Even though we haven’t passed the green flags of Thanksgiving, it’s beginning to look a lot like Christmas—at least for cybersecurity advocates. In this edition of “Someone’s Actually Paying Attention,” New York State Attorney General Eric Schneiderman has introduced a bill that expands the definition of a breach in his state.
The bill is called the Stop Hacks and Improve Electronic Security Act, or the SHIELD Act for short, and it already has the support of two members of the state legislature.
First of all, I agree with Schneiderman’s statement that “New York’s data security laws are weak and outdated.”
Previously in New York, compromise was defined as the acquisition of data, which required evidence that information had been extracted by hackers. The new expanded law will include any unauthorized access to information. In other words, if someone is caught looking, that counts.
Additionally, the possession and compromise of Social Security numbers no longer forms the trigger requiring an entity to report a cyber event to the attorney general’s office.
“The SHIELD Act also expands the types of data that trigger reporting requirements, to include username-and-password combinations, biometric data, and HIPAA-covered health data. The bill also provides companies with a strong incentive to go beyond the bare minimum, and obtain independent certification that their data security measures meet the highest standards; companies that do so would receive safe harbor from state enforcement action.”
There is more in the SHIELD statement worth reading. You can find it here.