The Green Sheet

Friday, November 3, 2017

New York bill aims to 'shield' consumer data

New York Attorney General Eric T. Schneiderman unveiled proposed legislation Nov. 2, 2017, designed to address a data breach epidemic that has roiled New York businesses and consumers. Noting weaknesses in existing state guidelines and infrastructure, Schneiderman said the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) would update laws and security practices and certify companies that meet exemplary service levels.

Sponsored by Senator David Carlucci and Assembly member Brian Kavanagh, the measure is receiving bipartisan support from public and private sectors, including the security community, the New York Chapter of AARP and the Partnership for New York City.

David Zetoony, leader of Bryan Cave, a global data security and privacy firm, described SHIELD as an innovative way to encourage companies to go the extra mile because "it does not penalize smaller businesses that have good security practices, but cannot afford the significant cost of annual data security audits and certifications."

Kathryn S. Wylde, President and Chief Executive Officer of the Partnership for New York City, said data security is equally important for consumers and businesses, noting "both are victims when there is a cyberattack."

Beth Finkel, New York State Director of AARP, added, "Identity theft is no longer a vague worry that might impact someone we know; the Equifax scandal has made it a threat to each of us."

New requirements, certifications

If passed, SHIELD supporters said, the bill would not be a one-size-fits-all approach to security. It would instead adjust requirements to each business, according to its size and number of employees, as well as offer additional protections and incentives to SHIELD-certified companies.

The bill proposes the following enhancements to existing state law:

  • Require companies that collect consumer data to meet basic security requirements and report any data security breaches involving sensitive data and personally identifying information.

  • Expand the types of data included in SHIELD's reporting requirements to include username-password combinations, biometric data, and HIPAA-covered health data.

  • Establish a minimum required standard for technical, administrative and physical safeguards. It would reduce the standard for small businesses with fewer than 50 employees, with gross receipts of under $3 million or with assets below $5 million, and require these entities to meet reasonable safeguards, appropriate to their business size and complexity.

  • Incentivize companies to go beyond the minimum required standard by becoming certified by the State of New York to confirm their data security measures meet the highest standards, which would make them eligible for further safe harbor protections.

  • Designate "compliant regulated entities" by identifying companies that meet the existing or future minimum required standard and comply with New York State, federal and HIPAA regulations, deeming them compliant with the law's reasonable security requirement.

  • Create punitive measures for inadequate security measures, permitting the attorney general to bring suit and seek civil penalties.

  • Broaden requirements for data breach reporting to include unauthorized access of private information of any specified data type, including username-password combination, biometric data, and HIPAA-covered health data. These notifications would apply to any individual or organization holding private information of New Yorkers, regardless of whether they currently conduct business in New York State.

Escalating threats

Schneiderman said the Office of the Attorney General of the State of New York received 1,300 data breach notifications in 2016, reflecting a 60 percent increase over 2015. The program bill addresses escalating threats, which were thrown into sharp relief by the recent data breach of credit reporting bureau Equifax Inc. A forensic study by Mandiant found the Equifax breach affected more than 145 million U.S. consumers. Schneiderman estimates more than 8 million Equifax victims are New Yorkers.

"It's clear that New York's data security laws are weak and outdated," Schneiderman stated. "The SHIELD Act would help ensure these hacks never happen in the first place. It's time for Albany to act so that no more New Yorkers are needlessly victimized by weak data security measures and criminal hackers who are constantly on the prowl."

Carlucci added, "Recent data breaches have put New Yorkers at risk. We are woefully unprepared to protect against cyberattacks, putting America's economy in peril. While the federal government drags their feet, we must act to protect New Yorkers. The SHIELD Act will serve as a blueprint for New York and the rest of the nation to follow to keep Americans safe."

Brian Kavanagh, who serves as Assembly Consumer Affairs and Protection Committee Chair, said, "In this technological age, we cannot allow companies to be careless with our personal information. I look forward to working with Senator Carlucci and our colleagues in the legislature to enact this bill into law."

The SHIELD bill is open for public commentary. Questions and comments can be posted at ag.ny.gov/questions-comments-attorney-general-eric-t-schneiderman.


Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
