Cyber-Theft Incidents Require Quick Follow-Up A breakdown of New York State’s Data Breach Notification Statute 6
affected New York residents. A civil penalty of up to $150,000 may be awarded for a knowing or reckless violation. In addition to being aware of the above requirements, franchised new car dealers in New York should enlist a data security professional to help assess their potential weaknesses and to adopt written policies and procedures to be followed in the event of an incident. This article was provided by James Westerlind of Arent Fox, a GNYADA Allied Member.
notification method — such as email or website posting — may be used if the cost of traditional notice would exceed $250,000, the number of recipients exceeds 500,000, or the business lacks contact information. The notice must include: The dealership’s contact information. A description of the data that was, or may have been, wrongfully acquired, including the specific types of personal and private information involved. The New York Attorney General — as well as the Department of State and the Division of State Police — must be notified of the timing, content and distribution of the notices, as well as the approximate number of affected individuals. Failure to notify the AG may result in enforcement of the statute and the seeking of damages on behalf of n n Liz Vladek to run the Department’s new Office of Labor Policy and Standards. We anticipate the DCA will continue recruiting strong labor voices to this division. The DCA has already instituted changes affecting sick leave and limiting background checks, and they have announced that they intend to focus on “low-wage workers,” specifically naming car washes as an industry of interest.
Like most states, New York requires any businesses that store electronic customer data to promptly notify affected individuals whenever that data is stolen or misused. N.Y. Gen. Bus. Law § 899-aa enables those customers to take immediate measures against identify-theft, or mitigate damage that may already be occurring. Since dealerships maintain personal information of both customers and employees, they must follow the statute's notification requirements in case of a breach. The statute specifies unencrypted information that can be used to identify a person, such as their Social Security Number, Driver’s license number, bank or credit card account numbers, etc. If a state resident’s private information is believed to have been stolen, the dealership must notify that person as expediently as possible. Notice must be provided either in writing or by telephone. A substitute The NYC Department of Consumer Affairs is increasing its focus on labor issues. City dealers should consider this a signal that the Department is soon to start looking into wage and hour issues, leave of absence and overtime policies. The Department’s trend toward worker advocacy started two months ago when veteran labor attorney Lorelei Salas was named DCA Commissioner. In August, Salas brought on former union organizer 7
New DCA Commissioner Appointed
While the DCA’s efforts may not result in the creation of new labor laws, dealers in New York City should expect stricter enforcement of existing laws. Moreover, workers now have an additional place to turn to, to voice employment grievances. This topic will be addressed at GNYADA’s Labor Law Seminar on October 18 and 20. To register, contact Phyllis at 718.746.5900 or PhyllisA@gnyada.com.
Greater New York Automobile Dealers Association • www.gnyada.com