New York State introduces the SHIELD data protection legislation

An increase in data breaches has prompted New York State Attorney General Eric T. Schneiderman to introduce new legislation aiming to protect New Yorkers’ personal data. The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) was introduced in the legislature this week. SHIELD addresses major gaps in New York’s cybersecurity regulations, hopefully without putting undue burden on businesses that might not have the resources for robust cybersecurity measures.

Sponsored by Senator David Carlucci and Assembly member Brian Kavanagh, SHIELD will impose fines of up to $5,000 per violation or $20 per instance of failed notification, not to exceed $250,000.

In New York State, there was a 60% increase in reported data breaches from 2015–16, and a record number of nearly 1,300 reported cyber crime incidents in 2016. The breaches involved the personal records of 1.6 million New Yorkers in 2016, mostly Social Security numbers and financial account information.

Schneiderman said: “It’s clear that New York’s data security laws are weak and outdated. The SHIELD Act would help ensure these hacks never happen in the first place. It’s time for Albany to act, so that no more New Yorkers are needlessly victimized by weak data security measures and criminal hackers who are constantly on the prowl.”

A brief history of NYS cybersecurity practices

In 2005, New York State began recording data breach information after introducing section 899-aa to the New York State Business Law, which requires businesses to report all cyber crimes involving private consumer data to the Office of the Attorney General.

Currently, companies are not required to meet any cybersecurity requirements for personal information unless that data includes a Social Security number. The existing law also does not require organizations to report data breaches involving usernames and passwords or other authentication credentials. Because of this, organizations are able to compile large amounts of sensitive data without being held accountable.

Since the Equifax data breach – which affected 145.5 million US citizens – states across the nation have been forced to consider how they can protect their residents from major data breaches. In NYS, extra measures are being taken to protect private information, such as requiring organizations to take greater accountability for the data they carry.

SHIELD updates the existing law and addresses existing technologies, products, and practices that are used in data management, e.g. collection and storage.

It requires organizations that maintain and process the data of New Yorkers, whether or not they conduct business in New York, to put in place administrative, technical, and physical information security measures. The standards are practical, and correspond to how sensitive the data is, and the size and complexity of the business.

Smaller organizations will not be penalized or punished as harshly if they keep good information security management practices, especially if the costs of annual data security audits and certifications are unaffordable. SHIELD will also be more flexible for companies with no more than 50 employees and less than $3 million in gross revenue, or with less than $5 million in assets.

SHIELD will also:

Define “compliant regulated entities” – any organization that adheres to existing or future laws of any federal or NYS government entity, e.g. the NYS DFS cybersecurity regulation, Gramm–Leach–Bliley, and HIPAA, will be covered by this law. Certified compliant entities, which hold independent certification of compliance with the aforementioned laws or with ISO/NIST standards, receive safe harbor from AG enforcement actions under SHIELD.

Call for punitive action wherever there is inadequate cybersecurity – SHIELD brings applicable organizations under New York State General Business Law section 349. The attorney general may bring suit and seek civil penalties under section 350(d).

Update terms to existing laws – the breach notification legislation will now include new stipulations:

  • “Access to” (e.g. viewing of) private info (in addition to the current trigger for “acquisition”) will now require notification to the attorney general
  • Businesses will also need to notify the attorney general if “additional data types, including username-and-password combination, biometric data, and HIPAA-covered health data” are accessed or otherwise breached

Furthermore, any person or entity holding the private info of New Yorkers will now be held accountable. Previously, the law only applied to organizations that “conduct business” in New York State.

Are you a business that is impacted by NYS cybersecurity law?

The Cybersecurity Requirements for Financial Services Companies issued by New York State’s Department of Financial Services (NYDFS) were released on March 1, 2017. All financial services companies that fall under the NYDFS Requirements must implement security policies and strategies to protect themselves against cyberattacks.

On August 28, New York State required that businesses and organizations covered under the Cybersecurity Requirements become compliant. SHIELD will make New York State businesses more secure with residents’ data. If you are a business that maintains private information, you must meet the deadlines of the NYDFS Requirements.

Implementing the international standard ISO 27001 is one way to achieve this. Download this report to learn how this globally recognized standard can help to mitigate risk and manage cybersecurity threats.