What Hudson Valley Business Owners Need To Know

As more and more of us face the daunting task of dealing with a data breach, we should all become intimately familiar with the new SHIELD Act notification requirements.

The SHIELD Act (Stop Hacks and Improve Electronic Data Security Act) was signed into law to protect the private digital information of New York State residents. It not only defines safeguards that every business holding such data is required to put in place to protect its confidentiality and integrity, but it also sets out notification requirements for when that private data is breached.

What are the new notification rules?

First, we have to define what constitutes a data breach under the new act.

Any time unprotected (that is, unencrypted) private information is accessed or acquired by a person without valid authorization, it is considered breached. This is a very low threshold: it covers merely viewing the data, as well as using or altering it, without valid authorization, not just copying it out of your systems. As a result, a much wider range of incidents than before is likely to trigger notice obligations.

Do all data breaches have to be reported?

A breach must be reported, and the affected individuals notified in a timely manner, if it has been established that the exposure of the data “will likely result in misuse of the information, or result in financial harm to the affected persons or cause emotional harm (in the case of unknown disclosure of online credentials)”.

In other words, not all data breaches require notification. If, for example, you as the owner of your business (a person authorized to access the data) accidentally send the PII of a New York State resident to the wrong email address (an inadvertent disclosure to an unauthorized recipient), and you reasonably determine that this will not result in misuse of the information or in financial or emotional harm to the person whose private information was disclosed, no notification is necessary.

However, that determination must be documented in writing, and the record kept on file for a minimum of five years. If the incident affected more than 500 New York residents, the written determination must also be provided to the Attorney General within ten days of making it.

How do you know when a breach requires notification?

As soon as you become aware of a potential breach, find out what happened and why. Conducting a risk assessment, no matter how small or insignificant the incident might seem, is the first step in remediation and protection, and it will (hopefully) help prevent the same thing from happening again.

You should assess:

  1. Whether PII was indeed accessed,
  2. The nature and the extent of the PII involved (breached Social Security numbers or passwords are far more likely to cause financial and/or emotional harm than exposure of a first or last name alone),
  3. The identity of the unauthorized person(s) who accessed the PII and/or to whom the disclosure was made, and
  4. The extent to which the breach has the potential to harm (see #2).

Who should be notified, how and when?

Should it be determined that the incident was caused by an unauthorized person(s) and is likely to result in harm, the SHIELD Act requires you to notify:

  • the affected individuals,
  • the state regulators: the Attorney General, the Department of State, and the Division of State Police, and
  • if the breach affected more than 5,000 New York State residents, the consumer reporting agencies as well.

Statewide media come into play only as a channel for substitute notice to individuals (see the notification methods below), not as a separate party that must be notified.

The breached organization must disclose the cyber incident “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach and restore the integrity of the system”.

What exactly does that mean?

I wish I could give you a number of days that is guaranteed to count as “reasonable”, but the Act does not set one. What it does expect is that every entity holding or leasing digital information on New York State residents has written policies and procedures in place for breach notification.

Having processes and procedures in place that describe how you will handle a breach, lay out the timeline for the risk assessment and list the elements needed to notify each required party will not only shorten but also simplify the process. Believe me, dealing with a data breach is stressful, and you will be glad you invested the time before the incident happened.

As for how all parties need to be notified….

Affected individuals can be notified by written notice, by electronic notice (only where the individual has expressly consented to receive notices electronically, and never by email when the breached information includes that email address together with a password or security question), or by telephone. Substitute notice, consisting of email where you have the address, a conspicuous posting on your website, and notification to major statewide media, is permitted only when you can demonstrate to the Attorney General that direct notice would cost more than $250,000, that more than 500,000 people are affected, or that you lack sufficient contact information to reach them.

The notifications need to include the following:

  • Your contact information,
  • Phone numbers and websites of the relevant state and federal agencies that provide information regarding security breach and response and identity theft prevention and detection services, and
  • A description of the types of information involved in the breach.

How to avoid the risk and the hassle?

By implementing the SHIELD Act’s “reasonable safeguards” you will greatly reduce the risk to your business. Security experts agree that it is no longer a question of IF an organization will be breached but of WHEN.

Deciding which safeguards to implement requires time and consideration. The Act’s requirements are not very specific, but they do stress that the administrative, technical and physical security measures you employ should be in line with the size and nature of your business and the type of PII you collect.

One reliable way to keep a breach from becoming reportable is to render stored digital PII unreadable and unusable to third parties through encryption. Encryption will not prevent a breach from happening, but encrypted data is not treated as “private information” under the Act unless the encryption key was also accessed or acquired, so it substantially lowers the risk of having to face the new notification obligations. That makes keeping the encryption keys separate from, and better protected than, the data itself just as important as encrypting the data in the first place.
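The paragraph above makes encryption the one safeguard that can keep an incident from becoming reportable, so it is worth seeing what “unreadable and unusable” looks like in practice. The following Go program is an added example and not code from the original article or from any product it mentions: it encrypts a single sensitive field (a constructed, fictitious Social Security number) with AES-256-GCM, binds the ciphertext to its record ID, and shows that the stored value neither contains the plaintext nor decrypts without the right key or for a different record. The key is generated in memory only so the example runs stand-alone (an assumption); in a real deployment it belongs in a separate key store, because the Act’s encryption exception is lost when the key is compromised along with the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// NewDataKey generates a 256-bit AES key. In production this key belongs in a
// KMS, HSM or at least a separate secrets store, never in the same database
// (or backup) as the records it protects. Generating it in memory here is an
// assumption made only so the example runs stand-alone.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one sensitive field (e.g. an SSN) with AES-256-GCM.
// The record ID is bound as associated data so a ciphertext copied from one
// row cannot be decrypted as another row's value. The output is
// base64(nonce || ciphertext || tag), suitable for a text column.
func Seal(key []byte, recordID, plaintext string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	out := aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(out), nil
}

// Open reverses Seal. It fails, rather than returning garbage, if the key is
// wrong, the ciphertext was moved to a different record, or any byte was altered.
func Open(key []byte, recordID, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	if len(raw) < aead.NonceSize() {
		return "", errors.New("stored value too short to contain a nonce")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, wrong record, or tampered data")
	}
	return string(pt), nil
}

// LeaksPlaintext reports whether the stored value still exposes the secret in
// either its encoded or decoded form. A field that passes this check but whose
// key sits next to it is still not protected: the Act's encryption exception
// does not apply when the key was acquired too.
func LeaksPlaintext(stored, secret string) bool {
	if bytes.Contains([]byte(stored), []byte(secret)) {
		return true
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	return err == nil && bytes.Contains(raw, []byte(secret))
}

func main() {
	// Constructed sample record; not real data.
	const recordID, ssn = "cust-0001", "123-45-6789"

	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	stored, err := Seal(key, recordID, ssn)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored SSN column: %s\nleaks plaintext: %v\n", stored, LeaksPlaintext(stored, ssn))

	// Legitimate read with the right key and the matching record ID.
	back, err := Open(key, recordID, stored)
	fmt.Printf("authorized read: %q err=%v\n", back, err)

	// An attacker with only a database dump has the ciphertext but not the key.
	otherKey, _ := NewDataKey()
	_, err = Open(otherKey, recordID, stored)
	fmt.Printf("read without the key: err=%v\n", err)
}
```

Two design choices matter for the safe harbor: authenticated encryption (GCM) means a stolen or tampered ciphertext fails loudly instead of decrypting to plausible garbage, and binding the record ID as associated data stops an insider from swapping one customer's encrypted SSN into another row. Neither helps if the key is backed up alongside the table, so keep it in a separate system with its own access logging.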

Those who neglect the notification and safeguard obligations could face hefty fines, lawsuits and reputational damage. Familiarize yourself with the new law; it could keep your business from going out of business.

For more information on the SHIELD Act:

The SHIELD Act; What You Need To Know.

Is Your Company Ready for the SHIELD Act?

New York Identity Theft Prevention and Mitigation Services Act – What To Do After a Data Breach