains traction, that may support a trend towards more broadly-written privacy laws that aim to generally cover all personal data use rather than focusing on a specific industry sector. But in a larger sense, the industry groups’ assertion that federal laws and regulations substantially preempt state efforts to regulate online consumer privacy represents an important skirmish in the ongoing struggle over efforts to fill the void left by Congress’ decision to refrain from passing a comprehensive federal privacy law. Unless and until such a federal law is passed, federal court decisions are likely to set the tone for both the pervasiveness and scope of potential privacy laws produced by state legislatures across the country. If legal challenges to state laws are successful, the result could be a simplified and streamlined legal landscape instead of a menagerie of sector-specific privacy laws among the 50 states, which would certainly be far simpler for RIM professionals from a compliance perspective. If lawsuits like this one are not successful, we can expect to see a lot more privacy legislation and complexity on the horizon.</p>
<p><a href="https://www.zasio.com/internet-service-providers-launch-litigation-against-maines-new-opt-in-privacy-law/#_ftnref1" name="_ftn1" data-wpel-link="internal">[1]</a> <a href="https://www.maine.gov/governor/mills/news/governor-mills-signs-internet-privacy-legislation-2019-06-06" data-wpel-link="external" rel="external noopener noreferrer">https://www.maine.gov/governor/mills/news/governor-mills-signs-internet-privacy-legislation-2019-06-06</a></p>
<p><a href="https://www.zasio.com/internet-service-providers-launch-litigation-against-maines-new-opt-in-privacy-law/#_ftnref2" name="_ftn2" data-wpel-link="internal">[2]</a> <a href="https://acaconnects.org/u-s-district-court-for-the-district-of-maine-complaint-for-declaratory-judgment-and-injunctive-relief-w-ctia-ncta-and-ustelecom-re-maines-l-d-946/" data-wpel-link="external" rel="external noopener noreferrer">https://acaconnects.org/u-s-district-court-for-the-district-of-maine-complaint-for-declaratory-judgment-and-injunctive-relief-w-ctia-ncta-and-ustelecom-re-maines-l-d-946/</a></p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_9">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_9  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_team_member et_pb_team_member_4 clearfix  et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img loading="lazy" decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2023/05/Frank-01-96x96-1.png" alt="Author: Frank Fazzio, IGP, CRM" class="wp-image-1966" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Frank Fazzio, IGP, CRM</h4>
					<p class="et_pb_member_position">Analyst / Licensed Attorney</p>
					
					
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://zasio.com/internet-service-providers-launch-litigation-against-maines-new-opt-in-privacy-law/" data-wpel-link="internal">Internet Service Providers Launch Litigation Against Maine’s New Opt-In Privacy Law</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/internet-service-providers-launch-litigation-against-maines-new-opt-in-privacy-law/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Quantum Supremacy: Rethink Encryption in Records and Information Management</title>
		<link>https://zasio.com/quantum-supremacy-rethink-encryption-in-records-and-information-management/</link>
					<comments>https://zasio.com/quantum-supremacy-rethink-encryption-in-records-and-information-management/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Mon, 28 Oct 2019 20:06:46 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Frank Fazzio]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[Frank Fazzio]]></category>
		<category><![CDATA[information governance]]></category>
		<category><![CDATA[Quantum computer]]></category>
		<category><![CDATA[quantum computing]]></category>
		<category><![CDATA[quantum entanglement]]></category>
		<category><![CDATA[qubits]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=759</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/quantum-supremacy-rethink-encryption-in-records-and-information-management/" data-wpel-link="internal">Quantum Supremacy: Rethink Encryption in Records and Information Management</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_5 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_10">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_10  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_5  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner">Encryption is an essential element in the toolbox of any security professional or records manager. In the event of a data breach, encryption acts as a failsafe to make stolen data unreadable to hackers and prevent them from putting it to nefarious uses. Encryption also plays a key role in our ordinary daily lives. When you log in to a website or pay with your credit card, you are relying on encryption to keep your credentials out of the hands of thieves. The encrypted contents of smartphones keep our private conversations and photographs safe from prying eyes. Even law enforcement agencies like the FBI and CIA are unable to read the contents of certain encrypted messages and devices. Blockchain technology built on encryption has captured the attention of investors and futurists during the last few years. Encryption has now become so effective, reliable, and ingrained in our society that it has even been enshrined in legislation — numerous laws, including the recently passed CCPA, require the encryption of personal information to protect against unauthorized disclosure. Indeed, encryption algorithms act as the mortar that binds together much of the elaborate architecture of our digital lifestyle. Unfortunately, scientific advances are beginning to reveal that this architecture might be built upon a foundation made of sand. New innovations in quantum computing have upended long-held assumptions about the level of safety and security that encryption provides, and may soon necessitate a shift in the way society relies upon it.</p>
<p>The basic premise behind encryption is that it offers effectively unbreakable security. There is simply no practical way to overcome strong encryption without the existence of a “backdoor” that allows one to obtain the decryption keys. The secret sauce behind unbreakable encryption is a numerical puzzle so incomprehensibly difficult that even the fastest computer would have no hope of solving it, not even if given (quite literally) a million billion years to run. However, that presumption of impossibility has now been shattered by the advent of quantum computing.</p>
<p>Quantum computers are fundamentally different from classical computers. Traditional computer transistors can take a value of either 1 or 0, on or off, to store one “bit” of information. Quantum computers instead use “qubits” that can assume a value of 1, 0, or any value in between. This allows qubits to counterintuitively be partly on and partly off at the same moment, a property called “superposition.” Superposition dramatically expands the number of possible different configurations that an arrangement of qubits can take, thereby amplifying their computational potential by a dizzying amount.</p>
<p>Qubits also make use of a phenomenon called “quantum entanglement.” Einstein called this “spooky action at a distance,” but in the ordinary sense this just means that entangled qubits are able to affect one another without necessarily being in physical contact. An operation or measurement performed on one entangled qubit will have a predictable impact on all other entangled qubits. A quantum computer exploits this relationship by entangling multiple qubits so that a collection of entangled qubits together stores all of the possible combinations of states that the computer system can assume.</p>
<p>As a consequence of these properties, quantum computers can dramatically outperform classical computers. While a classical computer’s problem-solving power scales linearly with the volume of computing power available to it, quantum computers operate on a geometric scale. For instance, a doubly difficult problem will take a traditional computer twice as long to solve, but it will only take a quantum computer √2 as long, or 41% longer. This may not sound like much of a difference, but the time savings add up when the problems get much harder. All things being equal, when dealing with a problem a million times harder, it will take a traditional computer a million times longer to solve it…but for a quantum computer, only a thousand times longer.</p>
<p>To illustrate the potential difference this could make, a 2048-bit SSL certificate would take an average desktop computer about 6.4 quadrillion years to crack.<a href="https://www.zasio.com/quantum-supremacy-rethink-encryption-in-records-and-information-management/#_ftn1" name="_ftnref1" data-wpel-link="internal">[1]</a> But Martin Ekerå at the KTH Royal Institute of Technology in Stockholm, Sweden and Craig Gidney of Google have shown that a quantum computer with 20 million qubits could theoretically solve it in only about 8 hours.<a href="https://www.zasio.com/quantum-supremacy-rethink-encryption-in-records-and-information-management/#_ftn2" name="_ftnref2" data-wpel-link="internal">[2]</a></p>
<p>Quantum computing has been the stuff of science fiction for decades, but recent breakthroughs are now dramatically accelerating the timeline for quantum computing to go from concept to reality. Not long ago, experts assumed it would be decades before the first quantum computers would be built, but a 72-qubit quantum computer is now already operational.<a href="https://www.zasio.com/quantum-supremacy-rethink-encryption-in-records-and-information-management/#_ftn3" name="_ftnref3" data-wpel-link="internal">[3]</a> Even more astonishingly, a paper last month stunned the world by revealing that Google has successfully used a 54-qubit quantum computer called Sycamore to complete a computation in just a few minutes that would have required over 10,000 years for the world’s fastest supercomputer to complete – an achievement that has been widely referred to as “quantum supremacy.”<a href="https://www.zasio.com/quantum-supremacy-rethink-encryption-in-records-and-information-management/#_ftn4" name="_ftnref4" data-wpel-link="internal">[4]</a> Encryption enthusiasts predicted with glee that a quantum computer like Sycamore could potentially pack enough computing power to mine all 3 million remaining Bitcoins in about 2 seconds (bitcoins are designed to be mined at a rate of 12.5 globally every 10 minutes).<a href="https://www.zasio.com/quantum-supremacy-rethink-encryption-in-records-and-information-management/#_ftn5" name="_ftnref5" data-wpel-link="internal">[5]</a> But IBM, another leading name in quantum computing research, has questioned the accuracy of Google’s claim, estimating that its Summit classical supercomputer could actually run the calculation in as little as 2.5 days.<a href="https://www.zasio.com/quantum-supremacy-rethink-encryption-in-records-and-information-management/#_ftn6" name="_ftnref6" data-wpel-link="internal">[6]</a></p>
<p>Even if Google’s achievement falls short of true quantum supremacy, that milestone is in any case still far closer than previously thought. While 72 qubits may seem like a far cry from 20 million, consider the fact that computers in the 1970s contained only thousands of transistors, while today’s latest processors can pack billions onto a chip the size of a fingernail.<a href="https://www.zasio.com/quantum-supremacy-rethink-encryption-in-records-and-information-management/#_ftn7" name="_ftnref7" data-wpel-link="internal">[7]</a></p>
<p>There do exist post-quantum codes to encrypt information so that even a quantum computer will not be able to crack it. However, these encryption algorithms are rather unwieldy – for example, one post-quantum encryption algorithm requires the use of a public key with a file size weighing in at over a terabyte.<a href="https://www.zasio.com/quantum-supremacy-rethink-encryption-in-records-and-information-management/#_ftn8" name="_ftnref8" data-wpel-link="internal">[8]</a> One can imagine the huge expenses and logistical challenges associated with rolling out this type of encryption on a wider scale. It might only make sense to use post-quantum encryption algorithms for critical information that needs to be kept secure for very long periods of time; longer than the 20-25 years it may take for quantum computing technology to advance.</p>
<p>Quantum computers are still in their infancy, but the technology is developing at a rapid and accelerating pace. Records managers and IT admins would do well to start thinking about employing post-quantum encryption for the most vital records and information that require long-term protection, lest they be caught unprepared once quantum computing technology eventually takes off. The consequences are trivial if an encrypted email about a new marketing initiative or an instant message about grabbing tacos for lunch might be decrypted 20 years from now. But for highly sensitive information – e.g., candid or embarrassing high-level conversations of top executives or government officials, classified top-secret documents, the formula for Coke – one may care very much about that information being potentially exposed a few years down the road.</p>
<p>While most companies do not possess information that rises to this level of sensitivity, those that do need to be clear-eyed about the potential future implications of quantum technology and take proportional measures to prepare for its arrival. A “wait-and-see” approach is often a wise choice in the records and information management space when dealing with potential legal, regulatory, or technological developments. But when hardening critical systems against quantum computing attacks, time may be a luxury that one can ill afford, and the failure to make necessary preparations well in advance of quantum computing technology developments could potentially have disastrous consequences for the security of vital information.</p>
<p>&nbsp;</p>
<p><a href="https://www.zasio.com/quantum-supremacy-rethink-encryption-in-records-and-information-management/#_ftnref1" name="_ftn1" data-wpel-link="internal">[1]</a> https://www.digicert.com/TimeTravel/math.htm</p>
<p><a href="https://www.zasio.com/quantum-supremacy-rethink-encryption-in-records-and-information-management/#_ftnref2" name="_ftn2" data-wpel-link="internal">[2]</a> https://www.technologyreview.com/s/613596/how-a-quantum-computer-could-break-2048-bit-rsa-encryption-in-8-hours/</p>
<p><a href="https://www.zasio.com/quantum-supremacy-rethink-encryption-in-records-and-information-management/#_ftnref3" name="_ftn3" data-wpel-link="internal">[3]</a> https://www.sciencenews.org/article/google-moves-toward-quantum-supremacy-72-qubit-computer</p>
<p><a href="https://www.zasio.com/quantum-supremacy-rethink-encryption-in-records-and-information-management/#_ftnref4" name="_ftn4" data-wpel-link="internal">[4]</a> https://www.newscientist.com/article/2217347-google-claims-it-has-finally-reached-quantum-supremacy/</p>
<p><a href="https://www.zasio.com/quantum-supremacy-rethink-encryption-in-records-and-information-management/#_ftnref5" name="_ftn5" data-wpel-link="internal">[5]</a> https://bitcoinist.com/3-million-bitcoin-in-2-seconds-google-quantum-computer/</p>
<p><a href="https://www.zasio.com/quantum-supremacy-rethink-encryption-in-records-and-information-management/#_ftnref6" name="_ftn6" data-wpel-link="internal">[6]</a> https://hexus.net/tech/news/cpu/136028-ibm-disputes-googles-quantum-supremacy-claim/</p>
<p><a href="https://www.zasio.com/quantum-supremacy-rethink-encryption-in-records-and-information-management/#_ftnref7" name="_ftn7" data-wpel-link="internal">[7]</a> https://www.sciencealert.com/new-computer-chips-can-fit-30-million-transistors-on-your-fingertip</p>
<p><a href="https://www.zasio.com/quantum-supremacy-rethink-encryption-in-records-and-information-management/#_ftnref8" name="_ftn8" data-wpel-link="internal">[8]</a> https://eprint.iacr.org/2017/351.pdf</p>
<p>&nbsp;</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_11">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_11  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_team_member et_pb_team_member_5 clearfix  et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img loading="lazy" decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2023/05/Frank-01-96x96-1.png" alt="Author: Frank Fazzio, IGP, CRM" class="wp-image-1966" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Frank Fazzio, IGP, CRM</h4>
					<p class="et_pb_member_position">Analyst / Licensed Attorney</p>
					
					
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://zasio.com/quantum-supremacy-rethink-encryption-in-records-and-information-management/" data-wpel-link="internal">Quantum Supremacy: Rethink Encryption in Records and Information Management</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/quantum-supremacy-rethink-encryption-in-records-and-information-management/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Proposed New York Privacy Act Breaks New Ground on Personal Data</title>
		<link>https://zasio.com/proposed-ny-privacy-act-breaks-new-ground-on-personal-data/</link>
					<comments>https://zasio.com/proposed-ny-privacy-act-breaks-new-ground-on-personal-data/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Mon, 08 Jul 2019 20:27:34 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Frank Fazzio]]></category>
		<category><![CDATA[CCPA]]></category>
		<category><![CDATA[data fiduciary]]></category>
		<category><![CDATA[Frank Fazzio]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[New York Privacy Act]]></category>
		<category><![CDATA[personal data privacy]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[privacy law]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=780</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/proposed-ny-privacy-act-breaks-new-ground-on-personal-data/" data-wpel-link="internal">Proposed New York Privacy Act Breaks New Ground on Personal Data</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_6 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_12">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_12  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_6  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner">Now that the one-year anniversary of the GDPR implementation date has come and gone, many in the business world are collectively exhaling after a long and arduous period of privacy compliance efforts. But the respite is short-lived: preparations are already underway to handle the new California Consumer Privacy Act (CCPA), which will go into effect on January 1, 2020 (pending any last-minute amendments during the interim). The CCPA has a one-year lookback period, meaning that CCPA-compliant recordkeeping should already be well underway. However, another challenging new privacy law is already potentially looming on the horizon. New York lawmakers recently introduced a groundbreaking new piece of legislation that in some aspects might be significantly tougher than either the GDPR or the CCPA. If passed as written, the <a href="https://www.nysenate.gov/legislation/bills/2019/s5642" data-wpel-link="external" rel="external noopener noreferrer">New York Privacy Act</a> may represent a seismic shift in how companies use and manage their customers’ personal data. While similar to other privacy laws in many respects, the draft law may have dramatically sharper teeth due to two important provisions.</p>
<p>In the first, it imposes a completely novel duty on anyone processing consumer personal data, which the law calls a “data fiduciary.” A data fiduciary must exercise the “duty of care, loyalty and confidentiality expected of a fiduciary with respect to securing the personal data of a consumer against a privacy risk; and shall act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker, in a manner expected by a reasonable consumer under the circumstances.” Any third party with whom the fiduciary shares or sells data must also agree to abide by that same standard. Furthermore, to avoid any doubt, the law clarifies that the data fiduciary duty “shall supersede any duty owed to owners or shareholders of a legal entity or affiliate thereof, controller or data broker, to whom this article applies.”</p>
<p>Acting in a way that protects the interests of consumers is a worthy goal, but the immediate issue with this provision for many businesses is that processing personal data for use in marketing, including the selling of targeted advertisements, generally confers a financial benefit on the company at the expense of consumers’ privacy. And although businesses have a duty to their shareholders to manage the business profitably and extract value from its assets, under the draft law that duty would take a backseat to their obligations to consumers. The practice of monetizing personal data is so lucrative that it has become an indispensable bedrock revenue stream for some of the largest tech giants of Silicon Valley, without which many of those companies may not be profitable at all.</p>
<p>In the second, the law departs from the CCPA by granting an expansive private right of action to consumers who have been harmed by non-compliance with the law. The CCPA mostly leaves enforcement to the California Attorney General, allowing private persons to recover damages only in the limited event of a data breach that exposes their unencrypted personal information. But New York’s draft law would instead give every individual the right to sue to enjoin any activity that violates the law and/or recover damages. The private right of action would potentially force companies to defend against a barrage of lawsuits, particularly class-action lawsuits, from a variety of different claimants. A similar provision was contemplated for the CCPA but was ultimately excluded from the final version after an intense round of lobbying from business interests.</p>
<p>Taken together, those two features could constitute a one-two punch that deals a heavy blow to company bottom lines by exposing them to open-ended liability while simultaneously hampering many of their most reliable and profitable revenue streams.</p>
<p>In addition, the law doesn’t have any type of revenue hurdle for bringing businesses into its enforcement purview. The CCPA sets the threshold for compliance at one of the following: $25 million in revenue, service of 50k or more California consumers or devices, or deriving at least 50% of revenue from selling California consumers’ personal information. By contrast, the New York Privacy Act would be applicable to all entities and individuals, large and small, which could potentially make compliance for small businesses very tricky or expensive.</p>
<p>Since this bill is still only in draft form in committee, a lot could change before it is put to a vote or enacted into law. And with New York and other states joining California in a push to regulate personal data privacy, the incentive to replace a myriad of State-level laws with one unified Federal privacy act may grow even stronger in the near future. While they wait for the legislative process to unfold, business managers and privacy professionals should continue to build out their capacities to monitor and control their processing of personal data so that they will have the flexibility and agility to proactively manage requirements like the New York Privacy Act and other future regulatory developments.</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_13">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_13  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_team_member et_pb_team_member_6 clearfix  et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img loading="lazy" decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2023/05/Frank-01-96x96-1.png" alt="Author: Frank Fazzio, IGP, CRM" class="wp-image-1966" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Frank Fazzio, IGP, CRM</h4>
					<p class="et_pb_member_position">Analyst / Licensed Attorney</p>
					
					
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://zasio.com/proposed-ny-privacy-act-breaks-new-ground-on-personal-data/" data-wpel-link="internal">Proposed New York Privacy Act Breaks New Ground on Personal Data</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/proposed-ny-privacy-act-breaks-new-ground-on-personal-data/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>CNIL Fines Google, Company Vows Appeal: Clarity, or Confusion?</title>
		<link>https://zasio.com/cnil-fines-google-company-vows-appeal/</link>
					<comments>https://zasio.com/cnil-fines-google-company-vows-appeal/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Fri, 01 Feb 2019 20:12:21 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Frank Fazzio]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[Frank Fazzio]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[General Data Protection Regulation]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[privacy]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=836</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/cnil-fines-google-company-vows-appeal/" data-wpel-link="internal">CNIL Fines Google, Company Vows Appeal: Clarity, or Confusion?</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_7 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_14">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_14  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_7  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner">
<p>The €50 million fine levied last week by the French National Commission on Informatics and Liberty (CNIL) against Google for violations of the GDPR has struck the tech industry with a resounding thunderclap, sending shockwaves that are being felt in boardrooms across the globe. As the first significant penalty imposed against a major multinational technology company under the EU’s new GDPR regime, the hefty fine is widely viewed as a shot across the bow in the coming struggle between privacy regulators and big data aggregators about the scope of conduct that will be permitted under the new rules. While surely intended as an instructive example to set the tone of regulators’ expectations, the contours of the CNIL decision and Google’s swift pledge to appeal the ruling likely mean this event will generate as many new questions as it answers.</p>
<p>Since long before the GDPR came into force last May, tech companies have been pouring tremendous resources into bringing their operations into compliance with the new requirements, and those efforts continue today. But the degree to which those requirements would be enforced and the severity of the actual penalties that would be imposed have remained hypothetical—until now.</p>
<p>In announcing the penalty, the CNIL identified two areas where Google allegedly violated GDPR requirements. In the first, the CNIL cited a “violation of the obligations of transparency and information” because the information provided by Google is not easily accessible.  Google’s data processing purposes, storage periods, and the categories of personal data can only be reached after clicking several buttons, totaling as many as five or six actions before reaching the relevant information. Furthermore, the operations are “particularly massive and intrusive” in light of the constellation of different services offered and the volume of data processed and combined.</p>
<p>In the second, the CNIL identified a “violation of the obligation to have a legal basis for ads personalization processing.” While Google does obtain users’ consent to process personal data for targeted advertisement, the CNIL alleges that the consent is “not validly obtained” because the user is not sufficiently informed and the consent is neither specific nor unambiguous. By spreading the necessary information across several documents, users struggle to understand the scope of the information processing.  While options for targeted ads can be customized through a series of check-boxes, the default state is for those boxes to be ticked “yes,” while the GDPR conversely requires an affirmative act—for instance, ticking a box that has by default been set to “no.”</p>
<p>Although this action is rightly interpreted as a warning intended to provide clarity and induce companies to take heed and make changes, it also raises a number of new questions.  And some of the largest tech industry players may find that there is no easy way to revise their products and services framework and literature to bring their operations in line with regulators’ expectations.</p>
<p>Google is by no means a small company and, while €50 million will not have a material impact on the financial condition of a company the size of Google, fines of this magnitude could threaten the survival of many smaller companies who handle personal data.</p>
<p>In addition to the threat of much higher fines, the ruling also threatens the company’s bottom line by potentially disrupting the tremendous targeted ad revenues that make up a large portion of that $110 billion in revenue.  For instance, even by just making one single alteration referenced in the CNIL’s decision—changing the default personal data sharing option to “no”—the number of users who opt to make their personal data available for processing could suffer a precipitous fall. This trend might be exacerbated once newly revised privacy disclosures lead to customers having a more complete understanding of all that is being done with their data. Armed with this knowledge, customers are more likely to opt “no” in far greater numbers.</p>
<p>Furthermore, the ruling raises important questions about what general conclusions the tech industry can draw about adequate privacy disclosures based on the deficiencies identified by the CNIL.  Are boxes ticked by default to “yes” to be prohibited in all cases, or just in this particular case? If five or six actions to access relevant privacy information is opaque, will two or three be considered transparent, or must it be one… or zero?</p>
<p>One might also wonder: how is it possible for a company to offer dozens of interconnected services that share and co-mingle customers’ personal data across platforms, while at the same time making it <em>easy</em> to understand all of the purposes, uses, and retention periods for that data? Is it even possible, or is that a contradiction in terms? This conundrum could present a Gordian knot that Google and others in the tech industry may find impossible to untangle without cutting some of their current product and service offerings. The answers to these questions and many others will come into greater focus as the appeal plays out and future enforcement actions come down the pipeline. But for now, one thing is crystal clear: this ruling presents an ill omen for business models that rely on customers to swiftly click “accept” and share their personal data.</p>
<p>While the drumbeat of GDPR compliance may have become all too familiar to privacy practitioners during the past few years, the CNIL’s decision on Google underlines the reality that we are likely only just witnessing the opening act of an epic drama whose scenes will take center stage for a global audience of politicians, regulators, and tech titans for many years to come.</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_15">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_15  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_team_member et_pb_team_member_7 clearfix  et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img loading="lazy" decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2023/05/Frank-01-96x96-1.png" alt="Author: Frank Fazzio, IGP, CRM" class="wp-image-1966" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Frank Fazzio, IGP, CRM</h4>
					<p class="et_pb_member_position">Analyst / Licensed Attorney</p>
					
					
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://zasio.com/cnil-fines-google-company-vows-appeal/" data-wpel-link="internal">CNIL Fines Google, Company Vows Appeal: Clarity, or Confusion?</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/cnil-fines-google-company-vows-appeal/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
