Legislation pending in New York state may grant broader rights to consumers after breaches expose their personal information.

If passed and co-sponsored in the New York State Assembly and signed by Governor Cuomo, Bill S8641 that is pending before the New York State Senate will position New York state as a leader, surpassing even California in terms of granting rights to data subjects for breaches of their identifying information.

The current version of New York’s Fair Credit Reporting Act is set forth in the General Business Law § 380. That law currently regulates the way organizations (primarily credit reporting agencies) may share and use protected private information, but it does not address the issue of a data breach that exposes someone’s identifying information.

The proposed amendment is significant for:
• Expanding the definition of identifying information
• Creating a private cause of action for aggrieved data subjects
• Extending that right of action to other types of organizations that keep this type of data.
• Imposing essentially strict liability for any organization that suffers a breach revealing the data subject’s identifying information

The text of the proposed amendment is below:

§ 380-mm. Civil liability for breach of a consumer’s identifying information.

1. for purposes of this section the term “identifying information” means an individual’s:
(a) social security number;
(b) driver’s license number;
(c) bank account number;
(d) credit or debit card number;
(e) personal identification number (PIN);
(f) automated or electronic signature;
(g) unique biometric data;
(h) account passwords; or
(i) any other piece of information that can be used to access an individual’s financial accounts or to obtain goods or services.

2. A consumer reporting agency, or other user of information, in possession of a consumer’s identifying information when such identifying information is impermissibly obtained by an unauthorized third party, is liable to such consumer in an amount equal to the sum of:
(a) ten-thousand dollars;
(b) any actual damages sustained by the consumer as a result of such breach of identifying information; and
(c) in the case of any successful action to enforce any liability under this section, the costs of the action together with reasonable attorney’s fees as determined by the court.
§ 2. This act shall take effect immediately.

This law is similar to the Illinois Biometric Information Privacy Act in that it provides for liquidated damages. But it is much broader in scope. If brought as a class action following a substantial breach, the consequences could be terminal for many organizations. The law also extends section 380 beyond credit reporting agencies to organizations that use this type of information.

There would be a considerable incentive to bring an action under this new amendment. In addition to the recovery to the greater of actual damages or $10,000 per data subject, the proposed amendment allows for the unilateral award of costs and attorney fees for the data subjects. In addition, there are no defenses permissible under this amendment; so once a breach is proven that exposes the information protected by this regulation, the litigation would quickly pivot to a damages calculation.

Since this is not a law, organizations potentially impacted by this amendment may want to assess the risk this would have to their operations and either take steps to reduce the likelihood by reducing the chances of a breach or seek to address issues they may have with this law.

To conduct a risk assessment and review of your cybersecurity practices in advance of this legislation, please contact Alan M. Winchester or the attorney with whom you usually work.

This alert does not purport to be a substitute for advice of counsel on specific matters.

Harris Beach has offices throughout New York State, including Albany, Buffalo, Ithaca, Melville, New York City, Rochester, Saratoga Springs, Syracuse, Uniondale and White Plains, as well as New Haven, Connecticut and Newark, New Jersey.