It's tough to keep up with the state-by-state race toward tighter cybersecurity and data privacy regulations.
New York is the latest to pass a significant new law, called the New York SHIELD Act (short for Stop Hacks and Improve Electronic Data Security). Some key details are worth unpacking here.
What are key parts of the New York SHIELD Act?
For answers, we turned to cybersecurity and privacy attorney Jordan Fischer of XPAN Law Group.
[SecureWorld] Jordan, what are the three most important things organizations need to know about the new SHIELD Act in New York?
[Fischer] Here are the top three:
(1) Extraterritorial Reach—the Act applies to all entities that collect and process personal data related to NY data subjects, so even if you are not in NY, the law can apply;
(2) Expanded definition of "security breach"—the Act includes unauthorized "access" to private information, which means that even if a system is accessed, and data is not exfiltrated, it would still constitute a reportable data breach under this expanded definition;
(3) An expanded definition of personally identifiable information (PII)—PII now includes biometric information (e.g., fingerprints) and email address/password combinations that provide account access, including security questions and answers. They are included as data that, if compromised, requires notification.
These three aspects of the Act mean that more businesses are impacted by its requirements.
Jordan Fischer will be speaking at the SecureWorld New York conference on September 25th. Don't miss her session, A Survey of U.S. Domestic Security and Privacy Laws: The Evolving Landscape.
Read more about the SHIELD Act in her firm's blog post on the topic. The article points out that New York now puts a bigger focus on reasonable cybersecurity.
"In a nod to generally acceptable best practices, the SHIELD Act requires an organization to develop, implement and maintain administrative, technical and physical safeguards."
What do I need to know about the changing privacy and security landscape?
With individual states in the U.S. taking the lead on privacy, and in many cases on security regulations, organizations face compliance challenges.
We asked Fischer how significant this is.
[SW] In the last year, how many states have made security and privacy law changes?
[Fischer] That is a difficult question to answer; it depends on what you mean by "changes." Almost every state has made changes to their security breach notification laws, and many states (probably 20 - 30) have passed more privacy-oriented laws, or considered privacy-oriented laws, or are in the midst of considering them.
Many states are focusing on industry-specific laws, or data-type specific laws, instead of CCPA- or GDPR-type legislation that basically impacts all industries. But this is a constantly moving target, which keeps those of us at our firm up at night.
This moving target also explains why sessions on this topic have become some of the most popular on SecureWorld regional conference agendas around North America.
National U.S. privacy bill still in the works
One of our favorite quotes on this comes from a Politico story on this slow process:
"We've been talking for what, two years about a privacy bill?" said Republican Louisiana Senator John Kennedy. "Haven’t seen one, don’t know if we’ll ever see one. We need a microwave, not a Crock-Pot here."
Now that's some privacy language we can actually understand.
[RELATED: 10 Quotes on Privacy You Should Read]