Aiming to protect New Yorkers from breaches of their personal information, the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) has been introduced into the New York legislature by Attorney General Eric T. Schneiderman. The Act is intended to ensure that affected individuals are notified when such breaches occur.
Sponsored by Senator David Carlucci (D-Clarkstown) and Assembly member Brian Kavanagh (D-Manhattan), the program bill is intended to strengthen protections for New York residents without placing an unnecessary burden on companies.
The introduction of the SHIELD Act comes in the aftermath of the Equifax data breach, which affected more than 8 million New Yorkers. In 2016, more than 1,300 data breaches were reported to the New York Attorney General's office – a 60% increase over the previous year.
The Attorney General explained that New York's data security laws are "weak and outdated" and need to be updated. While federal laws require some organizations to adopt data security controls, New York currently imposes no legal obligation on businesses to safeguard the personal identifying information of New York residents if the data held on those people does not include a Social Security number.
The SHIELD Act will legally oblige all businesses, regardless of where they are based, to adopt reasonable administrative, physical, and technical safeguards if they hold the sensitive private data of New York residents. The requirements will apply even to entities that do not otherwise do business inside the state of New York.
While many states have enacted data breach notification laws that require individuals affected by breaches of information such as username/password combinations and biometric data to be warned of the incident, New York has no such legal requirement. The SHIELD Act will amend that and bring state law into line with many other U.S. states.
Breach notification obligations will be updated to cover breaches of username/password combinations, biometric data, and protected health information as defined under HIPAA. Notification will be required when unauthorized persons are found to have accessed personal information, not only in cases where the data has been stolen.
Attorney General Schneiderman is urging businesses to go above and beyond the requirements of the SHIELD Act and obtain independent certification of their security practices to make sure they exceed the minimum required standards.
A flexible standard is being introduced for small businesses to lessen the regulatory burden. For businesses with fewer than 50 employees, less than $3 million in gross annual revenue, or less than $5 million in year-end total assets, safeguards may be scaled to the size and complexity of the organization.
HIPAA-covered entities and organizations already subject to the Gramm-Leach-Bliley Act or the NYS DFS cybersecurity regulations will be deemed compliant with the data security obligations of the SHIELD Act.
Failure to adhere to the provisions of the SHIELD Act will be deemed a violation of General Business Law (GBL § 349) and will allow the state Attorney General to bring legal proceedings and seek civil penalties under GBL § 350(d).