The New York State Legislature recently passed a bill that aims to protect New York residents, regardless of where the business that holds their data is located. The law, known as the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, is designed to address unauthorized access to data.

The bill expands the definition of "breach of the security of the system" by adding the words "access to" data. The original statute contemplated only the acquisition of data. As has been noted in the past, an acquisition-only definition would let an organization avoid reporting a ransomware event, since ransomware encrypts data in place and need not copy it anywhere. Under the new wording, any unauthorized access to private information is a reportable event, a point specifically noted in commentary by one legal authority.

The bill, codified as part of the General Business Law, states that if you conduct business and hold the private information of a New York State resident, you are covered by the Act. This broad territorial reach is similar to that of the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA): it is the residency of the consumer that matters, not the domicile of the business. The bill is also highly reminiscent of the NYS DFS cybersecurity regulation (23 NYCRR Part 500), extending risk-based security requirements of the kind found in Part 500 to any business that holds the private information of New York residents.

The SHIELD Act expands the notification requirements and extends the time limit within which a person may seek remedies for damage caused by a breach. The law also raises the penalties previously defined in the General Business Law.

One of the most shocking parts of the bill is the deletion of the word “reasonable” when describing the return of system (Read more...)