In the wake of the Equifax data breach, New York Attorney General Eric T. Schneiderman introduced a new measure to “close major gaps” in the state’s “weak and outdated” data security laws.
The credit reporting company disclosed in September that up to 143 million Americans had their personal information—including names, Social Security numbers, birth dates, addresses and driver’s license numbers—revealed when hackers gained unauthorized access between May and July 2017.
Seeking to avoid another major data breach, Schneiderman recently announced the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). The measure would impose a legal responsibility for businesses to adopt “reasonable” administrative, technical and physical safeguards for sensitive data, applicable to any company that holds sensitive data of New York residents (whether or not it conducts business in the state).
Small businesses—defined as those with fewer than 50 employees and under $3 million in gross revenue or less than $5 million in assets—would face a standard of reasonable safeguards “appropriate to” the company’s “size and complexity.”
The SHIELD Act would expand the types of data that trigger reporting requirements in the event of a breach (adding username and password combinations and biometric data, for example), and expand the requirement of reporting a breach to encompass incidents when hackers gain “access to” private information, on top of the current “acquisition” standard.
Importantly for businesses, the proposal carves out space for “compliant regulated entities,” or those already regulated by—and compliant with—existing or future regulations of any federal or state government entity, such as New York’s Department of Financial Services regulations, the Health Insurance Portability and Accountability Act, or the Gramm-Leach-Bliley Act. These businesses would be deemed compliant with the reasonable security requirement.
In addition, the SHIELD Act would establish a safe harbor for compliant regulated entities that obtain independent certification of their compliance with the applicable government data security regulations. Such “certified compliant entities” would be free from AG enforcement actions under the proposed law.
Violations of the measure would be subject to an action by the AG’s Office with the potential of up to $5,000 per violation or $20 per failed disclosure, up to $250,000.
Why it matters: Cybersecurity problems are not going away, Attorney General Schneiderman noted, citing a record 1,300 data breach notifications received by his office in 2016 alone—a 60 percent increase over the prior year. “It’s clear that New York’s data security laws are weak and outdated,” he said in a press release about the proposed legislation. “The SHIELD Act would help ensure these hacks never happen in the first place.”