New York State Proposes Stricter Data Protection Laws Post Equifax
4.11.2017 securityweek Cyber
New York State Attorney General Eric T. Schneiderman introduced new legislation Thursday, designed to protect New Yorkers from corporate data breaches like the recent Equifax breach that affected more than 145 million Americans, including 8 million New York residents. Its purpose is to increase the security of private information in a business-friendly manner.
Called the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), it was introduced by Schneiderman as a program bill, and is sponsored by Senator David Carlucci and Assemblymember Brian Kavanagh. "It's clear that New York's data security laws are weak and outdated. The SHIELD Act would help ensure these hacks never happen in the first place. It's time for Albany to act, so that no more New Yorkers are needlessly victimized by weak data security measures and criminal hackers who are constantly on the prowl," said Schneiderman.
It is worth noting that Schneiderman's SHIELD Act is not the same as Senator Markey's proposed Cyber Shield Act. A draft (PDF) of Markey's bill coincidentally became available last week. While Markey's proposal is to bake security into IoT devices, Schneiderman's proposal is to bring security to businesses by through reasonable security safeguards with new controls over breach disclosure backed by financial sanctions.
Under current New York law, companies can compile personally identifiable information (PII), but are not required to meet any data security requirements if that PII does not include a social security number -- for example, the current law does not require companies to report data breaches of username-and-password combinations, or biometric data like the fingerprint used to unlock an iPhone. The changes will be achieved through amendments to the existing General Business Law and the State Technology Law.
The SHIELD Act requires businesses to adopt "reasonable" administrative, technical, and physical safeguards for sensitive data. Its scope covers any business that holds New Yorkers' sensitive data rather than simply conducts business within New York. It expands the types of data that trigger reporting requirements, to include username-and-password combinations, biometric data, and HIPAA-covered health data.
Penalties for violation are increased. It allows the attorney general to seek civil penalties and injunctions if businesses do not provide adequate security for PII. This could be $5,000 for each violation, or up to $20 for each instance of failed notification (up to a total of $250,000).
The attempt by Schneiderman is to protect New Yorkers' personal data just as the European General Data Protection Regulation (GDPR) seeks to protect European's personal information. Schneiderman, however, tries to be more business-friendly. Firstly, the penalties are much lower. Secondly, the required breach disclosure timeline is more flexible. "The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement..."
Thirdly, there is an explicit encryption exemption. PII is only classified as PII "when either the personal information or the data element is not encrypted or encrypted with an encryption key that has also been ACCESSED OR acquired."
Fourthly, it provides a safe harbor against attorney general enforcement for companies already compliant with the NYS DFS, Gramm-Leach-Bliley, and HIPAA regulations; and those with independent certification of compliance with ISO and NIST standards. And fifthly, it provides a flexible approach for small businesses provided they "implement and maintain reasonable safeguards that are appropriate to the size and complexity of the small business."
David Zetoony, the leader of Bryan Cave's consumer protection practice, commented, "Providing a safe harbor for companies that go above-and-beyond to certify good data security is innovative, unique, and friendly to business. It rewards businesses that go the extra mile to audit and verify compliance with an industry data security practice, removing the costs and unpredictability of government litigation. It also does not penalize smaller businesses that have good security practices, but cannot afford the significant cost of annual data security audits and certifications. This is the type of thought leadership needed to improve data security legislation across the country."
Despite these exemptions and flexibility, the Shield Act will enforce stronger personal data protection than has so far been required outside of the regulated New York financial institutions. The definition of a data breach is broadened to include an unauthorized person gaining access to information, while the reach of the law has been widened from companies that do business in New York to companies that hold personal information of New Yorkers.
"While the federal government drags their feet we must act to protect New Yorkers. The SHIELD Act will serve as a blueprint for NY and the rest of the nation to follow to keep Americans safe," said co-sponsor Senator David Carlucci.