Data Privacy & Cybersecurity

Data Privacy and Cybersecurity

We hear about corporate data breaches nearly every day, and federal, state and international legislative and regulatory bodies have responded. Businesses that collect personal information must meet certain privacy and security standards to manage legal risk. This includes providing timely notice to consumers and governmental entities when there is a data breach. These laws are sometimes confusing, and small and midsize businesses may be confused about which rules apply to them and the requirements they must meet. Experienced legal counsel is a must for companies to ensure they comply with all applicable laws.

What Cybersecurity and Privacy Laws Apply to Companies Doing Businesses in New York?

New York broadly applies its data security and breach notification laws to any person or entity that holds New York residents’ private information regardless of whether the person or entity is based in New York. Accordingly, a wide variety of businesses operating outside the state must understand how these rules affect them.


Under the New York Information Security Breach and Notification Act as amended by the “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act, New York residents have the right to be notified when their private information is revealed in a breach. This law’s requirements include the following obligations:

  • Companies must notify New York residents if their private information was exposed in a data breach. In addition, companies must notify the New York State Attorney General; the New York State Division of State Police; and the New York Department of State’s Division of Consumer Protection.
  • Notice must be given without delay, provide a description of the types of information exposed as a result of the breach, and include the contact information of the state and federal agencies that provide information on identity theft detection and prevention and security breach response.
  • Entities that collect private information about New York residents must implement reasonable administrative, technical, and physical security measures that meet certain standards. The law provides a list of protections businesses should follow such as assessing safeguards, training employees, testing, and monitoring.
  • Consumers cannot sue a company for failing to comply with the Act, but the New York Attorney General can bring an action against a business, as well as impose stiff penalties.
What Rules Apply Specifically to Financial Institutions Doing Business in New York?

The financial industry is subject to additional federal and state regulations regarding cybersecurity and privacy.

New York Department of Financial Services (NYDFS) Cybersecurity Regulation

In New York, covered financial institutions must have cybersecurity policies and protections that meet certain standards as provided in the NYDFS Cybersecurity Regulation. The law applies to all financial institutions operating under NYDFS licensure and to these institutions’ third-party service providers. Examples of covered institutions include state-chartered banks, insurance companies, lenders, mortgage companies and private bankers. Institutions must have a cybersecurity policy and incident response plan that includes written procedures and standards for security and testing, audit trails, security controls and data retention policies. They must also assess third-party service providers and require that they meet cybersecurity standards. Notably, many non-financial businesses are obligated to comply with these standards because the law applies to third-party service providers of covered financial institutions.

Gramm-Leach-Bliley Act (GLB Act)

The GLB Act is a federal law which requires that financial institutions provide consumers with “clear, conspicuous and accurate statements” about what personally identifiable financial information they collect and how it is shared and protected. In addition, financial institutions must have certain security measures in place to ensure the security and confidentiality of consumer records and information, protect customer records against any anticipated security threats and protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

What Laws Apply to New York Businesses Doing Business in Other States?

As in New York, there are other states that protect the private information of their state residents such that a business located outside the state must comply with their laws.

California Consumer Privacy Act (CCPA)

As in New York, there are other states that protect the private information of their state residents such that a business located outside the state must comply with their laws.

The CCPA gives California residents the right to control how businesses use their personal information. A business must honor requests by state residents to access, delete and opt out of sharing or selling their private information. Entities also must meet specific privacy policy and procedure requirements, including providing notice of their privacy policy and of a consumer’s rights under the CCPA. In addition, they must notify consumers of a data breach in accordance with the law.

The law applies to entities that hold or collect private information of California residents, do business in the state and meet at least one of the following thresholds:

  • Annual gross revenues larger than $25 million
  • Receive or disclose the personal information of 50,000 or more California residents, households, or devices each year
  • Make 50 percent or greater annual revenue from selling California residents’ personal information.
Illinois Biometric Information Privacy Act (“BIPA”)

The BIPA imposes certain requirements on how “private entities” collect, use and share “biometric data” and what security standards they must meet. Biometric information includes retina or iris scan, fingerprint, voiceprint or scan of hand or face geometry. Entities subject to the law must have written data retention policies, obtain informed consent from consumers and use reasonable care in securing the data that meets industry standards and is at least as protective as what is used for other types of private information. In addition, entities cannot sell or otherwise profit from the data. Consumers have the right to sue for violations of the law.

Are New York Businesses Subject to International Laws?

The General Data Protection Regulation (GDPR) protects the privacy of residents of the European Union. The GDPR replaced the former system of individual EU member states implementing local legislation in line with a “Data Directive.” The GDPR also implemented a sanctions regime for non-compliant businesses. Any entity which collects or processes the personal data of residents of the EU must comply with the GDPR regardless of where they are based in the world. The law applies to companies directly using the data as well as third-party processors of data (often referred to as “sub-processors”). As a result, businesses cannot outsource their data processing in an effort to avoid the GDPR.

As with the CCPA, EU residents have the right to know what information an entity has about them, request that their information be deleted, and opt-out of sharing or selling of their private information. Entities also must meet certain privacy and security standards and provide notification of data breaches.


Businesses may be subject to a wide range of state, federal, and international laws and non-compliance can result in significant liability.  It does not matter whether you intentionally target consumers in other jurisdictions, only that you in fact have or collect personal data on them.  As a result, before collecting any personal information, consult an experienced attorney regarding your obligations.