In the closing rush of the legislative session in July, New York adopted a statute that requires all businesses that keep sensitive personal information to maintain appropriate procedures to protect against security breaches. Banks and certain other regulated entities that comply with Gramm Leach Bliley, HIPPA, or NY Department of Financial Services Part 500 requirements are exempt. Other businesses must satisfy a long list of cybersecurity requirements. Even small businesses (less than 50 employees or less than $3 million in annual revenues or less than $5 million in year-end total assets) must maintain reasonable safeguards based on the size and complexity of the company, the nature, and scope of its activities, and the sensitivity of the personal information it collects from or about consumers. The law is effective in March 2020. Private individuals cannot sue if a company does not comply with the statute. Instead, it is enforced by the Attorney General.

Today’s Takeaway? First, make sure that you comply with your federal and statute cybersecurity requirements, because the state exemption applies only if you are compliant. Second, evaluate your exposure to companies that collect personal data, and that means virtually every business. Do you make mortgage loans to coops that have SS#s of their cooperators? How about multi-family loans with tenant security deposits where the landlord collects SS#s. Warehouse lines of credit to car dealers and subprime auto lenders? Any business with employees who provide social security numbers so the employer can issue W-2s? Evaluate whether you want to require them to deliver a cybersecurity policy report, just like you should be doing with your vendors who get sensitive information from you.