In Wake of Equifax Hack, New Legislation Would Make NY A Leader In Data Security – Requiring Robust Protections For New Yorkers’ Personal Info; 2016 Alone Saw A 60% Increase In Data Breaches Impacting New ...
New York, NY - November 2, 2017 - Attorney General Eric T. Schneiderman introduced new legislation today to comprehensively protect New Yorkers’ personal information from a growing number of data breaches. In the wake of the Equifax breach, the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) - introduced in the legislature this week - would close major gaps in New York’s data security laws, without putting an undue burden on businesses.
“It’s clear that New York’s data security laws are weak and outdated. The SHIELD Act would help ensure these hacks never happen in the first place. It’s time for Albany to act, so that no more New Yorkers are needlessly victimized by weak data security measures and criminal hackers who are constantly on the prowl,” said Attorney General Schneiderman.
The SHIELD Act was introduced this week by Attorney General Schneiderman as a program bill and is sponsored by Senator David Carlucci and Assemblymember Brian Kavanagh.
Under current law, companies can compile troves of sensitive data about individual New Yorkers – but they are not obligated to meet any data security requirements if the personally identifying information in their possession does not include a social security number. In fact, current law does not even require companies to report data breaches of username-and-password combinations, or biometric data like the fingerprint used to unlock an iPhone.
Under Attorney General Schneiderman’s SHIELD Act, companies would have a legal responsibility to adopt “reasonable” administrative, technical, and physical safeguards for sensitive data; the standards would apply to any business that holds sensitive data of New Yorkers, whether they do business in New York or not. The standards are sensible, and commensurate with the sensitivity of the data retained and the size and complexity of the business.
The SHIELD Act also expands the types of data that trigger reporting requirements, to include username-and-password combinations, biometric data, and HIPAA-covered health data. The bill also provides companies with a strong incentive to go beyond the bare minimum, and obtain independent certification that their data security measures meet the highest standards; companies that do so would receive safe harbor from state enforcement action.
“Recent data breaches have put New Yorkers at risk. We are woefully unprepared to protect against cyber attacks, putting America's economy in peril. While the federal government drags its feet, we must act to protect New Yorkers. The SHIELD Act will serve as a blueprint for NY and the rest of the nation to follow to keep Americans safe,” said Senator David Carlucci.
“Major deficiencies in the data security practices of big businesses have led to massive breaches, putting millions of New Yorkers at risk,” said Assemblymember Brian Kavanagh, who chairs the Assembly Consumer Affairs and Protection Committee. “I am proud to work with Attorney General Schneiderman on this important legislation to require businesses to take appropriate steps to safeguard our data. In this technological age, we cannot allow companies to be careless with our personal information. I look forward to working with Senator Carlucci and our colleagues in the legislature to enact this bill into law.”
“Data security is important for consumers and businesses alike. Both are victims when there is a cyberattack. We look forward to working with the Attorney General on this proposed legislation,” said Kathryn S. Wylde, President and CEO of the Partnership for New York City.
AARP New York State Director Beth Finkel said, “Identity theft is no longer a vague worry that might impact someone we know; the Equifax scandal has made it a threat to each of us. AARP applauds Attorney General Schneiderman for taking a proactive step to protect our personal information from would-be thieves who could literally ruin our lives. We appreciate the support of Senator Carlucci and Assemblyman Kavanagh, and we urge everyone to take advantage of AARP’s Fraud Watch Network for practical information and tips on how to protect yourself.”
David Zetoony, leader of Bryan Cave's global data privacy and security practice, said, “Providing a safe harbor for companies that go above-and-beyond to certify good data security is innovative, unique, and friendly to business. It rewards businesses that go the extra mile to audit and verify compliance with an industry data security practice, removing the costs and unpredictability of government litigation. It also does not penalize smaller businesses that have good security practices, but cannot afford the significant cost of annual data security audits and certifications. This is the type of thought leadership needed to improve data security legislation across the country.”
The SHIELD Act:

- Requires reasonable security for private information, using standards tailored to the size of the business, while avoiding duplicate regulations and providing incentive to businesses that certify security compliance. Specifically, the bill:
  - Carves out “compliant regulated entities,” defined as those already regulated by, and compliant with, existing or future regulations of any federal or NYS government entity (including NYS DFS regulations, regulations under Gramm-Leach-Bliley, and HIPAA regulations), by deeming them compliant with this law’s reasonable security requirement. The bill provides that “certified compliant entities,” defined as those with independent certification of compliance with the aforementioned government data security regulations or with ISO/NIST standards, receive safe harbor from AG enforcement actions under this law.
  - Provides a more flexible standard for small businesses (fewer than 50 employees and under $3 million in gross revenue, or less than $5 million in assets), requiring reasonable safeguards “appropriate to the [small business’s] size and complexity.”
  - For all other businesses, requires “reasonable safeguards” and provides clear examples of safeguards (e.g., technical, administrative, and physical measures).
  - Deems inadequate security a violation of GBL § 349 and permits the Attorney General to bring suit and seek civil penalties under GBL § 350(d).
- Broadens the requirements for reporting a breach to the Attorney General by adding as triggers of required notice:
  - “Access to” (e.g., viewing of) private information, in addition to the current trigger of “acquisition.”
  - Breaches of additional data types, including username-and-password combinations, biometric data, and HIPAA-covered health data.
- Applies the notice requirement to anyone holding private information of New Yorkers, replacing the current requirement that they “conduct business” in New York State.