Ready for the New York SHIELD Act?New Law Expands Consumer Protections and Give AG Additional Oversight
While California's Consumer Privacy Act has gotten the lion's share of headlines over the past several months when it comes to state privacy laws, enterprises should also pay close attention to New York's Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which is bound to have far-reaching implications for CISOs from Wall Street to Upstate.
The law, signed by New York Democratic Gov. Andrew Cuomo on July 25, will go into full effect on March 21, 2020. The bill updates the state's current cybersecurity laws when it comes to breaches and notifications to residents. In addition, the bill provides more protections for consumers who have had their personal data compromised.
The SHIELD Act also gives the New York Attorney General's Office greater oversight when it comes to data breaches that affect the state's residents and how victims are notified. "This bill is an important step forward providing greater protection for consumer's private information and holding companies accountable for securing that data," Attorney General Letitia James noted when the bill passed in July.
For financial institutions and other Wall Street firms, that's an important difference from other state-level privacy laws since the New York Attorney General's Office already has broad powers to investigate banks and other firms headquartered in the state.
In July, for instance, James' office announced its own investigation into the data breach at Capital One, even through the FBI and U.S. Justice Department were already investigating and arrested a suspect in the case. Although the incident happened before the SHIELD Act went into effect, it shows how far reaching New York's Attorney General's Office can push a criminal cybersecurity investigation (see: NY Attorney General Investigates Capital One; Lawsuits Loom).
Besides Capital One, the New York AG's office also played a lead role in the Equifax settlement announced in July.
These types of investigations are important to note, as the SHIELD Act will now allow the Attorney General's office to issue fines of up to $250,000 for each incident - an increase from the $150,000 penalty allowed under older laws. An analysis by PwC finds that New York's AG has already issued over $600 million in fines related to breach and other cyber incidents as of August of this year.
That's a number that will likely to go up once the SHIELD Act goes into full effect in March.
Updating NY Privacy Laws
In addition to expanding the enforcement capabilities of the Attorney General's office, the SHIELD Act expands what is meant by "private information" under New York law. If this type of data is exposed during a breach, it can trigger a breach notification from the company or state law enforcement to customers.
In addition to covering data such as Social Security numbers, the law now includes a driver's license number, credit or debit card number, financial account number - with or without security code – and username or e-mail address with a password that permits access to an online account as part of that expanded definition of private information.
The SHIELD Act also makes biometric data, which can include fingerprint, voice print, retina or iris image, as part of the private information definition.
Besides an expanded definition of what private information means, the SHIELD Act also includes a broader meaning of what a data breach entails to include unauthorized "access" to private information, according to a summary from the New York Attorney General's Office This differs from current law, which uses the term "acquired" to define a breach.
This change means that under the SHIELD Act, an attacker only needs to access private personal data, not necessarily remove or steal it, for the incident to be considered a breach.
Finally, the SHIELD Act expands the notification process to not only include businesses operating in New York State, but also organizations and companies located elsewhere, but that hold this type of private personal data on New York residents.
These new definitions and requirements will likely mean that many different companies working in New York State will rethink some of their security procedures and what private data they may have collected, says Chris Pierson, CEO of the cybersecurity company BlackCloak.
Some organizations, such as the larger financial institutions and healthcare companies, are likely prepared since these organizations are already following federal statutes such as Gramm-Leach-Bliley Act (GLBA) or Health Insurance Portability and Accountability Act (HIPAA), Pierson says.
"The NY SHIELD Act may cause some previously uncovered companies to need to examine the state law, perform a gap assessment, and implement additional controls to their existing programs or build a new program to cover employee data," Pierson tells Information Security Media Group. "However, most organizations that deal with personally identifiable information will already be compliant with this act as its requirements are very basic."
SHIELD and CCPA
While it might be easy to compare the SHIELD Act to CCPA, the New York law actually focuses more on data security, while the California bill is more concerned with consumer privacy, which is a distinction that businesses and security professionals should know, says Ronald Raether of the law firm Troutman Sanders.
"The SHIELD Act is focused on data security - it amends NY’s data breach notification law while also imposing new data security requirements on covered businesses," Raether tells ISMG. "The CCPA, in contrast, focuses more so on data privacy and requires covered businesses to be more transparent in their data collection and sharing practices. It also gives consumers certain rights over their personal information."
Raether adds that New York is now one of only a few states to define what it means for companies to have "reasonable security measures", which can then help CISOs better define what measures they need to take to ensure compliance.
"SHIELD lists out various administrative, technical, and physical controls which, if implemented, may be sufficient to demonstrate that the business implemented and maintained 'reasonable safeguards to protect the security, confidentiality and integrity' of personal information," Raether says.
Change of a Federal Law?
The New York SHIELD Act, along with CCPA in California, as well as a number of other state laws designed to increase consumer privacy and hold companies more accountable, have many wondering if Congress will impose a federal law that will supersede this patchwork of local laws.
Currently, the House Energy & Commerce Committee is circulating a preliminary draft of a bipartisan consumer privacy bill and is seeking comments from the public and privacy experts. Attorneys and security professionals told ISMG that this proposed bill is not likely to become a law anytime soon due to different priorities from Democrats and Republicans in Congress (see: Will the US Get a Federal Privacy Law?).
What is clear is that the states are not waiting for federal lawmakers to come up with an overarching solution, Pierson notes.
"The SHIELD Act and the various state cybersecurity and privacy laws - not breach notice laws - that are being implemented continue to illustrate that the states are not waiting for the federal government to take action on omnibus cybersecurity requirements and will implement their own protective requirements, even if basic," Pierson says.