Security news that informs and inspires

New York Considers Its Own GDPR-Style Data Law


New York’s lawmakers are on the brink of passing a data security law that will give New Yorkers more information about how their data is being used and when it has been compromised.

The Stop Hacks and Improve Electronic Data Security Handling (SHIELD) Act would update the state’s existing data breach notification law to expand protection over more pieces of personal information and require organizations to disclose ransomware infections. Currently under debate, the bill would cover any business entity that holds sensitive data of New York residents—and not just firms that do business in the state.

“I want to capture as many businesses as possible,” the bill’s sponsor State Senator Kevin Thomas told Cyberscoop. “To just limit it to people who do business here doesn’t really suffice.”

The bill’s scope echoes how European Union’s General Data Protection Regulation (GDPR) requires organizations to disclose breaches affecting EU citizens, even if the entity didn’t have operations in that country. GDPR gives organizations a mere 72 hours to disclose the breach, but the SHIELD Act is a bit more lenient with the notification period. The language in the bill said affected individuals need to be notified “without unreasonable delay,” and that notification window is likely about 30 days, and for large enough breaches, media reports could be considered a form of notification, according to Cyberscoop.

The bill defines personal information as “any information concerning a natural person, which because of name, number, personal mark or other identifier, can be used to identify such a natural person.” This includes biometrics and any piece of information that can be used with a social security number, driver’s license number, username, or email address that would give someone unauthorized access to an account. Health information protected under Health Insurance Portability and Accountability Act (HIPAA) is also included.

The bill also changes the reporting requirement: organizations have to disclose all incidents of unauthorized access or viewing of personal information—even if the data isn’t actually stolen.

The SHIELD Act requires all businesses to implement “reasonable” administrative, technical, and physical safeguards to protect sensitive data. Businesses would be required to identify internal and external risks as part of a formal risk assessments program, appoint an employee to oversee a data protection program, assess service providers to ensure they are also protecting the data, and train employees. The bill’s technical prescriptions are based on the state’s Department of Financial Services’ cybersecurity regulation. Requirements including assessing risks in software, network design, and in how data is processed, transmitted stored, and disposed. Businesses need to have controls in place to detect, prevent, and respond to unauthorized access, security incidents and system failures.

Patchwork of State Laws

Many states are passing their own data security laws because of lagging efforts on the federal level. California passed its own GDPR-style law, and Colorado and Massachusetts have similar laws already on the books.

“While there is a pressing need to protect consumer privacy, the patchwork of regulations, both proposed and enacted, increases the complexity of proper compliance,” said Tim Mackey, principal security strategist CyRC at Synopsys. “Given that privacy and security are both sides of a coin representing the trust a consumer has in an organization and its data handling practices, more complexity isn’t something technology providers need when looking to properly secure our digital lives.”

The former Attorney General Eric Schneiderman introduced the SHIELD Act with state Senator David Carlucci and former Assemblyman Matthew Titone as sponsors back in 2017, but it failed to get traction.

Things are different now, with data breaches being reported almost every day, and the state senate’s consumer protection committee is expected to debate and approve the bill. There is about a month left before the session goes on break, but the bill is expected to pass the entire legislature if it comes up for a full vote. Gov. Andrew Cuomo urged for such laws and regulations after the data breach at Equifax. The law could go into effect as early as next year.

Once passed, NY’s SHIELD Act would likely be among the strictest laws in the country. Not complying with the law could result in fines of $5,000 per violation or $20 per notification failure, with a maximum penalty of $250,000. There is a safe harbor provision for organizations compliant with standards or regulations such as the ISO 27001 information security management standard, NIST 800-53, HIPAA, and New York’s Department of Financial Services’ cybersecurity regulation. They would not be prosecuted by the Attorney General in case of a breach, unless there is evidence of willful misconduct, bad faith, or gross negligence.

New York lawmakers aren’t just focusing on the SHIELD Act to improve consumer data privacy and security. The Right to Know Act to strengthen consumer data privacy rights is also currently in the consumer protection committee. This bill would require that businesses that retain “a customer's personal information shall make available to the customer free of charge access to, or copies of, all of the customer's personal information retained by the business.” Personal information is defined as anything identifying or referencing a person or electronic device, such as name, alias, address, telephone number, email and IP addresses, account names, Social Security number, driver’s license number, passport number, and any other unique identifiers. It also covers sexual information “including, but not limited to, sexual orientation, sex, gender status, gender identity, and gender expression.” Consumers would know the types of information being shared, and the contact information of all the third parties that received the data within thirty days.

Unlike GDPR, the SHIELD Act doesn’t address user consent or whether the business legitimately needs to be collecting the information in the first place. The Right to Know Act also falls in the same trap. The assumption is that the business collecting the data is operating in the best interest of its users and within societal expectations. That assumption is a hard one to make, considering the consumer backlash and pushbackthat comes when consumers find out how companies are using their information.

One unfortunate aspect of proposals such as the SHEILD Act is the focus placed on data breaches rather than the underlying security posture of organizations collecting and processing personal data or rationale for collecting the data in the first place.

“Given that malicious actors define their targets and will tend to look to attack weaker organizations with valuable data, it behooves all businesses to implement strong security governance and create accurate and up-to-date threat models for all data they collect and process,” Mackey said.