The New York State Legislature last month passed The Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which is intended to strengthen the state's data security laws by more explicitly defining when and how businesses must notify the public and attorney general of a data breach incident.
The proposed legislation, introduced by State Senator Kevin Thomas (D) and Assemblymember Michael DenDekker (D), now sits on the desk of Governor Andrew Cuomo, awaiting his signature.
Under current law, businesses must disclose a breach only when it is reasonably believed that an unauthorized person acquires certain personal and private information. But SHIELD would lower the threshold so that the reasonable belief that someone merely accessed the information is enough to require a notification.
"This distinction could be especially significant in the ransomware context in which private information may not be stolen, but nonetheless may be accessed in a way that would now constitute a data breach and may trigger notification obligations," explained Joseph Moreno, a partner in Cadwalader, Wickersham & Taft LLP's White Collar Defense and Investigations Group, in an analysis posted by Mondaq.
Moreover, the new law would vastly expand the pool of companies that must follow these notification regulations. Current law applies only to parties conducting business in New York, but under SHIELD, any entity that deals in private info of New York residents must comply.
SHIELD also would add biometric information, as well as email addresses in combination with corresponding passwords or knowledge-based answers, to the list of private data that would require notification, if accessed alongside users' personal information.
The legislation, which was passed on June 17, also states that "any person of business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information..."
Examples of technical safeguards include solutions that allow individuals or organizations to assess risk in network design, software and data management, and detect, prevent and respond to attacks. Examples of physical safeguards include secure processes for information storage and disposal; intrusion detection, prevention and response; and data disposal.
SHIELD also specifies that small businesses will be held to data security standards that are reasonable based on their size and complexity, the nature of their activities, and the sensitivity of the data they collect.
"Consumers deserve the peace of mind that their private information is secure," said Attorney General Letitia James in a recent press release. "This bill is an important step forward providing greater protection for consumer's private information and holding companies accountable for securing that data."
"It is critical that our laws keep pace with the rapidly changing world of technology," said State Sen. Thomas in the same release. "I am proud to announce the passage of the SHIELD Act... as it will allow for increased accountability and diligence in regards to consumer privacy. Now more than ever, it is important that businesses protect the private information of the consumers they serve."
"This bill will ensure that businesses across the state dutifully guard consumer data and will enable the Attorney General's Office to take the appropriate measures quickly and effectively in case of a breach," added Assemblymember DenDekker in the release. "With the passing of the SHIELD Act, consumers’ private information will be more secure than ever."