In November 2017, New York Attorney General Eric T. Schneiderman introduced the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) to the New York State legislature. The bill, sponsored by Senator David Carlucci and Assemblymember Brian Kavanagh, seeks to amend current laws to broaden both the definition of protected information and what constitutes a reportable data security incident. As of November 27, 2017, the bill is under review by the Senate Rules Committee.
Under current cybersecurity breach notification laws in New York, the Attorney General’s office reports that it received nearly 1,300 data breach reports in 2016, a 60 percent increase over the number of breaches reported in the previous year. According to an analysis performed by the Attorney General’s office, much of the information exposed by the reported data breaches consists of New York residents’ Social Security numbers and financial account information.
The SHIELD Act would broaden the types of data that trigger reporting obligations in the event of a breach or unauthorized disclosure, including username and password combinations, biometric data and HIPAA-covered data. The reporting obligations under the SHIELD Act would be triggered by unauthorized “access to” or viewing of private information, rather than the current standard, which triggers New York State law reporting obligations only if there has been actual “acquisition” of certain protected information.
Regardless of whether a particular company conducts business in New York State, the SHIELD Act would require any business that holds sensitive data belonging to a New York resident to adopt “reasonable” measures to safeguard the data. Using a “reasonable” standard means that the SHIELD Act allows the data security standards to be tailored to the size and scope of a business’s operations. For example, there is a particularly flexible standard for small businesses which requires data security standards in proportion to the size and complexity of the business. For other businesses, the SHIELD Act provides specific examples of technical, administrative and physical safeguards that would meet the “reasonable” standard under the SHIELD Act.
Furthermore, there is a safe harbor provision that exempts certain “compliant regulated entities” from enforcement actions by the Attorney General by deeming those entities compliant with the reasonable security standards under the SHIELD Act. “Compliant regulated entities” means those entities that are already regulated by, and compliant with, existing or future regulations by a federal or New York State government entity, such as HIPAA regulations or the New York State Department of Financial Services Cybersecurity Regulation.
The SHIELD Act would deem inadequate data security measures to be a violation of the General Business Law § 349 and would permit the Attorney General to seek civil remedies under General Business Law § 350(d). This would expand the current application of state data security laws.
The SHIELD Act is yet another reminder that businesses should review the data they are holding, how it may need to be protected, and what programs and practices they should have in place to be in the best position to comply with the ever-changing legal landscape of data security and privacy laws.