Know the facts around the new notification-requirement law to protect your business, and yourself as a business owner
Data breaches continue to impact organizations and individuals alike, and now New York legislators are doing something about it.
To better protect businesses and consumers, Governor Cuomo signed the so-called SHIELD Act into law. The act introduces new requirements for issuing notifications to individuals whose electronic protected information was exposed in a security breach. The hope is that early data-breach notification will result in fewer losses. These new regulations will impact every business holding NY residents’ private information.
What information is protected?
Unlike other state data breach notification laws, New York’s data breach notification law includes definitions for both personal information and private information.
The definition of PII might require a case-by-case assessment, but personal information generally refers to any information that can be used to trace a specific person’s identity, either by itself or in combination with other information.
The Act defines private information as personal information in combination with any of the following:
- Social security number,
- Driver’s license number or non-driver identification card number,
- Account numbers, credit or debit card number in combination with security codes, access codes or passwords that allow access to the person’s account,
- Biometric information, and
- Username or email address in combination with a password or security question and answer that would permit access to an online account.
Any unauthorized access, acquisition, use or disclosure of unsecured private information that compromises the security or privacy of that information is considered a breach.
Does the SHIELD Act apply to me?
The law, which goes into effect in March 2020, applies to any entity that handles digital private information of New York residents, regardless of whether that entity does business in New York State. Any organization holding digital data of NYS residents will be required by law to develop, implement and maintain reasonable safeguards to ensure confidentiality of that information.
What does this mean for my business?
The phrase “reasonable safeguards” is rather vague, but the act does list examples of what it considers best practices. Depending on the size and complexity of your business, the nature and scope of your business activities, and the sensitivity of the personal information you collect, you need to consider the following guidelines:
- designate a person, or persons, to coordinate your security program,
- provide ongoing employee security training,
- regularly test and monitor the effectiveness of data controls, systems, and procedures,
- assess risks in your network and software design, and in the way you process, transmit and store information,
- create an incident response plan that includes policies and procedures regarding detection and prevention of attacks, and guidelines on how to best respond to attacks, intrusions and system failures,
- make it a best practice to promptly dispose of private information that is no longer needed, and
- only work with vendors that are not only capable of maintaining appropriate safeguards, but who also have this promise as part of their contract with you.
What are the consequences of a breach?
If it has been determined that a breach could cause significant risk of financial, reputational or other harm, then all affected individuals need to be notified “in the most expedient time possible and without unreasonable delay”. In some cases, notices will also need to be sent to the NYS attorney general, NYS DOS, the local police department and consumer reporting agencies.
The attorney general may enforce consequences of a data breach affecting an NYS resident. For breaches that are not reckless or knowing, the courts may award damages for the costs of actual losses incurred, including consequential financial losses. For knowing and reckless violations, the court may impose penalties of up to $250,000.
Wrapping Things Up
The SHIELD Act has far-reaching effects. Any business that holds a NY resident’s private information, regardless of whether that organization does business in New York, is required to comply. Although the cost of a violation might not seem all that significant to some businesses, it could put smaller firms out of business.
Right now the guidelines of the Act might seem vague and easy to dismiss, but I am sure this will change over time. We saw this when the NYDFS Cyber Security Regulations first came out, but over the past two years, the guidelines have become more and more specific. At this point, financial institutions and organizations covered by HIPAA and the Gramm-Leach-Bliley Act are already being held accountable for their security policies, and it is only a matter of time until every business everywhere will have to adhere to these or similar guidelines. The SHIELD Act is a step in the right direction to keep your company, your data and your customers protected from harm.
The protection of personal information should not be optional. The identity saved could be your own.