For Marvel Entertainment fans, this one’s for you: Step aside, Nick Fury, New York has a new SHIELD. New York state recently passed a new law extending protections against cyber-attacks for its residents with NY Senate Bill S5575B, also known as the “Stop Hacks and Improve Electronic Data Security Act,” or SHIELD Act for short. This Act expands New York’s data breach notification statute in its definitions, notice, scope, and compliance requirements for any individual or business handling New York residents’ computerized private information.
The SHIELD Act first redefines “private information” to include a username or e-mail address in combination with a password or security question and answer for online accounts, as well as biometric information. It also allows for reporting a breach if an account or credit card number alone (i.e., without an account access code or password) is compromised “if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password.” In a slightly more nuanced change, it expands the definition of “breach of security of the system” to include unauthorized access to private information as well as unauthorized acquisition. The addition of “access” means the statute will be triggered without an incident having to reach “acquisition,” a term more readily applicable in scenarios impacting control, possession and use of that private information.