Cybersecurity is a concern for the government, businesses, and private citizens alike. As cybersecurity becomes a growing concern, states have rushed to implement legislation dealing with a broad range of cybersecurity issues. In 2017 alone, 42 states introduced over 240 bills or resolutions targeting cybersecurity, and 27 states enacted legislation. This new legislation has focused on improving government security practices, funding cybersecurity programs and initiatives, targeting computer crimes, and restricting public disclosure of sensitive security information.
What would this new legislation mean for New Yorkers? The SHIELD Act is aimed at updating our current data security laws to adapt to changes in technology and better protect New Yorkers. The following outlines what will change if the SHIELD Act is passed:
Under Current Law:
- “Breach notification requirements” require persons or businesses that conduct business in New York to notify consumers when certain types of data breaches occur that may affect their personal information.
- Companies are not obligated to meet any data security requirements if the identifying information in their possession does not include a social security number.
- The trigger for reporting a breach to the Attorney General is “acquisition” of private information, i.e. data theft.
The New Law:
- Expands the companies covered by breach notification requirements from solely businesses conducting business in New York to anyone holding private information of New Yorkers.
- Expands the data breach notification obligations beyond social security numbers to new data elements, including username-password combinations, biometric data (such as the fingerprint used to unlock an iPhone), and HIPAA-covered health data.
- Adds a new trigger for reporting a breach to the Attorney General: “access to” private information, rather than just “acquisition” of private information.
- Requires covered businesses to implement “reasonable” administrative, technical, and physical safeguards to protect sensitive data, with a more flexible standard for small businesses “appropriate to their size and complexity”.
- Creates incentives to meet high standards of security by providing a safe harbor for companies that go above and beyond the minimum security measures.
- Creates a violation under General Business Law § 349 for inadequate security and allows the Attorney General to bring a lawsuit for civil penalties for the same.
This bill recognizes that private citizens are not always able to protect their own private information through their own choices, and instead puts the onus on companies to protect consumers. The bill now sits in committee. If passed, it will heighten data security requirements for businesses and, hopefully, better protect New Yorkers from data breaches without unduly burdening small businesses.