A MoFo Privacy Minute Q&A: New York’s Court Officers Get Privacy Rights Under New Judicial Security Act

This is “A MoFo Privacy Minute,” where we will answer the questions our clients are asking us in sixty seconds or less.

Question: The New York Judicial Security Act just came into effect in July 2024. What are my business’ compliance requirements?

Answer: New York recently became the latest state to pass a law seeking to protect the privacy of members of the judiciary and their families—named the New York Judicial Security Act (“JSA”). Several such laws have been passed and proposed in other states and at the national level in response to increased threats and acts of violence against public officials, including the 2020 murder of Daniel Anderl, son of New Jersey District Judge Esther Salas. New York’s law was passed this year amid a wave of online criticism of New York judges that was sparked by former President Donald Trump’s trials in Manhattan. The law went into effect on July 19 of this year.

The law gives the right to judges and former judges to request public and private organizations to remove their personal information and the personal information of their family members from public channels. Organizations have 72 hours to comply with requests.

Under the JSA, current and former employers serve as the conduit for privacy requests. Judges and former judges do not have the right to make requests directly to the organizations which are being asked to take down the personal information, but rather must submit their requests to a current or former employer, who then must notify the targeted organizations within five business days. For purposes of the JSA, “employers” and “former employers” are any public or private entities that currently employ or previously employed individuals who are current or former judges. Accordingly, organizations across the public and private sectors should be aware of their potential obligations under the JSA.

Here are the JSA’s key provisions:

• Protected Individuals: The JSA protects current or former New York and federal judges and their immediate family members. This is in contrast to laws such as New Jersey’s Daniel’s Law, which in addition to judges covers groups such as law enforcement officials and prosecutors, and members of their households.
• Protected Information: The personal information that a judge or former judge can request to be made private are their home address(es), personal phone numbers and email addresses, social security number, driver’s license number, license plate number, marital status, spouse and child identity, name and address of family members’ schools or day care facilities, bank account number(s), credit or debit card number(s), and personal identification number (PIN).
• Process to Exercise Rights:
• A judge or former judge may make a written request to their employer or former employer specifying the information to be taken down and the person, business, association, or public or private agency to which they are directing the ultimate request.
• The current or former employer must notify the target entities of the request within five business days of the judge’s request.
• Entities to which the requests are targeted must, within 72 hours, comply by:
• (A) deleting, redacting, or otherwise removing any existing posting on the internet and any display or publication in any medium accessible to the public containing the personal information and ceasing sharing, trading, or transferring the personal information, and
• (B) making reasonable efforts to ensure that the personal information is not made available on any website or subsidiary website controlled by the entity.
• Private Right of Action: The JSA allows a judge or former judge to seek an injunction or declaratory relief against their employer or former employer for failing to timely comply with their notification obligations upon receiving a written request for take-down of personal information under this law.
• Exceptions:
• Excepted Practices: The New York Judicial Security Act does not apply to:
• (A) display of the personal information of an eligible individual if such information is relevant to and displayed as part of a news story, commentary, editorial, or other speech on a matter of public concern;
• (B) personal information that the eligible individual voluntarily publishes after the effective date of this law;
• (C) personal information received from a public agency or from an agency of the federal government; and
• (D) permissible uses of personal information pursuant to the Driver’s Privacy Protection Act (18 U.S.C. § 2721 et seq.), with some exceptions.
• Excepted Entities: Entities that engage in the following activities are excluded from complying with requests under the JSA:
• (i) reporting, news gathering, speaking, or other activity intended to inform the public on matters of public interest or public concern;
• (ii) using personal information internally, providing access to businesses under common ownership or affiliated by corporate control, or selling or providing data for transaction or service requested by or concerning the individual whose personal information is being transferred;
• (iii) providing publicly available information via real-time or near real-time alert services for health or safety purposes;
• (iv) any activity where the commercial entity is a consumer reporting agency subject to the Fair Credit Reporting Act (15 U.S.C. 1681, et seq.);
• (v) any activity where the commercial entity is a financial institution subject to the Gramm-Leach-Bliley Act (Public Law 106-102) and regulations implementing that Act;
• (vi) providing 411 directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier;
• (vii) any activity where the commercial entity is subject to the privacy regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320-d note); and
• (viii) the collection and sale or licensing of personal information incidental to conducting the activities described in these exceptions.