By Ryan Bilbrey, Managing Director
Since I last wrote about New York’s Cybersecurity rules back in April, news reports of data breaches and major cyber events have shown no signs of slowing down. The City of Baltimore experienced a major ransomware attack from which it is still recovering. Capital One was breached by a hacker who gained access to over 100 million customer accounts and credit card applications. British Airways had a breach that exposed credit card information and logins for 500,000 customers.
In the meantime, New York has taken steps to protect the private data of its residents. The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) was passed by the New York Legislature in July 2019 and was signed into law by Governor Andrew Cuomo on July 25, 2019. The bill, which amends the State’s current data breach notification law, imposes expanded security and data breach notification requirements on companies, in hopes of better protecting New York residents from breaches of their private data.
The SHIELD Act takes effect on March 21, 2020, extending and expanding on New York’s existing law in three main ways:
- It expands the definition of private information.
- It requires any person or business that collects the private information of New York residents to implement reasonable safeguards to protect such data.
- It revises the 2005 law’s data breach notification requirements to cover unauthorized access to information (not just unauthorized acquisition); it also requires individuals and businesses to comply with these breach notification requirements even if they do not actually conduct business in New York.
New York is following the precedents set by Colorado, Massachusetts, and, most recently, California, and in doing so it is changing the game for entities that choose to hold the private data of New Yorkers, significantly expanding the list of who is covered. However, the state may find itself running into enforcement challenges, particularly with the requirement that companies and individuals develop, implement and maintain data security policies and procedures. It is not clear how the state would monitor or review the data security practices of a company based, say, in Arizona and selling goods or services to New York customers. A further question is whether New York even has the authority to try to do so.
The SHIELD Act adds to the already existing complicated and tangled web of state laws. This once again hammers home the point that the Federal Government needs to establish governance over national data security and data breach law so that companies are not required to navigate the myriad laws and regulations around the country.
Although this new law may seem a bit far-reaching, we refer to the words of Alexander Hamilton on this one: “Vigor of government is essential to the security of liberty.”
If your company is affected by New York’s new cybersecurity law (and it’s hard to imagine that it’s not!), remember as always to act deliberately: have a plan, execute that plan, and ask for help if you don’t have the internal expertise to develop security protocols or to respond to a data breach. Don’t take resources away from your core competencies to put them into something you don’t know how to do. Getting the right people involved early on greatly increases your chances of success.
As with the recent New York Department of Financial Services cybersecurity regulation, the SHIELD Act is an issue of awareness more than anything else. Documenting data security policies will, at the very least, make businesses more conscious of cybersecurity precautions and thus will lead to more individual understanding, training and established protocols. The SHIELD Act will not be enough to stop data theft, but it is certainly a step in the right direction.
Want to learn more about BIA’s Data Breach Discovery™ services? Contact us.