What’s Old is New Again - NY SHIELD Act Passes the Senate

Cybersecurity law moves quickly and what may have been dead in one legislative session can come back in another to change the regulatory landscape in unexpected ways.  Case in point, the NY SHIELD Act, S5575A, which passed in the New York Senate this week.

The Act still must pass in the Assembly before it makes its way to the governor for signature.  Followers of this blog may remember the 2017 eponymous bill, S6933, which died in committee.

The two acts are nearly identical, and update New York’s data breach notification law, N.Y. Gen. Bus. Law § 899-aa to: (i) broaden the definition of “private information” under the statute, which increases the circumstances under which notification is required; and (ii) add a new § 899-bb that requires “reasonable” cybersecurity efforts in relation to the storage and processing of private information, under the new, broader definition.  The new Act (just like the old Act) removes the restriction under § 899-aa that limited that statute to entities “conduct[ing] business in New York State,” expanding the statute’s reach to any “person or business which owns or licenses . . . private information” concerning a New Yorker.  If this passes, New York will join a growing number of states, such as Massachusetts and Florida, whose data breach notification laws potentially reach around the world to cover anyone in possession of protected data concerning a resident of the state.  It remains to be seen how far states can go in expanding their breach notification laws in this regard, but few wise organizations want to lead the test case (or be the guinea pig) to challenge them.

On the substantive security front, the SHIELD Act joins other states, such as Delaware recently, that require “reasonable” cybersecurity efforts under the circumstances.  Although the term “reasonable” can be maddening to an information security professional—because it is always determined in the eye of the beholder—the SHIELD Act does provide a caveat that if the organization is covered by a regulatory scheme such as HIPAA or GLBA, and can show that it is compliant with that scheme, it is also compliant with the requirements of the SHIELD Act.  The problem here, of course, is that there is no vehicle for certifying compliance with these other regulatory schemes, and the very occurrence of a reportable breach under § 899-aa is likely a sign that compliance may have been lacking.  Famously, Ellen Richey, Visa’s former Chief Enterprise Risk Officer, said—against the backdrop of the Heartland breach—that “[n]o compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach.”  Because compliance is a process, not an end state, few entities that have suffered a reportable breach under § 899-aa are likely to be able to show that their security efforts were reasonable, or that an exception arising from another regulatory scheme applies to them.

When and if the SHIELD Act passes, organizations will scramble—as they did in relation to the Department of Financial Services Cybersecurity Regulations, 23 N.Y.C.R.R. Part 500—to get their security houses in order.  The real effect of the SHIELD Act will be seen in enforcement, however, as court decisions and consent decrees define with more accuracy what it means to be “reasonable” in relation to cybersecurity under the circumstances.
