Cybersecurity law moves quickly, and a bill that died in one legislative session can come back in another and change the regulatory landscape in unexpected ways. Case in point: the NY SHIELD Act, S5575A, which passed the New York Senate this week.
The Act still must pass the Assembly before it makes its way to the governor for signature. Those who follow this area may remember the 2017 bill of the same name, S6933, which died in committee.
The two bills are nearly identical. Both update New York’s data breach notification law, N.Y. Gen. Bus. Law § 899-aa, to: (i) broaden the definition of “private information” under the statute, which increases the circumstances under which notification is required; and (ii) add a new § 899-bb that requires “reasonable” cybersecurity efforts in relation to the storage and processing of private information, under the new, broader definition. The new bill (just like the old one) removes the restriction in § 899-aa that limited the statute to entities “conduct[ing] business in New York State,” expanding its reach to any “person or business which owns or licenses . . . private information” concerning a New Yorker. If the bill passes, New York will join a growing number of states, such as Massachusetts and Florida, whose data breach notification laws potentially reach around the world to cover anyone in possession of protected data concerning a resident of the state. It remains to be seen how far states can go in extending their breach notification laws in this way, but few wise organizations want to be the test case (or the guinea pig) that challenges them.
On the substantive security front, the SHIELD Act joins other states, such as Delaware recently, in requiring “reasonable” cybersecurity efforts under the circumstances. The term “reasonable” can be maddening to an information security professional, because it is always determined in the eye of the beholder. The SHIELD Act does soften this somewhat: if an organization is covered by another regulatory scheme, such as HIPAA or GLBA, and can show that it is compliant with that scheme, it is also compliant with the requirements of the SHIELD Act. The problem, of course, is that there is no vehicle for certifying compliance with those other schemes, and the very occurrence of a reportable breach under § 899-aa is likely a sign that compliance was lacking. Famously, Ellen Richey, Visa’s former Chief Enterprise Risk Officer, said, against the backdrop of the Heartland breach, that “[n]o compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach.” Because compliance is a process, not an end state, few entities that have suffered a reportable breach under § 899-aa will be able to show that their security efforts were reasonable, or that they fall within the exception for compliance with another regulatory scheme.
When and if the SHIELD Act passes, organizations will scramble to get their security houses in order, as they did in response to the Department of Financial Services Cybersecurity Regulations, 23 N.Y.C.R.R. Part 500. The real effect of the SHIELD Act will be seen in enforcement, however, as court decisions and consent decrees define more precisely what it means to be “reasonable” in relation to cybersecurity under the circumstances.