Description:
In our latest episode, Bill Tolson and special guest Kevin Thomas, New York State Senator, discuss the state of consumer privacy and security legislation. Kevin is the author of the New York Privacy Act and has been working on the act for the last four years. Before introducing the bill, Kevin repeatedly saw reports of personal data being manipulated and often used against consumers, and that became the driving force behind his interest in privacy and security legislation.
Speakers
Senator Kevin Thomas
Senator
New York State Senate
Kevin Thomas was elected in 2018, becoming the first Indian-American in New York history to serve in the State Senate.
As Chairman of the Consumer Protection Committee, Kevin has been the driving force behind several groundbreaking efforts to strengthen consumer protections and safeguards, including the New York Privacy Act, which aims to make New York the national leader in consumer data protection.
Bill Tolson
VP of Global Compliance & eDiscovery
Archive360
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.
Transcript:
Bill Tolson:
Welcome to the Information Management 360 Podcast. This week's episode is titled The State of Consumer Privacy and Security Legislation: A Conversation with New York State Senator Kevin Thomas. My name is Bill Tolson, and I'm the Vice President of Compliance and E-discovery at Archive 360. Joining me today is New York State Senator Kevin Thomas, author of the New York Privacy Act. Senator, welcome, and thanks for taking the time from your busy schedule to be with us today. Can you tell me how long you have been in the New York Senate?
Kevin Thomas:
So, first of all, thank you for inviting me. This is, as you know, a very, very important topic. It is an honor for me to be on this show to just talk about data privacy.
Kevin Thomas:
I've been in the Senate for four years, and I've been working on this piece of legislation for four years.
Bill Tolson:
I have a later question that I think references back maybe to a 2019 version of your bill, but I'll wait a little bit for that. So for the four years that you've been working on this, was there a single driving factor, or were there a couple of driving factors, that really pushed you into championing this idea of data privacy for New York citizens?
Kevin Thomas:
I was a legal services attorney before getting into politics. I did not have any background in this field whatsoever, but what I kept seeing were reports from various journals about how our data was being collected, and processed, and manipulated to make us do something. The 2016 election was a form of manipulation by Cambridge Analytica, using Facebook profiles and the like to push people to do one thing over another, or like a candidate or dislike a candidate with certain information.
Kevin Thomas:
So that kept me in the loop as to, all right, this area needs regulation. How do we do it? And what exactly are they up to? How are they getting this data on us and then using it to make a profit, or use it in a way to manipulate the decision that we are going to make later on? So that's how this idea of changing policy here in New York formed. Also, the fact that I looked into whether the federal government would act, but knowing them, given what's happening right now, I don't think any of them would even agree that the sun will rise tomorrow. States have to act.
Bill Tolson:
I notice in researching this, and I've been working on privacy regulations for a while, I've talked to various state legislators and we've done podcasts with them, but I noticed that two of the bills in the senate, federal senate, one by Senator Gillibrand and one by Senator Jerry Moran, I think of Kansas, stick pretty closely to what many of the state bills and some of the past laws have been too. But when I ask people, "Will they be passed in the next year or two?" I haven't run across anybody who has said yes. And that's a shame. It really is.
Bill Tolson:
I noticed another story that said that the French data protection organizations basically ruled that the way that Facebook is transferring data back to their corporate headquarters from the EU, they're transferring back to the United States, is breaking all the GDPR laws and they're going to fine Facebook. And Facebook has basically said, "Well, we'll just have to shut down all our systems in Europe." Like that's a real threat.
Kevin Thomas:
They used the same threat on me in 2019.
Bill Tolson:
Did they?
Kevin Thomas:
When I introduced the bill, saying, "Oh, we would have to shut down our practices here, our operations here in New York," and I was like, "Okay." Is this the same line that you take from the playbook?
Bill Tolson:
So I think the EU is calling their bluff as well, saying, "We would be better off without you." So it's going to be interesting over the next several years as all the various states... I'm in Colorado and we have the Colorado Privacy Act that was passed last year, and Virginia and California, I think in the first month of this year they were... including your bill, by the way, I think in the first week of January you introduced it, or reintroduced it. There were 20-odd states that put forth new privacy bills. Obviously, I think that's going to accelerate even more as we go through the year, so this is not a passing fad, obviously.
Kevin Thomas:
No, it definitely isn't, because more and more states and legislators, they are finding out what exactly is going on. You know, California was the first, we've got European Union with their privacy legislation, but more and more people are slowly finding out that it is not a good idea to give away your privacy for some convenience.
Bill Tolson:
Exactly. And people are getting educated on that, slowly, but they are. And when you were putting together your bill starting four years ago, what kind of concerns did you get from New York citizens about how their data was being used or misused?
Kevin Thomas:
Well, one is control. Give me control over my data. I would like to say no to the sharing of data when I'm given that option. Not everyone wants to give away information about them. They also want to know where it's going, who is getting this information. I've had some constituents call and say there is incorrect information about me, and I reach out to these companies and they're not taking it down. How do I delete this information? So this is the kind of feedback that we get constantly about what they've been experiencing. I know many of us do give away our personal information on an app, but that app is then selling that information.
Bill Tolson:
And they do it willingly, but the thing is they don't understand what that personal data actually means by giving it to somebody else, and the risk and the liability, and the reliability of it. Based on what you just said, and I think it's one of the really interesting concepts in your bill, and I've read the Colorado, and the Virginia, and the California. Even the bills, the current bills, are different from yours in that you have written in the need for data subjects to opt in versus opting out. That's very important because the opt-out thing, it's in two-point type in a 500-page user agreement that no one will ever get to, and they don't understand what that means anyway. But you saying that specific data subjects have to knowingly opt in before their data can be used, I think is really, really important.
Kevin Thomas:
Yes. Listen, we got a lot of pushback for putting in that specific provision because they've seen how we like to go through webpages really quickly without reading. So if you were going to opt out and something came up, you might not read it completely and let whatever it is be. But if you want to opt in, you're going to have to actually understand what it is that you're giving up here. So that's one of the reasons, for me at least, to add that specific opt-in provision in my bill versus everyone else.
Bill Tolson:
I know there are certain laws being passed around this actual use, but many of these companies will use, what do they call them? Dark pages or dark forms, which basically is an opt-out or an opt-in that's put together so that you're fooling whoever is trying to figure out what to do, with the obvious aim of tricking them into giving you the ability to use their data when they maybe don't think they're going to, and that's been an industry issue as well.
Kevin Thomas:
This issue with dark patterns, you could look at the terms and conditions that most people don't read and call them dark patterns as well, because there's a lot of information there that consumers do not actually comprehend. Even an attorney like myself, or even someone who is an expert at this, can go through this. It will take them at least an hour or so, given how long the terms and conditions are, and still not be able to tell you where your data is being harvested and-
Bill Tolson:
And who you have given what rights to your data.
Kevin Thomas:
Exactly.
Bill Tolson:
Boy, that's a shame. I've talked to Minnesota State Representative Elkins and Virginia Senator Marsden. I've had off-the-side discussions with Colorado State Senator Lundeen. And I've asked them the same question. When you were constructing your bill going back four years, did you work with any other states or look at any of the other state bills, like California's, like Washington State's, Virginia's, Colorado's, to design your bill, or was it-?
Kevin Thomas:
We did. We did a lot of research on this. We spoke to players from all sides. When I first introduced this, in that very year, we had hearings on this. We've had round tables because this was a very, very hot topic issue. Especially when the state Democrats had just flipped the state senate blue. They knew that, "Hey, the Chair of Consumer Protection...," which is me, "...is serious about this." So we put together panels, we had experts, we had privacy advocates all come together, sit down and give us ideas, tell us, "All right, the bill as is, it could be better. Or, this is bad. You've got to understand the industry a little bit more." And again, I explained to them, "I'm not trying to put anyone out of business. Privacy is actually good for business, and I'm here to empower consumers with this bill. So we need to balance both." I see right now in New York, businesses have more of a say in consumers' personal data than consumers do, so I want to balance that out, and that's what this whole thing is about.
Bill Tolson:
That's fantastic. And you said you looked at other states' bills, and it's funny, I talked to Virginia, Colorado, Minnesota, and one other, and when I asked them, "Did you work with or look at any other states?" they all said the first thing they looked at was Washington State's. That one hasn't passed yet, by the way, but they thought it was so good and they got some great assistance from the Washington people. Now, the privacy rights that you've written into your bill, what are they at a very high level?
Kevin Thomas:
So it's basically what I touched on before. It's consumers having notice, a right to notice: consumers have a right to be informed about the collection and use of their personal data and the purpose for such processing. A right to access: consumers have the right to access the categories of personal data processed by third parties, for example. A right to appeal: consumers have a right to appeal decisions made by automated processes. For example, when you go to the doctor's office and the doctor says, "Hey, you need this procedure done and we've got to run it by your insurance," and your insurance denies it, saying, "Oh, you don't really need it." But that's an AI making the decision, and not a human being behind that medical decision.
Bill Tolson:
Okay.
Kevin Thomas:
Right to delete. Just like I said, I had constituents call saying, "Hey, they've got incorrect information about me. What can be done here to change this?" Or, these companies just holding on to all this personal information about you. That's what hackers like. They know certain companies hold onto information for a very long time, so they hack and they get that information and use it to their advantage.
Bill Tolson:
The new versions of extortionware are really going after that. It's really, really dangerous. You said the right to delete, which raises an interesting question. You may not know this, but the right to delete. Say I call up a company and say, "I want to know what you have on me," and they come back within a certain amount of time and say, "Well, let's see. We've got this, and this, and this, and this." And then you can say, probably through a form, "I want you to get rid of it."
Bill Tolson:
In your mind, does that imply an unrecoverable deletion, meaning that data can never be recovered again? And I say that, I apologize, it's a little nerdy, but in the IT realm you could delete a file and it's not really deleted, just the first letter of the file name, and any child in third grade now can go back, using Norton Recovery or something, and in 10 seconds recover the file. Which means you're not really meeting that requirement for deletion. And in my mind, starting with the GDPR, but with California, and Colorado, and the rest of them, if you're asked to delete information it basically requires an unrecoverable deletion. Would you agree with that?
Kevin Thomas:
Yeah. In theory. In theory, I would agree with that.
Bill Tolson:
Okay. Yeah. And I've asked the same thing of many and they basically say the same thing you just did. I mean, especially in the United States, deletion is deletion. If a company is going to make the point to underhandedly hide the fact that they can recover the data, that's one issue, but most companies are not going to roll the dice because you can always come back and cause issues.
Bill Tolson:
But you know, that comes into another question. Your bill mentions the need for organizations to conduct regular impact assessments by independent third parties on the use of automated decision-making processes, like using machine learning or AI. Some other states, and even more so the EU GDPR, have basically written into their law that companies must do data protection assessments regularly for any company that's collecting and using PII. Some third party comes and looks at their infrastructure and says, "Yeah, they have adequate security," and you pass for the next year, versus a company just not having given much thought to actual data security.
Kevin Thomas:
Yes. So here's my thinking on this. When we had the market crash a decade ago, with the banks, now what the federal government does is go and do a stress test on the bank to see, "Hey, if this happens again, will they be able to withstand it?" Similarly, with these companies that hold so much personal information on us, and the way they use it, it's an annual risk assessment to make sure that they have those reasonable safeguards to protect consumers' personal information. It limits use and retention of data to what is necessary to provide the service, or for the use and period of time agreed to by the consumer at opt-in, trying to make sure that they're actually doing the right thing here.
Bill Tolson:
I think it's a great possible provision in future bills to say, whether it's self-done or whether you have a third-party consultant do it, you have to certify certain things, that you've taken your responsibility seriously. That brings up a follow-on question. Do you foresee in the future, especially around the states, the state privacy acts, the need to get more prescriptive in demanding specific safeguards for PII? For example, all PII must be encrypted while it's being stored. Something like that.
Kevin Thomas:
Companies are slowly figuring out that privacy is good for business.
Bill Tolson:
Yes.
Kevin Thomas:
Having a company out there that is hacked every day, or a company that's out there that is known to sell data without giving the consumer a right to say yes or no, or to know who they're giving it to, it's bad for business. Some of them are slowly finding out that this is the way that it needs to go in order to keep customers with them. They believe this is the right way. It's just that it's hard for them to let go of all that profit.
Bill Tolson:
Oh yeah. Oh yeah.
Kevin Thomas:
Problem having so much privacy [inaudible 00:18:03] too.
Bill Tolson:
I've talked to companies, forward-thinking companies, and I ask them the same question. "You keep all this personally identifiable information; no matter what you're using it for, you're a target for cyber theft. You're a target for ransomware and extortionware. Would you consider moving to the next step in security, maybe zero trust architectures, but encryption, for example?" They've all said, yes, we're moving that way because it will lower our cyber liability insurance costs, which makes sense.
Bill Tolson:
I've talked to the insurance companies as well and they'll say, "Yeah, the more that companies do to take the next step and secure the information, the lower their rates are going to be," and those rates are not low right now. It's pretty bad.
Bill Tolson:
In your bill, and I've read your previous ones too, did you consider any different or novel security or privacy requirements that the other bills, the other laws, haven't included? I'll give you an example. California's first one, the CCPA, lays out the idea of presumed damages, and they also consider look-back. But presumed damages is, if a system is breached, then the California Attorney General can assume that the data was accessed and will be used in a bad manner. Therefore, the citizens who are affected can actually turn around and sue, assuming there's going to be a damage.
Kevin Thomas:
We have something similar to that that I passed in 2019 called the SHIELD Act, which tells all companies that operate in New York that hold X amount of customer data that if there's a breach they have to let the AG know. If it's over X amount of people's information, then they all get credit reporting services free of charge. There's already a law here in New York for that, through me.
Bill Tolson:
Okay. You include private right of action, correct?
Kevin Thomas:
Mm-hmm (affirmative).
Bill Tolson:
I'll tell you what the other states that I've talked to, not California by the way, but the other ones I've talked to, have all said: that's a no-go for us because we would never get the bill passed if we included that, so they shy away from it. I sort of understand it, but I also like it. Then California also included the idea that they're creating a specific data protection organization or department, versus relying on the AG, which is interesting, but California does some pretty interesting things. I know we're almost at time here, but I noticed in some of your previous bills, and I think it was the 2019 version, you included the concept of data fiduciary.
Kevin Thomas:
We call it something different now. We call it a duty of loyalty and care.
Kevin Thomas:
So here's the thing. The concept dawned on me from other professions. I'm an attorney; I had a fiduciary relationship with my clients when I was practicing. Banks, for example, have a fiduciary relationship with their customers and the money and the transactions. Doctors have a fiduciary duty to their patients. So you have these companies that are holding such personal, private information about you, and they should also operate under this duty of loyalty and care. They should not always be putting profits over people. There needs to be a balance here.
Bill Tolson:
And that's included in your current version of your bill?
Kevin Thomas:
Yes.
Bill Tolson:
Wow. Okay, and I think you're the only state that has approached that topic, correct?
Kevin Thomas:
Yes.
Bill Tolson:
That's really interesting. I like that. Well, I know we're coming up to the top of the hour, senator. I think we can wrap up this edition of the Information Management 360 Podcast. I really want to thank you for a really insightful, and actually enjoyable, discussion today around data privacy and what you, specifically, and what your state, New York, is doing about it.
Bill Tolson:
If anyone has any questions on this topic, any of our listeners, or would like to talk to a subject matter expert, please send an email mentioning this podcast and Senator Thomas to info@archive360.com and we'll get back to you as soon as possible. Also, check back on Archive 360's resources page. These podcasts will be published on iTunes, Spotify, Google and other places, but you can check back on our resources page for regularly updated podcasts. In the very near future, I am going to be speaking with Colorado State Senator Paul Lundeen, the co-author of the Colorado Privacy Act, as a podcast guest.
Bill Tolson:
But Senator Thomas, this was great, and I really think that your bill differs pretty interestingly, and I think pretty nicely, from some of the other ones. I think when you get this bill passed, other states will probably be following much of what you did.
Kevin Thomas:
I'm hoping so, because that's how the big companies operate now. They take the best bill out there and comply with it nationwide.
Bill Tolson:
Yeah. Kind of the high-water mark type of thing. Well, thank you, senator, again. Hopefully we'll talk in the future.
Kevin Thomas:
Thank you so much for inviting me.
Bill Tolson:
Thank you.