New York Becomes Fifth State to Define a Breach to Include “Access” to Information
Daniel De Zayas, a legal intern at ZwillGen, writes:
New York has updated its breach notification and data security law, expanding the definition of a data breach and imposing detailed reasonable security requirements, among other changes. The amendment also adds a number of new data elements to the definition of “private information.” On July 25, 2019, Governor Cuomo signed S5575B, with the breach notification amendments taking effect on October 23, 2019, and the security requirements taking effect on March 21, 2020.
Notably, S5575B expands the definition of a “breach of the security of the system” to include unauthorized access to private information in addition to unauthorized acquisition. In assessing whether private data has been accessed without authorization, the amended law says businesses “may consider” factors such as indications that the information was viewed, communicated with, used, or altered without authorization. S5575B is the first state law to attempt to frame “access,” but it blurs the distinction between access and acquisition (e.g., unauthorized use is already mentioned as a factor to consider in assessing whether unauthorized acquisition has occurred).
Read more on Law Across the Wire and Into the Cloud.