New York recently enacted a law governing employee monitoring. The law applies to New York employers who monitor employees through electronic devices. This includes monitoring of telephone, emails, and internet access or usage. The law takes effect May 7, 2022.

Continue Reading New York Imposes New Requirements for Employee Monitoring

New York City recently enacted a biometric ordinance that is set to come into effect July 9, 2021. With this ordinance, NYC joins other cities (like Portland) in regulating the use of biometric information. The ordinance may impact retailers, restaurants, and entertainment venues in the city that use security cameras with facial-recognition technology or otherwise collect biometric identifiers from their customers. Continue Reading New York City Biometric Ordinance Effective July 9, Are You Ready?

The operator of CafePress, an online retailer that sells customizable mugs and other products, has reached an agreement with New York State Attorney General Letitia James and six other State Attorneys General to settle claims related to a 2019 data breach. The breach stemmed from a cyberattack that the company suffered in early 2019. Upon learning of the attack, the company engaged a third-party investigation firm that identified a vulnerability in the company’s Structured Query Language (SQL) protocols. As a result, CafePress looked at its database and two weeks of logs but did not find evidence of any data breach. Regardless, CafePress released a security patch to fix the vulnerability and automatically reset the passwords of all customer accounts, requiring all users to reset their passwords upon logging in. Continue Reading New York and Others Settle with CafePress Over 2019 Data Breach

As we recently reported, New York’s new SHIELD Act contains data security provisions. It also contains a number of key changes to New York’s existing breach notification obligations. These changes will become effective October 23, 2019. Continue Reading New York SHIELD Act Expands Breach Notice Requirements Starting in October

New York recently passed the SHIELD Act, which, among other things, newly establishes data security requirements for companies that collect private information about New York residents. The data security protections required by the Act go into effect in March 2020. Companies that are already subject to and compliant with data security requirements under HIPAA, GLBA, or the NYDFS will be deemed compliant with this new law. Between now and March companies will want to think about these new data security provisions. Continue Reading Preparing for New York’s New Data Security Requirements

In a recent letter, the New York Department of Financial Services provided guidance for insurers who use third party data to help with their underwriting decisions. The letter was drafted in response to reports that insurers are getting information about potential insureds from many “unconventional” data sources, including those that contain predictive models and algorithms. These sources are used to supplement medical underwriting, and include information that isn’t necessarily related to a person’s medical condition, but might impact an insurer’s decision. While these sources could improve the market, according to NYDFS (e.g., by simplifying and expediting life insurance sales and making pricing more accurate) the sources themselves are not uniformly reliable. NYDFS had two specific concerns about these sources: first, that the algorithms they use may have a negative impact on consumers; and second, that these sources are often used without the consumers’ knowledge. Continue Reading New York Department of Financial Services Releases Letter Regarding Third Party Data Sources

In a victory for online retailers, a New York federal court recently dismissed three putative class action lawsuits brought on behalf of website visitors whose mouse clicks, keystrokes, and electronic communications were tracked by a third-party marketing company. The cases were filed against three e-commerce retailers—Casper (a mattress manufacturer and retailer), Tyrwhitt (a men’s clothing company), and Moosejaw (an active outdoor retailer)—and against a marketing company named NaviStone. NaviStone offers computer code that allows e-commerce retailers to determine the identities of consumers who visit their websites and track their online behavior. The plaintiff alleged that the code offered by NaviStone, and embedded in the retailers’ websites, functioned as an illegal wiretap enabling the retailers and NaviStone to “spy” on website visitors in real time as they browse. The lawsuits alleged violations under the federal Electronic Communications Privacy Act (ECPA), the federal Stored Communications Act (SCA), and New York General Business Law (NYGBL). Continue Reading New York Federal Court Dismisses Nationwide Class Action Arising Out of Alleged Spying by E-Commerce Retailers

The recent $575,000 settlement with EmblemHealth signals a push from AG Schneiderman “for stronger security laws and hold[ing] businesses accountable for protecting their customers’ personal data.” Noting New York’s “weak and outdated” security laws, AG Schneiderman used the settlement to urge the swift passage of the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) introduced by his office in November 2017, which would make New York one of the most protective states in terms of data privacy and security. Continue Reading New York Settles EmblemHealth Breach for $575,000

In the latest installment of what has become a quickening trend, a New York federal court recently dismissed yet another putative FACTA class action for lack of Article III standing. On the plaintiff’s fourth (and final) attempt, the court in the case (Fullwood v. Wolfgang’s Steakhouse, Inc.) held that she once again failed to plead a concrete injury against a New York City steakhouse that provided her with a receipt displaying the full expiration date of her credit card in 2013. Continue Reading New York Court Scraps Another FACTA Receipt Class Action for Lack of Standing

In late December, New York State’s Department of Financial Services (“DFS”) released its revised proposed cybersecurity regulation (the “DFS Rule”).  While the revisions pare back some of the DFS Rule’s original requirements and add some much needed flexibility, the regulation will still impose many new obligations upon a wide array of financial institutions doing business in New York.  The DFS Rule will become effective on March 1, 2017.

Continue Reading New York State Department of Financial Services Cybersecurity Regulation Poised to Reshape Existing Regulatory Landscape