New Yorkers could soon have clearer insight into when, where and how their data has been compromised under the terms of a bill expected to pass this week in the state’s legislature.
The state’s lawmakers are debating whether to approve a bill that would update the state’s data breach notification law to cover more personal information and force firms to disclose ransomware infections, among other measures.
The Stop Hacks and Improve Electronic Data Security Handling (SHIELD) Act also would cover any business that holds sensitive data of New York residents, rather than only firms that do business in the state. It’s an important detail cribbed from the European Union’s General Data Protection Regulation (GDPR), which compels organizations to report breaches affecting EU citizens, no matter where the hacked company is located, to regulators within 72 hours.
The SHIELD Act requires notification to affected individuals “without unreasonable delay,” a time period that typically means 30 days, according to state Sen. Kevin Thomas, who re-introduced the bill after a failed attempt to do so in 2017.
“I want to capture as many businesses as possible,” he said Wednesday. “To just limit it to people who do business here doesn’t really suffice.”
Notification can come in the form of media reports if the breach costs more than $250,000, Thomas told CyberScoop. If passed, the law could go into effect next year.
The state senate’s consumer protection committee is scheduled to debate and likely pass the bill on Thursday, Thomas said. From there, he predicted it will be passed by the entire state legislature and become law following signature from Gov. Andrew Cuomo, who has called for such regulation in the past.
Meanwhile, New York Attorney General Letitia James signaled her willingness to enforce data security law by opening an investigation last month into Facebook’s data collection practices.
The SHIELD Act goes further than most state data breach legislation because it also pulls from the state’s Department of Financial Services’ cybersecurity regulation. Most state laws require businesses to have “reasonable” security programs, vague legalese that typically satisfies business and consumer advocacy groups. New York’s SHIELD Act is more specific, prescribing risk assessments, the appointment of an employee to oversee a data protection program, employee training and other requirements.
“If this passes it will be one of the strictest laws in the country,” said Kenneth Rashbaum, a partner specializing in cybersecurity at the New York law firm Barton, adding that Colorado and Massachusetts have similar rules.
“I would be very surprised if anything here is not aggressively pursued. This one is going to be interesting,” Rashbaum said.
You can read the full bill below.