Poor Richard Brings His Cybersecurity Kill Chain To New York's SHIELD Act

Kilpatrick

Poor Richard does get his hoped-for trip to New York today, but not, as many others hoped a few months ago, to examine a new comprehensive privacy law that outdoes the CCPA with the first enactment of the concept of data fiduciary responsibility for businesses, among other innovations. No, instead of unsheathing that sword, the New York legislature chose the SHIELD Act, which updates the state's general breach law to incorporate innovations from many other states. SHIELD also creates a general affirmative duty of reasonable security that reaches beyond the financial, health and other regulated sectors, a requirement more prescriptive than many but still risk-based (and less prescriptive than Massachusetts' 201 CMR 17.00), in the great tradition of reasonable security requirements that began when Section 1798.81.5 of the California Civil Code was first enacted in 2004.

Between SHIELD and the tougher requirements that 23 NYCRR 500 imposes on financial institutions, New York firmly establishes itself as one of the high-bar states for breach notification and general security, yet SHIELD does so through a law that does not require any sea change in a security program that already complies with other states' laws, except in the one case noted below. In those senses, Poor Richard approves of SHIELD as a well-drafted law that brings New York to the forefront without establishing an untested, new bleeding edge, while satisfying both the tech industry and Consumer Reports.

SHIELD’s Most Important Provisions

1. New, demanding “harm” standard – The one area in which SHIELD significantly departs from precedent is the new harm standard, which draws on innovations such as Florida’s, but goes beyond them in several ways:

“Notice to affected persons under this section is not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials as found in subparagraph (ii) of paragraph (b) of subdivision one of this section. Such a determination must be documented in writing and maintained for at least five years. If the incident affects over five hundred residents of New York, the person or business shall provide the written determination to the state attorney general within ten days after the determination.”

This provision is probably the reason that savvy observers like Justin Brookman of Consumer Reports say SHIELD is good law, because it (a) allows a "risk-of-harm" exception only for inadvertent disclosures by authorized personnel, (b) specifically establishes "emotional harm" as a standard, and (c) requires that determinations of no harm in breaches affecting more than 500 New York residents go to the AG within 10 days. Poor Richard is not quite as happy about this provision for our clients, but knows how we will deal with it and what we will begin to share with the New York AG that the Legislature may have missed. We will even tell you about it toward the end of this post.

2. Expansion of notice-triggering information:

a. Like a minority of other states following the Yahoo and LinkedIn breaches, New York now includes online account credentials: a user name or e-mail address combined with a password, or a security question and answer, that would permit access to an online (non-financial) account.

b. New York joins the growing number of states that include biometric information.

c. New York also joins a minority of other states in treating account number or payment card number as notice-triggering if they could be used to access a financial account without an access code or other additional information.

3. An “access or acquisition” state: New York joins the minority of states that defines breach in terms of both unauthorized access and unauthorized acquisition of notice-triggering information.

4. Tell the AG about HIPAA breaches. Many breaches of PHI are not breaches under state law because the data is not "private information," but in New York a covered entity that must notify the Secretary of Health and Human Services of a breach under HIPAA must also notify the AG, within five business days of notifying the Secretary.

5. Reasonable, risk-based security standards: The standards, while comprehensive, are all reasonable and based on risk assessments. They include a scalability provision for small businesses, but even medium-sized businesses can use their risk assessments as grounds for scaling the program to their size and the sensitivity of the data they hold. The comprehensiveness of the standards, however, will no doubt push both small and medium-sized businesses more quickly into the more secure cloud offerings.

Kill Chains for the New Harm Standard

Like anyone worth their salt in incident response, Poor Richard has been using the ideas behind the "kill chain" to prevent harm precisely in attacks by malicious outsiders and insiders, i.e., exactly those incidents that may not even be eligible for a determination of "no harm" under SHIELD, since the exception applies only when the disclosure is entirely "inadvertent," which malice rules out. As Clarke and Knake recently observed, the kill chain turns the advantage from the attacker to the defender because each of the many steps the attacker must take becomes a point at which the defender can disrupt the attack. Disrupting a necessary step in the chain prevents harm, and a documented disruption is also evidence that misuse was not likely. Productive conversations with the New York Attorney General's Office to follow.

Punctuated Equilibria or Stasis?

New York went with a relatively conservative security/privacy law rather than a bleeding-edge one, providing more evidence, as Poor Richard has been saying in his other posts, that the talk of comprehensive privacy laws sweeping the states and the federal government is mostly hype. But Poor Richard is not betting on continued stasis or gradual evolution of the breach notification/reasonable security regime that has been with us since 2004; he is still betting on punctuated equilibria. Stay tuned.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Kilpatrick | Attorney Advertising
