The New York State Legislature recently passed a bill that aims to protect New York residents, regardless of the location of the business. The law, known as the Stop Hacks and Improve Electronic Data Security (SHIELD) Act is designed to address unauthorized access of data.
The bill expands the definition of “Breach of the security of the system” by adding the wording “access to” data. The original regulation contemplated the acquisition of data. As stated in the past, acquisition of data would exempt an organization from reporting a ransomware event, since ransomware leaves data in place.
The new wording in the law makes any unauthorized access of private information a reportable event. This is specifically denoted in a commentary by one legal authority.
The bill, codified as part of the general business law, states that if you conduct business, and you hold personal information of a New York State resident, you are a covered entity under this bill. This broad territorial reach is similar to that found in both the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA), whereby, it is the residency of the consumer that matters, not the domicile of the business.
The bill is highly reminiscent of the NYS DFS regulation (23 NYCRR Part 500), including all the risk-based requirements of that bill to apply to businesses that conduct business with New York residents.
The SHIELD Act expands the notification requirements, and it also expands the time limits that a person has to seek remedies for damage caused by a breach event. The law also raises the penalties previously defined in the general business law.
One of the most shocking parts of the bill is the deletion of the word “reasonable” when describing the return of system integrity after a breach. Initially, a compromised system was to be restored to reasonable integrity. Now, the assumption of reasonable objectivity is gone. “Reasonable” is one of those legal words that form the cornerstone of jurisprudence, so it is a broad leap to remove it from a law.
The SHIELD Act notification requirements are inclusive of the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and the New York State Department of Financial Services cybersecurity law. You may recall that the NYS DFS regulation was a catalyst for many of the cybersecurity laws that have been enacted across the United States.
One confusing part of the legislation is that, in the section that introduces the legislation (section 3), it is stated that notification of a breach is to be made to the affected individuals, as well as the state attorney general, the department of state, and the state police (as well as consumer reporting agencies). However, in section 4, it replaces notification to the state police with notification to the state office of information technology.
The bill is short, so it is worth a read; however, it is a bit confusing in parts. If you cannot tolerate reading the law, the spirit of this law is as many others, to protect and notify affected people if their private data has been accessed. While this law has not yet been signed by New York Governor Andrew Cuomo, it would be unusual if he passed on this legislation.
Since all of these regulations are beginning to look alike, one would hope that the United States Federal government drafts a comprehensive bill that would unify all of these regulations.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.