Published on July 11th, 2019
NY's New Privacy Bill Aims to Expand Data Breach Law
Marvel has the Avengers and S.H.I.E.L.D. to protect its universe. The State of New York just has SHIELD. On Wednesday, the New York legislature closed its session by passing the Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act"). The bill, which has strong support from the New York Attorney General's Office, is pending review by the governor's office.
With its passage, New York would join the growing list of states that require reasonable data security protections, while minimizing excessive costs to small businesses and without imposing duplicate obligations on entities already regulated under federal or state security rules.
New York's data breach law, enacted in 2005, is codified as the "New York State Information Security Breach and Notification Act." The Act states that:
"…State entities, persons, or businesses conducting business in New York who own or license computerized data which includes private information must disclose any breach of the data to any NY residents (State entities must also notify non-residents) whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization."
The Effect of the New Bill
The SHIELD Act would amend NY's current data security law in four ways.
First, the Act would extend the class of covered entities. Specifically, SHIELD would reach any person or business that owns or licenses private information of a New York resident, wherever that person or business is located. Consequently, it would remove the current requirement that the data holder conduct business within the State of New York for the law to apply.
Second, the Act would expand the types of data that are considered "private information."
Third, the Act would impose a new requirement on individuals and businesses that hold private information to implement reasonable security measures to protect that data and to dispose of it securely.
Lastly, the 2005 data breach law's breach notification provisions would be revised.
Breaking Down the Effects
What is âPrivate Information?â
Under New York's 2005 Breach Notification Act, data is categorized somewhat differently than other states have described it in recent years.
Under the Breach Notification Act, "personal information" is defined as "any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person."
"Private information," the category the breach notification duty attaches to, is personal information in combination with one or more of three (3) enumerated data elements:
- Social security number
- Driver's license number or non-driver identification card number, and/or
- An account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
Under SHIELD, three more data elements would be added to the list, bringing it closer to Massachusetts' information security statute:
- An account number, or credit or debit card number, if circumstances exist wherein such number could be used to access an individual's financial account without any additional identifying information, security code, access code, or password;
- Biometric information, meaning data generated from electronic measurements of an individual's unique physical characteristics that is used to authenticate or ascertain the individual's identity; and
- A user name or email address in combination with a password, or a security question and answer, that would permit access to an online account.
It is important to note that while SHIELD's additional data elements expand New York's data security law, the laws of states like California, Colorado, and North Carolina define "personal information" much more broadly, raising the question of whether SHIELD really expands New York's current law or merely brings it up to date.
For example, California's information security act identifies "medical information" and "health insurance information" as personal information that a business must take reasonable steps to secure.
Colorado's security law includes a passport number, an employer identification number, and financial transaction device data as personal information.
North Carolina's law includes digital signatures, a parent's legal surname prior to marriage, and any other number that can be used to access a person's financial resources as personal information that data holders must secure.
What "Reasonable Security Measures" Must Be Implemented?
Perhaps the most consequential component of SHIELD is the new affirmative duty to protect private information. Whether a business is already treated as compliant depends on the type of protected information involved and the regulatory regime that already governs it:
- HIPAA-protected information
- GLBA-protected information
Businesses already subject to, and in compliance with, industry-specific regulations such as these are deemed compliant with SHIELD's security requirement. All others must implement a data security program that contains reasonable administrative, technical, and physical safeguards. The bill does not prescribe a particular technology or standard, so a practitioner should document the program (risk assessment, controls chosen, training, vendor oversight, and secure disposal) so that its reasonableness can be demonstrated after an incident.
Amendments to Data Breach Notification Provisions
Currently, New York's law applies only to instances of unauthorized acquisition of private information. Once SHIELD is enacted, the definition of a "data breach" would be expanded to also include instances of unauthorized access to computerized data containing private information.
The effect of this change is to significantly lower the threshold for an incident to qualify as a "data breach": an intruder who viewed records but cannot be shown to have copied them may still trigger notification, which makes access logging, not just exfiltration detection, relevant to the legal analysis. It is worth mentioning that the deadline for notifying affected individuals remains "in the most expedient time possible and without unreasonable delay."
The bill is now heading to the Governor for review and consideration.