New York Attorney General Eric Schneiderman has introduced a bill that would expand that state’s existing data breach laws. This proposed legislation, called the Stop Hacks and Improve Electronic Data Security Act, or the SHIELD Act, is sponsored by two Democratic members of the state legislature (Senator David Carlucci and Assembly member Brian Kavanagh). Schneiderman stated in a press release: “It’s clear that New York’s data security laws are weak and outdated. The SHIELD Act would help ensure these hacks never happen in the first place. It’s time for Albany to act, so that no more New Yorkers are needlessly victimized by weak data security measures and criminal hackers who are constantly on the prowl.”

The SHIELD Act would:

  • Expand the requirement for a breach that must be reported to the Attorney General. Currently, a breach is defined as the unauthorized acquisition of certain private information. The SHIELD Act would expand this to include any unauthorized access to the information. This means that the unauthorized viewing of private information would be considered a breach, even if there is no evidence that the data was actually extracted.
  • Expand the type of private information that triggers a breach notification. Currently, companies are not required to meet data security requirements if the information they possess and store does not include Social Security numbers. The new law includes HIPAA-covered health data, biometric information, and user name and password combinations.
  • Require that a company give notice to the Attorney General of a breach if the business owns or licenses data with private information pertaining to New York residents. Currently, the notification law only applies to companies conducting business within the state.

The law would allow the AG’s Office to seek penalties of either $5,000 or, alternatively, $20 per failed notification. The latter penalty option is capped at $250,000, an increase from the current $150,000 cap. The law includes a safe harbor provision for companies that receive an annual certification of their data security compliance by an independent third-party organization. The law would have a less demanding standard for small businesses with less than $3 million in annual gross revenue and fewer than 50 employees.  Entities that are already regulated by existing New York and federal data security requirements (including regulations under the Gramm-Leach-Bliley Act) are considered compliant with the SHIELD Act’s security requirements.

The bill is currently in committee. Troutman Sanders will continue to monitor the bill’s progress through the New York state legislature.