Businesses could soon be faced with stricter standards on breach notification and data security, thanks to a bill that the State Legislature recently passed.
If signed into law by Gov. Andrew M. Cuomo, the Stop Hacks and Improve Electronic Data Security Act, also called the SHIELD Act, would expand the scope of information that could trigger a breach notification to affected consumers, and it would require businesses to have reasonable data security safeguards in place.
Experts expect the law to be signed but say, in any case, data protection should be a top priority for companies.
“Data’s one of the highest valued assets a business has in the 21st century,” says Shari Claire Lewis, a partner in privacy, data and cyber law at Rivkin Radler in Uniondale. “They have to protect it as they would any other business asset.”
NYS had laws governing data breach notification, but the new statute would expand them and cover any business handling the private information of state residents whether or not the business is located here, Lewis says.
It also spells out the safeguards companies should take to protect data from being hacked, which wasn’t the case in the past unless the business was part of a “regulated industry” such as financing or health care, she says. Specifically, it lays out reasonable administrative, technical and physical safeguards companies should follow.
This can be helpful, she says, considering companies often don’t know where to begin to “provide necessary cybersecurity in proportion” to their business risk. Still, they will likely feel the burden of compliance costs to implement safeguards.
Safeguards laid out include designating one or more employees to coordinate the security program; selecting service providers capable of maintaining appropriate safeguards; and training employees in security program practices, says Bonnie Yeomans, special privacy counsel at Proskauer Rose LLP in Manhattan.
Notably, there are accommodations for small businesses, she says: Those that have fewer than 50 employees and fall within a certain revenue/asset threshold may craft a program appropriate to their size and complexity and the amount and type of private information they have. .
This legislation “is a big change, but it’s not surprising,” Yeomans says, as other states have taken similar measures.
For instance, like laws that Illinois, Colorado and Arizona have passed, the SHIELD Act includes in the details that would trigger a breach such biometric information as a fingerprint or retina image. It also expands, she adds, the definition of a breach from unauthorized acquisition of private information to unauthorized access to such. This could include viewing private information.
For more on the SHIELD Act (bill S5575B), see legislation.nysenate.gov.
This law is long overdue, according to Mark Grabowski, a communications professor specializing in internet law at Adelphi University in Garden City.
He feels it’s not as strong as California's or the European Union’s data privacy laws, but it’s an improvement over existing law.
“These are basic measures that should have been implemented long ago, but New York is ahead of many other states at this point,” he says, and he adds SHIELD has a good chance of being signed into law.
Cuomo’s office didn’t comment but said, “We will review the bill.”
Nicole Della Ragione, a member of the cybersecurity and data privacy practice at Ruskin Moscou Faltischek PC in Uniondale, says this legislation is a step in the right direction. She encourages businesses, as a best practice, to take stock of what kind of data they have and where and who holds it (the company itself or third-party vendor).
And regardless of the law, she says, companies should have a policy that includes employee training on information security and cyber best practices — plus an incident response plan.
“It pays off in the long run.”
Penalties for failure to comply with the stricter breach notification requirements would increase from a cap of $150,000 under current breach notification law to $250,000 under the SHIELD Act.
Source: Nicole Della Ragione—Ruskin Moscou Faltischek