NYS SHIELD Act: Updates to PII, Data Security, and Breach Notification  

After the devastating Equifax incident, the New York State legislature introduced the Stop Hacks and Improve Electronic Data Security or SHIELD Act in order to update the  existing  breach rules. Last month, SHIELD finally became law, and NYS now has some of the toughest security and breach notification language at the state-level. We blogged about the SHIELD Act when it was first introduced back in 2017, and most of what we wrote then has made its way into the law.

Let’s go over the most significant changes.

SHIELD Extends Definition of Personally Identifiable Information

All US states now have some form of a breach notification law. There are, thankfully, commonalities among the legal requirements for notification. For more details, check out our awesome Data Breach Definition by State post, which breaks down the breach reporting rules.

Until recently, the definition of personally identifiable information (PII) for many states was based on vanilla legacy identifiers — name, home address, phone number, driver’s license, social security and credit card/account numbers. There are states — California, Washington, Oregon, and others — that are modernizing their definitions to include internet-era handles, such as email addresses, online handles, and passwords.

The Empire State now joins this group with its newly updated breach notification law. For the record, SHIELD’s “personal information”, their term for PII,  now covers:

• Social security number
• Driver’s license number or non-driver identification card number
• Account number, credit, or debit card number in combination with other identifiable data
• Biometric information such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation
• User name or email address in combination with a password or security question

This is about as good as it gets for PII in state breach laws. It should be noted that the California Consumer Privacy Act (CCPA) along with a slew of other state privacy laws in the works have an even broader list of identifiers in their PII lists. Some even cover information that can “probably” be related back to an individual!

Will these separate state privacy and breach notification laws eventually converge in their definitions, as they do in the EU’s GDPR ? For now, we need to keep mind that the definition of PII in state privacy laws for sharing or deleting (“right to be forgotten”) data is trending toward covering far more information that the PII in state breach reporting laws. Confusing, but that’s the way it is.

SHIELD Tweaks Breach Notification Criteria:  Access Alone Counts

Another confusing point about breach rules is whether exfiltrating the PII or merely accessing the data is breach-worthy. This is an important distinction because ransomware or destructive attacks access the PII without the attackers necessarily acquiring it. Breach laws that have a data acquisition threshold therefore would not require a notification to be filed with a regulatory agency or sent to affected individual in the case of ransomware.

It’s such a significant point that we wrote an illuminating white paper on this very subject to help you decide when to report a ransomware attack under various state, federal, and international laws.

With the SHIELD changes, New York joins a handful of other states that consider access alone to be a breach. Here’s the actual language:

“Breach of the security of the system shall mean unauthorized access to or acquisition of, or access to or acquisition without valid authorization, of computerized data that compromises the security, confidentiality, or integrity of [personal] private information maintained by a business.”

SHIELD simply amended the existing breach law with the inclusion of the word “or” between access and acquisition. Small change, big implications.

SHIELD does have exceptions for good faith access by employees. Overall, intentional unauthorized access whether by employees or through outside attackers is most definitely a breach.

However, SHIELD also amended NYS’s existing breach law to allow companies to conduct a risk-of-harm analysis in deciding whether the breach should be reported: the analysis must take into account whether potential misuse of PII impacts consumers either emotionally or financially.

If the analysis indicates there’s no potential of harm, then the consumer does not have to be notified. At a minimum, though, the organization would have to document the incident and their risk-of-harm analysis for its internal records. If more than 500 NY residents are affected, then the harm analysis also has to be filed with the NY Attorney General.

On the other hand, if a breach notification is required, the existing law tells us it must be sent “without unreasonable delay” to consumers by either mail, telephone, or electronic means; the NY AG would have to be told as well. All this has remained the same with the SHIELD updates. The Hunton Privacy blog has a great summary of NYS breach law after the SHIELD change.

SHIELD’s Extraterritorial Coverage

SHIELD has more surprises in store for businesses outside of NYS. It removes the phrase “conducts business in NY state” in defining which entities (see below) are covered.  Like the EU General Data Protection Regulation (GDPR), NY’s updated breach law has an extraterritorial reach:  any company in the US that “owns or licenses” PII of NYS residents would fall under the law. It effectively extends the NYS breach rules across the US!

Unregulated e-commerce companies, in particular, would have to follow NYS’s notification rules and the new security rules (see next section) added to protect this data.

SHIELD Adds New Data Security Requirements

SHIELD adds another significant update to the NYS breach law with a new list of requirements involving data protection. SHIELD calls for “reasonable security requirement”,  and in language that we often see in federal laws, asks companies to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data”.

Here are the key safeguards organized into broader security control areas:

Risk Identification and Assessment

• Identifies reasonably foreseeable internal and external risks
• Assesses the sufficiency of safeguards in place to control the identified risks
• Trains and manages employees in the security program practices and procedures
• Adjusts the security program in light of business changes or new circumstances

Monitoring and Response

• Detects, prevents and responds to attacks or system failures
• Regularly tests and monitors the effectiveness of key controls, systems and procedure

Retention

• Disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

If you’ve read our series of posts about DatAdvantage and compliance, you know how typical data security frameworks are structured. The above breakdown of controls should not be too much of a surprise. With that in mind, SHIELD does not offer prescriptive security controls. In fact, if a NY business is covered by other federal data security laws, say HIPAA or Gramm-Leach-Bliley (GLBA), or even by the NY Department of Financial Services’ very prescriptive regulation for financial companies, then these federal or more specific NY state rules would take precedent.

In short, the SHIELD updates set a low-bar for data security compliance. But as I pointed out above, e-retailers, which generally don’t fall under any minimum security rules, would need to take note even if they’re not located in New York!

More SHIELD Details and Closing Thoughts

The security requirements discussed in the last section go into effect on March 21, 2020. The rest of the provisions covering PII and breach notification take effect on October 23, 2019. By the way, small businesses — less than 50 employees or under $3 million dollars in revenue — are given more leeway when it comes to following the new law.

Much depends on how the State Attorney General interprets and enforces the new breach and data security requirements. The AG is the only one who can bring actions since there’s no private right of action in this law to file class lawsuits. We’ll keep you posted on new security guidelines and other significant decisions.

As we’ve been pointing out in the IOS blog, the data security legal landscape is changing with the states currently leading the charge. Minimum data security, broader definition of PII, and tougher breach notification requirements at the state level will be the new baseline rather than the exception.

Want to learn how Varonis can help your company meet New York’s new data security and breach rules? Ask for a demo today!