New York Attorney General Eric T. Schneiderman has introduced the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which aims to protect New Yorkers from unnecessary breaches of their personal information and to ensure they are alerted when breaches do happen.
The program bill, sponsored by Senator David Carlucci (D-Clarkstown) and Assembly Member Brian Kavanagh (D-Manhattan), aims to bolster protections for New York residents without placing a heavier burden on businesses.
The introduction of the SHIELD Act comes shortly after the announcement of the Equifax data breach, which affected more than eight million New Yorkers. In 2016, more than 1,300 data breaches were reported to the New York attorney general’s office, a 60% increase over 2015.
Attorney General Schneiderman commented that New York’s data security laws are “weak and outdated” and require urgent modernization. While federal laws require some organizations to establish data security protocols, New York currently has no requirement for businesses to put safeguards in place for the personal identifying data of New York residents unless that data includes a Social Security number.
The SHIELD Act will obligate all businesses, regardless of where they are located, to adopt reasonable administrative, physical, and technical safeguards if they hold the sensitive data of New York residents. The law will also apply to entities that do not conduct business in New York but hold data on its residents.
While many states have data breach notification laws that require individuals to be alerted when information such as username/password combinations and biometric data is breached, New York has no such mandate. The SHIELD Act would change that and bring state law in line with that of many other U.S. states.
Breach notification requirements will be expanded to cover breaches of username/password combinations, biometric data, and protected health information as defined under HIPAA. Notifications will be required when unauthorized individuals are found to have accessed personal information, not only in cases of data theft.
Attorney General Schneiderman is encouraging businesses to go beyond the requirements of the SHIELD Act and obtain independent certification of their security measures to demonstrate that they exceed the minimum obligations.
A flexible standard is being introduced for small businesses to ease the regulatory burden. Safeguards may be scaled to the organization’s size for businesses with fewer than 50 employees, gross revenue below $3 million, or less than $5 million in assets.
HIPAA-covered entities and organizations already compliant with the Gramm-Leach-Bliley Act or NYS DFS regulations will be deemed to be in compliance with the data security requirements of the SHIELD Act.
Failure to comply with the provisions of the SHIELD Act will be deemed a violation of General Business Law (GBL § 349), allowing the state attorney general to bring suit and seek civil penalties under GBL § 350(d).