New York already has one of the toughest cyber security regulations in the country, but it only applies to financial services firms like banks, mortgage companies and investment advisors.
After the Equifax breach, New York Governor Andrew Cuomo proposed that they add credit reporting agencies to the list of companies covered by the New York regulation called DFS 500.
This week New York Attorney General Eric Schneiderman proposed tough new legislation that would extend the coverage of New York law to all companies that handle non-public information of New York residents. Schneiderman says that the update is needed.
The Stop Hacks and Improve Electronic Data SecuritY or SHIELD Act was introduced in both legislative houses.
Schneiderman said that his office received notice of 1,300 breaches in 2016, a SIXTY PERCENT INCREASE over the previous year.
Some business officials wondered how it would be enforced on out-of-state companies, but a similar requirement currently exists in a number of other states.
The law has modest penalties – up to $5,000 per violation or $20 per failed notification, up to a maximum of $250,000. Compare this to the new data privacy law in Europe, which allows for fines of 20 MILLION Euros or more.
Small businesses with fewer than 50 employees (and meeting some other requirements) would only have to implement security appropriate to the size of the company and its risk.
The law also says that companies that obtain independent certification of their security practices and achieve high marks would be immune from enforcement actions. This is a great incentive to conduct annual cyber risk assessments.
The Business Council of New York State, a trade group of over 2,000 businesses, said that businesses are not bad actors and are interested in protecting their customers’ data. If that is true, they should be conducting an annual independent third-party risk assessment anyway, and if their program comes away with high marks, they have immunity. So, if they do protect their customers’ data effectively, they have nothing to worry about from this bill, even if they do get breached.
Schneiderman has a reputation of being tough on companies that get breached and hackers who breach companies, so this new bill is not unexpected.
Information for this post came from Law.com.
The text of the bill can be found here.