Data Breach Legislation
As cyber threats evolve and grow, it’s not a matter of if a cyberattack will occur but when – or worse, has it already happened, and you just don’t know it? As a result of the ever-changing technology landscape and the increasing frequency of breaches, the New York State legislature is taking a stand to increase protections for consumers by holding companies more accountable should a data breach occur.
What is the SHIELD Act?
On July 25, 2019, New York Governor Andrew Cuomo, signed the Stop Hacks and Improve Electronic Data Security, or “SHIELD Act.” The law imposes stronger obligations for businesses handling private computerized data, saying that they “shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.” It also requires businesses to provide proper notification to affected consumers regarding the data that “was or is reasonably believed to have been, accessed or acquired by a person without valid authorization.” The Governor signed further legislation requiring consumer credit reporting agencies to offer identity theft prevention and mitigation services to consumers who have been affected by a security breach of the agency’s system.
The SHIELD Act includes a breach definition, similar to that in the Health Insurance Portability and Accountability Act (HIPAA), where a breach of data can include unauthorized access, e.g. ransomware. According to the law, a cybersecurity incident qualifies as a breach unless it’s a result of inadvertent disclosure by persons authorized to access private information, and the organization reasonably (via a documented risk assessment) determines such exposure will not likely result in misuse of such information or financial or emotional harm to the affected persons. The rule states that if an organization is required to report a regulatory breach of another rule (such as HIPAA and other laws), the breach MUST also be communicated to the attorney general within 10 days of reporting it to the required federal or state regulatory agency.
Additionally, the law adds requirements for protection of user name, email addresses, passwords, biometrics and other information for all residents of New York State providing their personal information to any U.S. business.
What should businesses do next?
Compliance with these new regulations is required by March of next year and will impact almost every business and resident in New York State, as well as those businesses outside of the state with New York resident data.
One advantage in the law is the “SHIELD” provision that states if a business already complies with HIPAA, GLBA and 23NYCRR500 it may also already “comply” with this new legislation. Furthermore, it states that “SHIELD” can be applied to other data privacy/security laws and regulations. But be cautious – other standards (e.g. NIST, PCI DSS, ISO27001/2, etc.) are not specifically called out as an acceptable “SHIELD.”
Cybersecurity is a journey, not a destination, and the rules and regulations are consistently changing. The Bonadio Group and FoxPointe’s cybersecurity teams already have a program built and tested to meet all the compliance requirements that the law requires. If you have any questions about how this may impact your business practices or the steps you should be taking to remain compliant, please reach out to me at ccadregari@foxpointesolutions.com or visit www.foxpointesolutions.com/contact.
You can read more about the new legislation here.