The New York State Legislature recently passed a bill that aims to protect New York residents regardless of where the business holding their data is located. The law, known as the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, is designed to address unauthorized access to data. The bill expands the definition of "breach of the security of the system" by adding the words "access to" data; the existing law defined a breach only in terms of the acquisition of data.
The SHIELD Act expands the notification requirements and extends the period within which an action may be brought over a breach event. The law also raises the penalties previously set out in the General Business Law.
The bill is highly reminiscent of the NYS DFS cybersecurity regulation (23 NYCRR Part 500), extending risk-based requirements in the same vein to businesses that hold data on New York residents. If enacted, the bill would add New York to the minority of states in which unauthorized "access" to data systems is sufficient to constitute a breach, regardless of whether any private information is actually "acquired" (or "exfiltrated"). This distinction could be especially significant in the ransomware context, where private information may not be stolen but is nonetheless accessed in a way that would now constitute a data breach and may trigger notification obligations. Specifically, the bill:
- widens the definition of "private information" to include biometric data, and a username or email address in combination with a password or security question and answer that would permit access to an online account;
- expands the definition of “data breach” to include unauthorized access to private information on a data system, even if such private information is not stolen;
- extends the breach notification requirement to any person or entity that owns or licenses computerized data that includes private information of New York residents, even if that person or entity does not conduct business in New York;
- updates the notification procedures following a data breach; and
- enacts “reasonable” data security safeguard requirements, including the designation of cybersecurity personnel, sufficient data protection controls, and employee training on cybersecurity practices and procedures.
Failure to comply may result in civil penalties of the greater of $5,000 or $20 per instance of failed notification (up from $10), capped at $250,000 (up from $150,000).
The bill is now pending the signature of Governor Andrew Cuomo.