New York, New York – The City So Nice, They Regulated It Twice
Not only is New York home to one of the strictest cyber security laws in the country, it may soon become home to one of the strictest privacy laws as well. On January 9, 2019, New York State Senator Brad Hoylman introduced Senate Bill S224 through the Committee on Consumer Protection that would restrict the disclosure of personal information by businesses. The Bill is known as the “Right to Know Act of 2019” and comes at a time when private consumer information is becoming more highly regulated than ever before (see the CCPA and GDPR as examples).
The rate at which companies’ networks are breached increases every month and this inadvertently exposes consumers’ personal information. Although the Right to Know Act will not stop these breaches, it will help ensure that there is far less effect on consumers when these inevitable security breaches do occur.
Like CCPA and GDPR, the main purpose of the Act is to provide more transparency to consumers about how their personal information is being handled by businesses and third-party entities. The Right to Know Act of 2019 will allow consumers to request any or all private information the business holds or has distributed about the consumer. If passed, the Act will afford the personal information of New York consumers the same protections as residents of California and Europe whose private information is being more heavily monitored and protected from malicious data activities.
Although New York already has some cyber security regulations in place (23 NY CRR 500), the proposed Act will provide coverage for the risks that the current laws do not regulate (such as gender, religious affiliation, etc.) and will also authorize users to have access to said information.
As a global hub for financial institutions who handle considerable amounts of private consumer information, it comes as no surprise that New York needs such a privacy law. The Bill is currently waiting to be placed on the floor calendar and if passed, will take effect immediately, likely starting an additional wave of data regulations to come.