Personal information has been a treasure trove for data miners, aggregators and marketing firms. The practice of scraping, bundling, repackaging and reselling that data is big business in the United States. An increasing number of states, however, are starting to regulate and restrict this collection and resale of personal information — particularly where that information includes biometric data.
All 50 states have their own breach notification statutes. While the SolarWinds Orion data breach has caused Congress to once again beat the drum for a national breach notification law, at present a New Jersey business that experiences a data breach compromising the personal information of only New Jersey residents has a reporting obligation not only to the state, but to the impacted individuals as well. Failure to give timely notice of a breach will trigger fines. If that same business experienced a breach compromising the personal data of individuals in multiple states, it would need to notify several states’ agencies and the impacted individuals in a timely manner, with each jurisdiction prescribing its own definition of timeliness.
Further, if that same business has employees and customers that are New York residents, then under the NY SHIELD Act, that business already has an affirmative duty to take reasonable measures to protect the personal information it maintains and processes. Failure to do so can result in fines from regulators, regardless of whether a breach has occurred.
New York Biometric Privacy Act on the horizon
Now, New York is looking to follow Illinois, Washington state, Texas, Arkansas and California with its proposed Biometric Privacy Act — NY BPA — which would require a business to give notice prior to collecting any biometric information about an employee or customer, to secure consent prior to that collection and not to sell that information without the person’s consent. Unlike the NY SHIELD Act, this draft legislation would afford impacted individuals a private cause of action for violations. For “mere” negligence, the damages would be $1,000 or actual damages (whichever is greater) plus attorneys’ fees; for willful violations, the damages can be as high as $5,000 or actual damages (again, whichever is greater) plus attorneys’ fees.
Consider the $650 million settlement announced in the Facebook litigation, resolving suits that had been pending, in part, under the Illinois Biometric Information Privacy Act. Granted, many businesses do not hold data on the same number of persons as Facebook, but those same businesses are unlikely to weather an award of even 1% of that figure.
Few businesses operate in only one jurisdiction, and, with staff who have recently begun working remotely, businesses with offices only in New Jersey are likely already subject to multiple jurisdictions’ data breach notification laws and to several jurisdictions’ proactive legislation requiring reasonable measures to protect personal information processed by or on behalf of the business.
Tips and proactive measures for businesses
“Processing” in this context should be broadly interpreted to include collecting, storing, accessing, managing, sharing, selling, transmitting, transferring and deleting personal information. Businesses must also consider the third-party vendors they use to process personal information. As we have read in the last several weeks, federal agencies, accounting and law firms, retailers, health care providers and restaurants have been victims of data breaches due to either their own practices or those of their third-party vendors.
Proactive measures should include, without limitation:
- Adopt and implement an information security program;
- Inventory data and the assets “processing” that data;
- Undertake a risk assessment, identify vulnerabilities and take steps to mitigate and/or remediate those vulnerabilities;
- Deploy technology to prevent and detect compromises;
- Train personnel;
- Secure physical locations that process personal information;
- Vet vendors that process personal information;
- Review internal policies and external-facing privacy policies to confirm they comply with the mandates of the jurisdiction(s) and laws to which the business is subject;
- Where biometric information is gathered, provide clear prior notice and secure informed consent (at least where the jurisdiction(s) mandate it);
- Carefully consider the laws to which the business is subject before personal information is sold;
- Review your upstream and downstream contractual relationships to understand your obligations, and your ability to recover from a third-party vendor in the event of a data breach or a violation of proactive privacy laws;
- Purchase cyberinsurance and crime coverage that provide meaningful coverage, including for a remote workforce (and the remote workforce of your vendors).
These undertakings are not a “one and done,” but instead should be part of an annual exercise.
For small businesses (less than $35 million in annual revenues), the New Jersey Small Business Development Center offers webinars at no cost and counseling services at a reduced rate addressing these and other related issues. The New Jersey Cybersecurity and Communications Integration Cell also provides free resources on a variety of topics. Finally, Cybercrime Support Network, a not-for-profit organization, provides free resources for small businesses that have experienced a data breach.
The time for a business of any size to say “I am not a target” has long since passed. Do not wait to become the next headline.
Michelle A. Schaap is a member with Chiesa Shahinian & Giantomasi P.C. and is the founder of the firm’s Privacy & Data Security Group.