June 24, 2021

Volume XI, Number 175


A.G. Schneiderman Announces SHIELD Act to Protect New Yorkers

The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) was introduced in the New York legislature in early November and would amend New York’s state breach notification law. The bill was announced after a New York Office of the Attorney General report found a nearly 60% increase in data breaches affecting state residents in 2016, and following the September Equifax breach, which A.G. Schneiderman is investigating.

Among other things, the SHIELD Act would:

  • Require reasonable security for private information, using standards tailored to the size of the business, while avoiding duplicative regulation, providing incentives to businesses that certify their security compliance, and giving clear examples of safeguards (technical, administrative, and physical measures).

  • Carve out “compliant regulated entities,” defined as those already regulated by, and compliant with, existing or future data security regulations of any federal or New York State government entity (including the NYS DFS cybersecurity regulation, regulations under Gramm-Leach-Bliley, and HIPAA regulations), by deeming them compliant with this law’s reasonable security requirement.

  • Provide a safe harbor from AG enforcement actions under this law for “certified compliant entities” (those holding an independent certification of compliance with the aforementioned government data security regulations, or with ISO/NIST standards).

  • Provide a more flexible standard for small businesses (fewer than 50 employees and under $3 million in gross revenue, or less than $5 million in assets), requiring reasonable safeguards “appropriate to the [small business’s] size and complexity.”

The proposed legislation broadens the current breach notification law in several ways. For example, it would apply to anyone holding private information of New Yorkers, rather than only to those who “conduct business” in New York. It also expands the definition of a reportable breach from unauthorized “acquisition” of private information to include unauthorized “access” as well, so an intruder who views data without exfiltrating it can still trigger a notification obligation to the Attorney General. Finally, it would require notification for breaches of additional data types, including username-and-password combinations, biometric data, and HIPAA-covered health data.

This legislation follows a trend at the state level, as states refine their data security and breach notification statutes while the cyber landscape evolves. For example, California’s information security statute requires the implementation of “reasonable security procedures and practices appropriate to the nature of the information” (see Cal. Civ. Code §1798.81.5(b)); in 2016 the California Attorney General gave that standard concrete content by stating in its 2016 Data Breach Report that it would be met by implementing the Center for Internet Security’s 20 Critical Security Controls. See https://www.cisecurity.org/controls/.

© 2021 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. National Law Review, Volume VII, Number 319

About this Author

Kenneth Dort, Drinker Biddle Law Firm, Intellectual Property and Data Security Attorney, Chicago
Partner

Kenneth K. Dort counsels clients on information technology and intellectual property law issues—specifically, software development and licensing, systems development and integration, data security and privacy, trade secret protection and patent/copyright/trademark licensing and protection. He is chair of the firm’s Technology Committee.

Ken is CIPP/US, CIPP/E and CIPP/C certified and advises clients throughout the United States, the European Union and Canada on their data security and privacy practices and compliance needs...

312-569-1458
Katherine Armstrong, Drinker Biddle Law Firm, Washington DC, Data Privacy Attorney
Counsel

Katherine E. Armstrong is counsel in the firm’s Government & Regulatory Affairs Practice Group where she focuses her practice on data privacy issues, including law enforcement investigations, and research and analysis of big data information practices including data broker issues.

Katherine has more than 30 years of consumer protection experience at the Federal Trade Commission (FTC), where she served in a variety of roles, including most recently as a Senior Attorney in the Division of Privacy and Identity Protection.  In the Division of...

202-230-5674