How NY SHIELD Will Affect Your Data Breach Notices
New York's Stop Hacks and Improve Electronic Data Security (NY SHIELD) Act mandates that businesses must inform their users if there's a data breach. You need to issue what's called a Data Breach Notice, and there's a particular format you need to follow.
But before we get into Data Breach Notices in any detail, we need to be clear what kind of information is actually covered by the rules. It's not just any data, but what's known as personal data, or private information. Let's be clear about what that means.
- 1. What is Personal Data?
- 2. What is NY SHIELD?
- 3. Goals of the NY SHIELD Act
- 4. Who the Act Applies to
- 5. What is a Data Breach?
- 5.1. The Good Faith Exception
- 6. The NY SHIELD and Data Breaches
- 7. How to Comply with NY SHIELD
- 7.1. The Data Breach Notice
- 7.2. Who Else to Notify
- 8. What Happens if I Don't Comply?
- 9. Conclusion
What is Personal Data?
Personal data is straightforward. It's just any information, whether it's a name, home address or biodata that can be used to identify a specific person.
Under the SHIELD Act, private information is defined as:
"Any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person"
Personal information is also protected under the SHIELD Act. When private information is hacked, it can be used to identify someone. It's defined as:
"Either: (i) personal information consisting of any information in combination with any one or more of the following data elements, when either the data element or the combination of personal information plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired:"
So, if someone hacks a customer's account details, it's a data breach. For our purposes, the distinction between private and personal data isn't all that important. What matters is how you handle a data breach if it arises, and how you issue Data Breach Notices.
Is it really likely that you'll face a data breach, though? Absolutely. Why? Because the reality is that no data is 100% safe. Data breaches do happen, and you need to be ready for them.
Most importantly, you need to know when and how you'll communicate breaches to affected persons. But before we get into that, let's be clear on what NY SHIELD is, whether it affects you, and why the Act matters.
What is NY SHIELD?
NY SHIELD is a data privacy law. It's designed to keep New York residents safe when they shop online or create accounts.
Essentially, the SHIELD Act is one of the world's most significant privacy laws, and not just because it protects such a large number of people. It's important because it places fairly heavy requirements on many businesses.
In short? From the second someone lands on your website until the moment you delete their data, it's on you to protect their private information. And it's not enough just to install some antivirus or antimalware programs on your computers, either. You need what's known as a "Data Security Program."
Put simply, a Data Security Program is your cybersecurity strategy. It's the procedures you put in place to keep customer data safe at all times. Don't worry, though. No one expects a smaller business to have the same Data Security Program as a global retailer. It's all relative, and the SHIELD Act allows for this.
Although Data Security Programs matter, they're not the focus of this article. We're more concerned with data breaches themselves. For now, just know that you can find out more about Data Security Programs in NY SHIELD section 6:
So we know what the SHIELD Act does. But what's the point of it? Why are data breaches such a big issue? Let's take a look.
Goals of the NY SHIELD Act
Every Act has specific goals. The Shield Act is no exception.
Here's a brief summary of the Act's most important aims beyond simple data protection.
- It promotes better cybersecurity practices within businesses, and there's a greater degree of clarity around what happens to someone's data when they share it online.
- The Act is all about proactive data protection. So, passive risk mitigation isn't enough. It's on every company to actively protect data from unauthorized access.
- Since customers feel like their data is safe, the SHIELD Act increases customer confidence. If you comply with the SHIELD Act, you'll build a better reputation with your client base.
Basically, NY SHIELD brings New York data protection law in line with other major privacy laws around the world, like the EU's General Data Protection Regulation (GDPR).
Who the Act Applies to
The NY SHIELD Act protects New York residents, but does it apply to every business? Or does it just apply to businesses based in New York? The answer's simple.
NY SHIELD applies to your business if you own, store, or license private data belonging to a New York resident.
- It doesn't matter if your business is located in New York, Australia, or Spain. All that matters is you're handling New York residents' data.
- The Act doesn't apply to information that's publicly available, e.g. census data. Why? Because this data is in free circulation already.
You can find the exemption clause about publicly available information in section 7:
"'Private information' does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records."
Unless you only ever handle publicly available data, like the government records mentioned above, it's best to comply with the Act. Even if you're not already handling New York data, you might in the future, so it's best to build a compliance strategy now.
We've talked a lot about the SHIELD Act and who it applies to. Now, let's focus on your most important obligation under the Act: reporting data breaches, and how to comply.
What is a Data Breach?
"Data breach" is a pretty broad term. What does it mean? We can find a definition in section 2 of the SHIELD Act:
"'Breach of the security of the system' shall mean unauthorized access to or acquisition of, or access to or acquisition without valid authorization, of computerized data that compromises the security, confidentiality, or integrity of private information maintained by a business. Good faith access to, or acquisition of, private information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure."
Essentially, it's a data breach when:
- Someone accesses private information without proper authorization
- This unauthorized access compromises the security of the affected data
Examples of a data breach include:
- Criminals hacking your system
- An employee falling for a phishing scam and hackers capturing data
- Leaving hard copies of sensitive data lying around somewhere that unauthorized people can see it
The Good Faith Exception
It's disproportionate, and expensive, to expect companies to report every single potential data breach. This is especially the case for small businesses. So, the SHIELD Act contains a special exemption clause.
Basically, if an employee accidentally views information they shouldn't see, but they don't share it or use it, there's no data breach. This is known as the "good faith" exception.
To fall under the exception, you must show there's been:
- An honest mistake (the "good faith" idea),
- Undertaken in the course of the employee's normal business,
- That doesn't result in someone's private data being shared anywhere else
Examples make this clearer. Say an employee accidentally emails the wrong colleague. The email contains sensitive information about a client. The email recipient deletes the email right away and tells the sender. No harm is done.
Or maybe an employee accidentally accesses a database they shouldn't have access to. They see sensitive information but they don't do anything with it. Again, there's no harm done.
You don't need to report data breaches like these to customers because their personal privacy remains unaffected. However, you still need to keep a written record of the incident and store it for five years.
You also need to tell the State Attorney General within 10 days if an accidental data breach affects more than 500 people, even though it falls under the exception. They'll decide if any further investigation is necessary.
Basically, unless the breach falls under the exception, you must report it. So, how does data breach reporting work?
The NY SHIELD and Data Breaches
To comply with the SHIELD Act, you must do two things:
- Roll out a data security program with appropriate safeguards
- Notify users when it's likely that an unauthorized person accessed their data
We touched on safeguards earlier, but why do they matter in the context of data breach reporting? Well, because if you don't have the right measures in place to protect data, you could be subject to stricter penalties.
In other words, even if you get your data breach notices right, without those safeguards you'll still fall short of your obligations under the SHIELD Act, and you may be penalized for it.
So before you start collecting personal data, make sure you have these safeguards in place.
The safeguards you implement depend on the size and complexity of your business, but at minimum you need three types of safeguards:
- Administrative: Risk assessment, cybersecurity policies, staff training
- Technical: Firewalls, network security, deep scans
- Physical: Secure cloud storage, locked rooms, intrusion detection
Smaller businesses typically need fewer safeguards than, say, healthcare companies or banks. That being said, if you're a small accountancy firm, you handle very sensitive data, and you'll need stronger safeguards than a larger company handling less sensitive information.
So say there has been a data breach. You've done everything you can, rolled out the best safeguards you can afford, but the worst happens anyway. How do you report the incident, and how much time do you have?
Here's a rundown.
How to Comply with NY SHIELD
NY SHIELD reporting requirements are all about expediency. You should contact people as soon as possible after discovering the potential breach. Why? Because the quicker you contact people, the easier it is for them to protect themselves, e.g. by cancelling affected credit cards.
Of course, you might need to wait to report an incident if there's a legal investigation ongoing, and the law allows for that. But if there's a delay in contacting your customers and there's no good reason for it, it's your responsibility to justify it:
So if you have any reason to believe there's been a data breach, and it puts someone's privacy at risk, you must report it immediately.
But what do you do? Is it okay just to email a customer and tell them there's a data breach? No. Data Breach Notices must follow a specific format.
The Data Breach Notice
According to section 4, subsection 5 of the SHIELD Act, you can give notice:
- Through email
- In writing
- By telephone
Written notice is always acceptable. But if you notify someone by telephone, you need to keep a clear log of communications.
You can't email someone unless they've consented to receive notification by electronic means. Otherwise, there's a risk they won't get the message. And again, you need to keep a record of Data Breach Notices sent by email.
If you can prove it would cost more than $250,000 to send the notice, or over 500,000 people are affected, you can send a Substitute Notice instead. This means sending an email, posting a notice on your website, and sending out a national broadcast.
What the Notice Should Contain
It's not a valid Data Breach Notice unless it includes a few specific details:
- Your business contact information
- At least one telephone number or email address for an official agency that helps with identity theft
- A description of the information put at risk, e.g. whether it's personal or private, and how sensitive it is
Here's an example of a Data Breach Notice from Magellan Health.
First, the company sets out what actually happened. The company suffered a ransomware attack. The information affected includes personal names and, potentially, health data and Social Security Numbers:
The notice also gives contact information for companies people can contact for advice on identity theft:
It's not essential, but Magellan Health helpfully included some information on what it's doing to combat the data breach. This is a good idea because it shows that you take data protection seriously, and you're keen to ensure it doesn't happen again:
Finally, the company also leaves its own contact information for customers to reach out to:
There's no need for a long notice. All you need is to include the key details.
Who Else to Notify
Aside from telling affected people, you must also notify the following in the state of New York:
- State Police
- Attorney General
- Department of State
- Consumer Reporting Agencies, if more than 5,000 people are affected
- Secretary of Health and Human Services, if you hold healthcare data
Tell them when you sent the Data Breach Notice and what you said. They also need to know what happened and how many people the breach affects. Send them a copy of your Data Breach Notice as part of the report.
What Happens if I Don't Comply?
If there's one point you take from this article, it's this: Don't underestimate the cost of non-compliance to your business.
Here's what could happen if you don't comply with the SHIELD Act and there's a data breach affecting your customers:
- The Attorney General can impose a fine of between $10 and $20 for each notification you failed to send
- You might have to pay for the real losses someone suffers because of your negligence
- For serious, deliberate breaches or repeat offenders, there's a maximum penalty of $250,000
So although individuals can't sue you for losing their data, the Attorney General can.
Conclusion
If you're responsible for personal or private data belonging to New York residents, you must issue a Data Breach Notice if there's a data leak.
The Data Breach Notice must contain:
- Details of what happened and what information is affected
- Your contact details
- Information about identity theft
You need to send the Notice without unreasonable delay. You can only send an email if customers are happy with this. If over 500,000 people are affected, you need to tell the Consumer Protection Agencies, too.
If you don't comply with your obligations, you can be fined up to $250,000.