Published on July 11th, 2019
NY's New Privacy Bill Aims to Expand Data Breach Law
Marvel has the Avengers and S.H.I.E.L.D. to protect its universe. The State of New York just has SHIELD. On Wednesday, the New York legislature closed its session by passing the Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act"). The bill, which has strong support from the New York Attorney General's Office, is pending review by the governor's office.
With its passage, New York would join the growing list of states that require reasonable data security protections while minimizing excessive costs to small businesses and without imposing duplicate obligations under federal or state security regulations.
New York's data breach law, enacted in 2005, is codified under the "New York State Information Security Breach and Notification Act." The Act states that:
"...State entities, persons, or businesses conducting business in New York who own or license computerized data which includes private information must disclose any breach of the data to any NY residents (State entities must also notify non-residents) whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization."
The Effect of the New Bill
The SHIELD Act would amend NY's current data security law in five ways.
First, the Act would extend the class of protected individuals. Specifically, SHIELD would apply to any person or business that collects private information associated with a New York resident. Consequently, it would also remove the current requirement that the data collector conduct business within the State of New York for the law to apply.
Second, the Act would expand the types of data that are considered "private information."
Third, the Act would impose new requirements on individuals and businesses collecting private information to implement reasonable security measures to protect and/or dispose of that data.
Lastly, the 2005 data breach law would be revised with respect to its data breach disclosure provisions.
Breaking Down the Effects
What is "Private Information?"
Under New York's 2005 Breach Notification Act, data was categorized slightly differently than other states have described it in recent years.
Under the Breach Notification Act, "personal information" is defined as "any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person."
The Act goes on to list three (3) enumerated categories of data elements that are considered to fall under "personal information":
- Social security number
- Driver's license number or non-driver ID card number or account number, and/or
- An account number, credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
Under SHIELD, three more categories would be added to the list, bringing it closer to resembling Massachusetts' information security statute:
- Account numbers and credit or debit card numbers, if circumstances exist wherein such number(s) could be used to access an individual's financial account without additional identifying information, security code, access code, or password;
- Biometric information, meaning data generated from electronic measurements of an individual's unique physical characteristics used to authenticate or ascertain the individual's identity; and
- User names or email addresses in combination with passwords, or security questions and answers, which would permit access to an online account.
It is important to note that while SHIELD's additional data elements help expand New York's data security laws, the data security laws of states like California, Colorado, and North Carolina define "personal information" much more broadly, begging the question of whether SHIELD is really expanding New York's current law or merely clarifying it.
For example, California's information security act goes on to identify "medical and health insurance information" as personal information that a business must take reasonable steps to secure.
Colorado's security law includes a government passport number, an employee identification number (EIN), and financial transaction devices as personal information.
North Carolina's law includes digital signatures, parents' legal surnames, and any other numbers that can be used to access a person's financial resources as personal information that data collectors must secure.
What are the "Reasonable Security Measures" Required to be Implemented?
Perhaps the most crucial component of SHIELD relates to the type of protected information involved, because businesses already regulated for that data type are treated differently:
- HIPAA-protected information
- GLBA-protected information
Businesses that are not already covered by industry-specific regulations such as the ones above must implement a data security program that contains reasonable administrative, technical, and physical safeguards.
Amendments to Data Breach Notification Provisions
Currently, New York's law only applies to instances of unauthorized acquisition. Once SHIELD is enacted, the definition of a "data breach" would be expanded to include instances in which there was unauthorized access to computerized data.
This would significantly lower the threshold for incidents to qualify as "data breaches." It is worth mentioning that the deadline for notifying affected individuals is still "in the most expedient time possible and without unreasonable delay."
The bill is now heading to the Governor for review and consideration.