Know the facts around the new data protection and notification-requirement law and protect your business.
Data breaches continue to impact organizations and individuals alike, and now New York legislators are doing something about it.
To better protect businesses and consumers Governor Cuomo signed the so-called SHIELD Act into law. The act not only introduces new requirements with regard to administrative, technical, and physical safeguards but also addresses new data breach notification requirements and the possible consequences of failed notification.
Which businesses have to comply with the Shield Act?
The law, which goes into effect in March 2020, applies to any entity that handles the computerized data which includes private information of New York residents, regardless of whether that entity does business in New York State. Any organization holding such private information will be required by law to develop, implement and maintain reasonable safeguards to ensure its confidentiality.
What is considered private information under the Shield Act?
Unlike other state data breach notification laws, the NY Shield Act includes definitions for both personal information and private information.
The definition of PII might require a case-by-case assessment, but personal information generally refers to any information that can be used to trace a person’s identity. Personal information defined as “any information concerning a natural person which, because of name, number, personal mark, or other identifier can be used to identify such natural person.”
The SHIELD Act expands the definition of personal information and dictates that “private information” includes:
(i) Personal information consisting of any information in combination with any one or more of the following data elements, when either the data element or the combination of personal information plus the data element is not encrypted or is encrypted with an encryption key that has also been accessed or acquired:
- social security number;
- driver’s license number or non-driver identification card number;
- account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account;
- account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password; or
- biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity; OR
(ii) a username or e-mail address in combination with a password or security question and answer that would permit access to an online account.
Any unauthorized access, acquisition, use, or disclosure of unsecured private information which compromised the security or privacy of that information is considered a data breach.
When is data considered “unsecured” and what are reasonable and appropriate safeguards for my business?
The phrase “reasonable safeguards” is rather vague, but the act lists examples of what it considers best practices:
- designate a person, or persons, to coordinate your data security program,
- provide ongoing employee cyber security training,
- regularly test and monitor the effectiveness of data controls, systems, and procedures,
- assess risks in your network and software design, and in the way, you process, transmit and store information,
- create an incident response plan that includes policies and procedures regarding detection and prevention of cyberattacks, and guidelines on how to best respond to attacks, intrusions, and system failures,
- make it a best practice to promptly dispose of private information that is no longer needed, and
- only work with vendors that are not only capable of maintaining appropriate safeguards, but who also have this promise as part of their contract with you.
These examples suggest the kinds of safeguards businesses should be adopting, but they are not the only administrative, technical, and physical safeguards companies should be adopting. Performing a risk analysis will determine which data security requirements are appropriate for your organization. Things to keep in mind are the size and complexity of your business, the nature and scope of your business activities, and the sensitivity of the personal information you collect.
What qualifies as a security breach under the new law?
The previous New York data protection law interpreted a data breach as: “unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business.”
The SHIELD Act revises how the New York State data breach law interprets a security breach, broadening the term to include any access of private information. In other words, under the SHIELD Act, the simple act of viewing private information by an unauthorized individual may qualify as a “breach of the security of the system” and require a company to provide notice of such data breach.
Factors indicating if access could be considered a security breach include whether or not “the information was viewed, communicated with, used, or altered without valid authorization or by an unauthorized person.”
What are the consequences of a data breach?
Although the SHIELD Act does not authorize a private right of action, the Attorney General may pursue civil penalties.
If it has been determined that a data breach could cause significant risk of financial, reputational, or other harm then all affected individuals need to be notified “in the most expedient time possible and without unreasonable delay” (data breach notification requirement). In some cases, notices will also need to be sent to the New York attorney general, NYS DOS, local police department, and consumer reporting agencies.
For breaches that are not reckless or knowing the courts may award damages for costs of actual losses incurred by a person entitled to notice, including consequential financial losses. For knowing and reckless violations, a court may impose penalties of the greater of $5,000 or up to $20 per instance with a cap of $250,000. For reasonable safeguard requirement violations, a court may impose penalties of not more than $5,000 per violation.
What are the requirements of proper data breach notification?
A data breach notice to affected individuals must not only contain the contact information for the person or business making the notification, but it must also include the telephone numbers and websites of the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention and protection information.
In the event that more than five thousand New York residents are to be notified at one time, the person or business must also notify consumer reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected individuals. Such notice must be made without delaying notice to affected New York residents.
Are there exceptions to the breach notification requirements?
Yes, there are “Good Faith” exceptions to the breach notification requirements.
It’s disproportionate, and expensive, to expect companies to report every single potential data breach. This is especially the case for small businesses. So, the SHIELD Act contains a special exemption clause.
Basically, if an employee accidentally views information they shouldn’t see, but they don’t share it or use it, there’s no data breach. It’s known as the “good faith” exception.
To fall under the exception, you must show there’s been:
- An honest mistake (the “good faith” idea),
- Undertaken in the course of the employee’s normal business,
- That hasn’t resulted in someone’s private data being shared anywhere else
Examples make this clearer. Say an employee accidentally emails the wrong colleague. The email contains sensitive information about a client. The email recipient deletes the email right away and tells the sender. No harm is done.
You don’t need to report data breaches like these to customers because their personal privacy remains unaffected. However, you do need to keep a write up an incident report and store it for five years.
You also need to tell the State Attorney General within 10 days if there’s an accidental data breach and it affects more than 500 people, even if it’s an accident. They will decide if any further investigations are necessary.
Basically, unless the breach falls under the exception category, you must report it.
Wrapping Things Up
The SHIELD Act has far-reaching effects. Any business that holds a NY resident’s private information – regardless of whether that organization does business in New York – is required to comply. Although the cost of a violation might not seem all that significant to some businesses, it could put smaller firms out of business.
If you have questions, would like more information, or need help improving the information security side of your organization, reach out to us directly at (845) 237-2117. We have helped Hudson Valley businesses implement a cyber security program that is appropriate for their individual organization.
