New York State’s newest law will change the state's entire approach to data breaches, providing consumers with more transparency while also imposing more stringent penalties on companies for cyber incidents.
The Stop Hacks and Improve Electronic Data Security Act, otherwise known as the SHIELD Act, broadens the definition of a data breach and empowers the Attorney General to bring action over privacy violations. The measure also updates the notification procedures that companies and state entities must follow when there has been a breach of private information.
As states across the country fight to adopt consumer privacy legislation, New York legislators have pushed for some of the strictest bills across the nation. There are only a handful of states that consider personally identifiable information (PII) to include email addresses and passwords. There are even fewer that would require a notification to state regulators when a ransomware attack occurs.
One of the biggest differences? Ransomware notification.
Many states' notification laws define a breach as unauthorized access to and acquisition of data. Since ransomware only accesses and encrypts data, without copying or acquiring it, these attacks did not have to be reported under previous law.
New York now joins an elite group, alongside New Jersey, Connecticut, and North Carolina, that considers acquisition OR access a breach of information!
By altering the language in this new law, New York's legal definition of a breach now closes the ransomware gap.
The SHIELD Act was created and proposed by former Attorney General Eric Schneiderman two years ago, in 2017, after the Equifax data breach that reached over 145 million consumers. Since then, large-scale breaches have become prevalent and, unfortunately, a huge threat. In recent years, this has forced lawmakers to shift regulatory frameworks to fit the new world of hacks and breaches that has become commonplace in this digital age.
In the two years since it was first proposed, the SHIELD Act has gone through a number of revisions, with the current revision surfacing in May. It made its way through the Legislature throughout June, and just this past Friday, Governor Andrew Cuomo signed it into law.
The legislation expands the legal definition of what counts as personally identifiable information to include biometric data and HIPAA-protected health information.
The SHIELD Act also requires the inclusion of "reasonable safeguards" to protect consumer data, while also expanding the current breach notification requirement, mandating that any person or organization affected by a breach be notified. Previously, notifications were only required from companies that do business in New York. Essentially, this means the law crosses state boundaries.
In other words, if a digital-based company with a brick-and-mortar office in Washington collects data from NYS residents, it would be covered by SHIELD and would have to report any exposure of, or access to, PII to NYS authorities.
New York State’s other data security regulation, issued by the NYS Department of Financial Services and geared toward financial institutions, covers banks and financial companies. It also has its own breach notification rules.
In short: New York’s financial companies are covered by the NYSDFS regs; for everyone else, the SHIELD Act will apply.
New York's newest law will broaden the oversight and power of the state Attorney General to handle the kinds of legal conflicts brought on by mass-scale breaches.
However, it won’t allow an individual to sue companies for breaches outright. Instead, it gives legal authority to the AG, allowing for punitive action by a central authority on behalf of a collective.
“Consumers deserve the peace of mind that their private information is secure,” said current Attorney General Letitia James in a statement, lauding the passage of the bill. “That’s why my office has been working hard this session to modernize our outdated laws governing data breaches. This bill is an important step forward providing greater protection for consumer’s private information and holding companies accountable for securing that data.”
Some still question whether or not this law goes far enough.
Many New Yorkers feel that the expansion of data breach definitions should be considered a basic measure, and that simply passing power to the Attorney General just won’t cut it. They fear that handing the power of legal recourse to a public official simply won't hold companies accountable.
Further, there is concern about the clarity of the law as written. Phrases such as “reasonable safeguards” are vague and leave much room to question how to protect your organization properly.
On the whole, many officials have described the legislation as an attempt to adapt to and keep pace with the acceleration of technology, and the many forms of data that come with it.
“Technology is evolving at an ever-increasing pace, and government needs to step up to protect New Yorkers’ privacy and personal data,” said Senate Majority Leader Andrea Stewart-Cousins, in a statement associated with the new legislation. “Consumers deserve the peace of mind of knowing that their personal information isn’t being disseminated without their consent.”
The real effect of the SHIELD Act will be seen in its enforcement, as court decisions and consent agreements will set the precedent for the real meaning of reasonable cybersecurity standards.
The SHIELD Act passed on Friday, July 26th, 2019.
Are you prepared?
The act will become law on Thursday, October 24th; however, section four will take effect 150 days after that.
LACyber is a division of Lincoln Archives providing comprehensive Data Breach Defense Services. Lincoln Archives and LACyber are proud to be a part of Lincoln Family of Companies serving the Western New York Community since 1914.