Jul 26, 2019
How New York’s new data security law affects you and your agency
Gov. Andrew M. Cuomo signed S.5575-B into law July 25. The law, which was sponsored by Sen. Kevin Thomas, D-6, updates New York’s data breach notification law to keep pace with today’s technology. While it creates some new requirements for data breach notifications, the law does not create new requirements for entities subject to existing or future regulations by any federal or other New York state government entity.
The law requires the notice sent to those affected by a breach to include certain information that would direct consumers to federal and state data security prevention entities, and it requires businesses to send a template of their consumer notices to the attorney general and the Office of Information Technology Services. It also requires reasonable data security for private information, with a more flexible standard for small businesses.
The law also authorizes businesses in certain circumstances, such as if mailing the notifications would cost more than $250, to notify the consumer of the breach via email. If the consumer’s email is believed to have been compromised, the law authorizes the business to use other electronic methods to notify the consumer.
Since insurance agents doing business in New York already must comply with the New York cyber security regulation and the federal Gramm-Leach-Bliley Act, this law does not impose any additional requirements on them. The law considers them, and others, to be a “compliant regulated entity.”
However, even though the law does not impose any additional notification requirements on producers, because they are covered by the aforementioned regulation and act, you still would need to give notice of a breach to the state attorney general, the department of state and the division of state police.