Marvel has the Avengers and S.H.I.E.L.D. to protect its universe. The State of New York just has SHIELD. On Wednesday, the New York legislature closed its session by passing the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”). The bill, which has strong support from the New York Attorney General’s Office, is pending review by the governor’s office.
With its passage, New York would join the growing list of states that require reasonable data security protections, while minimizing excessive costs to small businesses and avoiding duplicate obligations under existing federal or state security regulations.
New York’s data breach law, enacted in 2005, is codified under the “New York State Information Security Breach and Notification Act.” The Act states that:
“…State entities, persons, or businesses conducting business in New York who own or license computerized data which includes private information must disclose any breach of the data to any NY residents (State entities must also notify non-residents) whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization.”
The Effect of the New Bill
The SHIELD Act would amend NY’s current data security law in four ways.
First, the Act would extend the law’s reach. Specifically, SHIELD would apply to any person or business that collects private information associated with a New York resident, and it would remove the current requirement that the data collector conduct business within the State of New York for the law to apply.
Second, the Act would expand the types of data that are considered “private information.”
Third, the Act would require individuals and businesses that collect private information to implement reasonable security measures to protect that data and to dispose of it securely.
Lastly, the 2005 law’s data breach disclosure provisions would be revised.
Breaking Down the Effects
What is “Private Information?”
Under New York’s 2005 Breach Notification Act, data is categorized slightly differently than other states have categorized it in recent years.
Under the Breach Notification Act, “personal information” is defined as “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.”
The Act then lists three enumerated categories of data elements which, in combination with personal information, constitute “private information”:
- Social security number
- Driver’s license number or non-driver identification card number, or
- An account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
Under SHIELD, three more categories would be added to the list, bringing it closer to Massachusetts’ information security statute:
- Account numbers, or credit or debit card numbers, where such a number could be used to access an individual’s financial account without any additional identifying information, security code, access code, or password;
- Biometric information, meaning data generated from electronic measurements of an individual’s unique physical characteristics, used to authenticate or ascertain the individual’s identity; and
- User names or email addresses in combination with passwords, or with security questions and answers, that would permit access to an online account.
Note that while SHIELD’s additional data elements expand New York’s data security law, the data security laws of states such as California, Colorado, and North Carolina define “personal information” much more broadly, which raises the question of whether SHIELD is really expanding New York’s current law or merely clarifying it.
For example, California’s data security law also identifies “medical and health insurance information” as personal information that a business must take reasonable steps to secure.
Colorado’s security law includes a government passport number, an employee identification number (EIN), and financial transaction devices as personal information.
North Carolina’s law includes digital signatures, parents’ legal surnames, and any other numbers that can be used to access a person’s financial resources as personal information that data collectors must secure.
What are “Reasonable Security Measures” Required to be Implemented?
Perhaps the most crucial component of SHIELD is its “reasonable security” requirement, and how it applies depends on whether a business already handles data regulated under an industry-specific regime such as:
- HIPAA-protected information
- GLBA-protected information
Businesses already subject to industry-specific regulations such as these are treated as meeting the requirement. All other businesses must implement a data security program that contains reasonable administrative, technical, and physical safeguards.
Amendments to Data Breach Notification Provisions
Currently, New York’s law applies only to instances of unauthorized acquisition. Once SHIELD is enacted, the definition of a “data breach” would be expanded to include instances in which there was unauthorized access to computerized data, not only acquisition of it.
This would significantly lower the threshold for an incident to qualify as a data breach: evidence that an unauthorized party viewed private information, even without proof that it was copied or exfiltrated, could trigger a notification analysis. It is worth mentioning that the deadline for notifying affected individuals remains “in the most expedient time possible and without unreasonable delay.”
The bill is now heading to the Governor for review and consideration.