Preliminary thoughts on the proposed New York Data Security Act (also known as the Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act):

NIST Framework Unbound. I've often quipped that, although the NIST Cybersecurity Framework is supposedly voluntary, it's feeling more and more obligatory. This proposed law would continue the trend. It creates an exemption for companies that comply with the NIST Cybersecurity Framework and obtain an annual, independent audit of their compliance. That means that they wouldn't have to comply with the default security requirements built into the proposed law. So in practice, although the proposed law wouldn't technically require NIST Cybersecurity Framework compliance, it would strongly encourage it. (The proposed law would offer a few alternatives: You could also comply with ISO27002, Gramm-Leach-Bliley standards, or HIPAA standards.)

Ms. Scarlet in the server room with the USB stick? The fact is, it's often a guessing game to figure out if a hacker's gotten ahold of sensitive data. It can be hard enough to figure out whether notification is required by New York's current law, which requires companies to tell data subjects when their protected information is "acquired," which roughly means "downloaded" or "copied" under the law. The proposed changes would expand notification to situations where information is merely "accessed," which roughly means... actually, I'm not sure what that's supposed to mean in the context of sophisticated computing systems. Anyway, this could be a major headache for businesses. First, many computer systems aren't designed or configured to keep logs for mere access. So you'll often be left guessing whether a hacker has "accessed" data. Second, even if you can tell that a hacker has "accessed" some trove of data, you often can't tell whether the hacker has accessed any particular subset of that data. Business databases usually contain hundreds or thousands of different data tables, some of which will contain innocuous data and some of which will contain extremely sensitive data. Third, even if you can you can see that a hacker has accessed some particular set of data, you might not know whether the set of data contains anything sensitive. Email archives are the best example. You can bet that the email account of a doctor or financial planner will contain protected information, but what about the email account of a salesperson for an electrician, or the office manager of a regional restaurant chain? Do you have to search through every email to look for protected information that might give rise to a notification obligation?

Nobody expects the New York Data Security Act! The stated effective date of the proposed law is January 1, 2018. That doesn't leave an awful lot of time for businesses to get into compliance.

Full text of the law here; press release here.