New York AG Seeks to Require Privacy Violation Notifications

While the law has adapted to the reality of cyberattacks and data breaches, in the wake of recent revelations about Facebook use of personal information, New York’s Attorney General intends to propose legislation to address Privacy Violations — where personal information is obtained or used by organizations in violation of a platform’s terms of service, or the law.

Facebook has recently acknowledged that data analytics firm Cambridge Analytica collected personal information of 50 million Facebook users without their consent as part of a political influence campaign. It was reported that Mark Zuckerberg and other social media executives will testify before Congress.

It was also announced last week that New York State Attorney General Eric Schneiderman intends to propose legislation requiring such platforms to notify his office and New York consumers if their personal information is obtained in violation of the law or the platform’s terms of service. In theory, such legislation would also provide whistleblower status for employees reporting violations of terms of service. Schneiderman has also supported separate legislation to address data breaches, the SHIELD Act (Stop Hacks and Improve Electronic Data Security Act) which would require companies to adopt reasonable administrative, technical and physical safeguards for sensitive data with an improved trigger for reporting requirements. Noteworthy, Schneiderman reported that a 2017 data breach study found that 44 percent of reported breaches were the result of hacking.

Reacting to the Facebook debacle, former FCC Commissioner and current President and CEO of the National Cable & Telecommunications Association (NCTA), Michael Powell, stated in a C-SPAN interview that Facebook’s exposure of user information was “inevitable.” Powell opined that “. . . we have seen a series of policies that are quite bent toward focusing only on one narrow part of that Internet sphere, and it isn’t really effectively protecting because it continues to allow the same kinds of behaviors for edge providers or technology companies, whether that’s data or privacy or even net neutrality.” With such attention being given to the Facebook hack by State and Federal government, increased regulation is inevitable, but the focus of such legislation is unclear.