Following up on our post from June 7, Governor Cuomo has now signed the SHIELD Act into law. New section 899-bb of the General Business Law, which creates substantive security obligations for all persons or businesses that own or license the defined “private information” of New Yorkers, goes into effect in 240 days, with the rest of the law taking effect within 90 days.
Cybersecurity law moves quickly, and what may have been dead in one legislative session can come back in another to change the regulatory landscape in unexpected ways. Case in point: the NY SHIELD Act, S5575A, which passed in the New York Senate this week.
This fall, I have the pleasure of teaching a course on Information Security Policy and Law at the Rochester Institute of Technology Golisano College of Computing and Information Sciences. When I was asked to teach, I welcomed the opportunity, because the course is directed at graduate level cybersecurity students, who don’t often get exposure to the legal and regulatory side of the cybersecurity equation.
In an interesting IAPP article, Kelce Wilson, InfraGard General Counsel, describes how bad actors without any hacking expertise can potentially inject themselves into the middle of a data breach notification effort and engage in widespread identity theft. The other unanticipated consequence of data breach notification is this: with the trend toward public disclosure of data breach notification letters and statistics, more and more information is in the public domain about the types of data our organizations collect and whether or not we encrypt that data. Case in point: Massachusetts, where yearly Data Breach Notification Reports are available online. The 2018 Report shows data breaches reported to Massachusetts authorities this year.
As cybersecurity regulatory frameworks mature, the move has been toward risk-adjusted security requirements rather than prescriptive controls mandated by a legislature or administrative agency. This makes sense, of course, for two primary reasons.