As reported in our blog post from November 6, 2017, the New York State Attorney General announced the release of the proposed SHIELD Act in early November 2017. This new legislation (we have some links for you below) would make significant changes to New York’s cybersecurity provisions (primarily under General Business Law §899-aa and its sequential provisions), including the following:
- Expanding the coverage of New York’s data security protections to include any business that holds sensitive data of New York residents.
- Imposing obligations on all such businesses to have “reasonable” safeguards in place to protect that sensitive data (though small businesses would have more flexible standards).
- Changing the notification obligations under the law so that they would apply not only to the acquisition of sensitive information, but also to access to that sensitive information.
- Increasing civil penalties in actions brought by the Attorney General’s office.
This much-heralded proposed legislation was in response to several large data breaches and ransomware attacks impacting New York residents and was often referenced by Attorney General Schneiderman as a critical measure to increase the data security of New York residents.
So, what’s the status of the SHIELD Act? First, we note that New York has been working on changing GBL §899-aa and its sequential provisions for a while. Legislation amending the law (but with different provisions) was proposed by the New York State Department of Law in the 2015 legislative session, but not passed (its last status was in Assembly and Senate committees). The SHIELD Act legislation was proposed by the Attorney General in late October, 2017, with the Assembly version sponsored by then-Assemblyman Kavanagh. Subsequently, he became Senator Kavanagh, and so the Assembly version of the legislation needed a new sponsor, and the bill was picked up by Assemblyman Titone (with nearly identical provisions, save for an amendment to provide for a “rolling” effective date based on when the legislation was passed). The (slightly) amended Assembly bill remains in the Assembly Consumer Protection Committee. The Senate version of the bill, sponsored by Senator Carlucci, was introduced to the Senate Consumer Protection Committee, and was subsequently sent to the Senate Finance Committee. As of this writing, the Assembly and Senate SHIELD Act bills have yet to move out of committee to the floor for a vote, and, therefore, the SHIELD Act is not yet a law. Jackson Lewis’ Government Relations team continues to monitor this legislation.
New York continues to focus on cyber security, however. Some examples of other laws and regulations in process are:
- The Department of Financial Services proposed regulations impacting credit reporting agencies: These proposed regulations would impose registration requirements and detail prohibited practices for credit reporting agencies – and would require credit reporting agencies to comply with DFS’ (first-of-their-kind) cybersecurity regulations for financial institutions.
- The New York Department of State emergency regulations on identity theft prevention and mitigation: These regulations were also implemented on an emergency basis, and would place requirements on consumer credit reporting agencies with respect to marketing identity theft prevention products. They would also empower the Division of Consumer Protection to obtain information from consumer credit reporting agencies, and inform and educate consumers with respect to protecting personal information, preventing identity theft and addressing identity theft when it does occur. These emergency regulations are still active, and expire on May 5, 2018.
- Proposed legislation relating to the New York State Cyber Security Advisory Board, a New York State Cyber Security Action Plan and Periodic Cyber Security Reports: The first bill would establish a cyber security advisory board to be operated within the New York State Department of Homeland Security and Emergency Services (DHSES), to advise the Governor and Legislature on cyber security development, and recommend protective measures. The second bill would have several agencies working together to develop a cyber security action plan for New York. The final bill would have DHSES work with the Office of Information Technology Services, the New York State Police and the President of the Center for Internet Security (which is a private, not-for-profit organization) to produce a comprehensive report of all cyber security services in New York State, every five years. These bills are in committee, in committee and in committee, respectively.
In case you would like some more information, below are links to some of our previous blog posts dealing with cyber regulation in New York, and a link to our archived webinar on DFS regulation compliance (helpful to keep up with the continuing obligations under the regulations):