The New York legislature has so far been unsuccessful in passing the NYPA, the New York Privacy Act. Presently, there is no overarching state mandate governing privacy; however, the NYPA may be passed in the not-too-distant future. In the meantime, the SHIELD Act (“Stop Hacks and Improve Electronic Data Security Act”) was recently signed into law by Governor Andrew Cuomo. The SHIELD Act, which went into effect on March 21, 2020, revamped New York’s data breach notification law and imposed updated preventative data security obligations.
Is My Business Covered by the SHIELD Act?
The SHIELD Act pertains to any person or business that owns, licenses or acts as a custodian of electronic records that include the private information of New York residents. The legislation covers anyone who possesses data concerning New York residents regardless of the holder’s geographic location—conducting business in New York is not required to be bound by the new mandate. Such extra-territorial application is not foreign to New York businesses when it comes to data protection: the recent California Consumer Privacy Act and the European General Data Protection Regulation apply in a similar way.
What Exactly is Private Information?
As set out in the New York General Business Law (GBL) §899-aa and New York State Technology Law (STT) §208, private information is defined as personal information in combination with a data element, when either the data element or the combination of personal information and the data element is not encrypted, or, if encrypted, the encryption key was also accessed or acquired by the unauthorized person. The definition of personal information is broadly constructed: it covers “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.” When it comes to data elements, there are numerous qualifying identifiers, including:
- Social Security Number
- Driver’s License Number
- Financial Account Information
- Biometric Data (Retina Imagery, Fingerprints, etc.)
Usernames and email addresses are also considered private information when combined with a password or security question and answer that would enable a hacker to access privileged data. Information that is lawfully made publicly available through federal, state or municipal government records is excluded from the definition.
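As an added illustration (not from the article or the statute), the definition above can be encoded as a classification rule for a data inventory, including the encryption caveat and the credential-pair case; the `Record` fields and the `DATA_ELEMENTS` set are assumptions of this example:

```python
from dataclasses import dataclass, field

# Constructed labels for the data elements the article lists; an inventory
# tool would map its own column tags onto these (assumed names).
DATA_ELEMENTS = {"ssn", "drivers_license", "financial_account", "biometric"}


@dataclass
class Record:
    """One stored record as seen by a data-inventory scan (hypothetical schema)."""
    has_personal_identifier: bool = False   # name, number, personal mark, other identifier
    data_elements: set = field(default_factory=set)  # tags from DATA_ELEMENTS
    encrypted: bool = False                 # data element / combination encrypted
    key_compromised: bool = False           # encryption key also accessed or acquired
    username_or_email: bool = False
    password_or_security_qa: bool = False   # password or security question and answer
    publicly_available: bool = False        # lawfully available in government records


def is_private_information(rec: Record) -> bool:
    """Return True if the record meets the article's 'private information' test."""
    if rec.publicly_available:
        return False
    # Encryption only removes a record from scope if the key stayed protected;
    # a breach that also exposed the key puts the record back in scope.
    effectively_encrypted = rec.encrypted and not rec.key_compromised
    if (rec.has_personal_identifier
            and rec.data_elements & DATA_ELEMENTS
            and not effectively_encrypted):
        return True
    # Credential pair: the article states this case without an encryption
    # qualifier, so it is treated as in scope regardless of encryption.
    if rec.username_or_email and rec.password_or_security_qa:
        return True
    return False


def flag_private_records(records: list) -> list:
    """Indices of records an inventory review would flag as private information."""
    return [i for i, rec in enumerate(records) if is_private_information(rec)]
```

The `key_compromised` flag is the practical takeaway: encrypting stored data only keeps it out of scope if key management is separate enough that the same intrusion cannot reach the key.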
When is Notification Required?
The SHIELD Act applies in instances of unauthorized access to, or wrongful acquisition of, any electronic records containing the private information of New Yorkers that “compromises the security, confidentiality, or integrity of private information maintained by a business.” Although there is no standardized risk assessment protocol for determining whether private information was accessed or “reasonably believed to have been accessed by an unauthorized person,” a small business may consider whether any of the following circumstances apply when deciding whether to provide notification:
- If a computer or other device storing such information was stolen
- If records were downloaded or copied
- If there is evidence of identity theft or fraudulent accounts
Additionally, the notification obligation exists even if the private information was only viewed and not physically obtained by an unauthorized entity. If any of these conditions exist, New York small businesses and any other individual or corporation falling under the purview of the SHIELD Act must disclose the incident “in the most expedient time possible and without unreasonable delay” via the standardized notification form provided on the New York Office of Information Technology Services website.
It is not necessary to provide duplicate notification if the private information wrongfully obtained was also covered by the Gramm-Leach-Bliley Act, New York’s regulations for financial service companies, HIPAA, HITECH or any other federal or state agency data security statutes, rules or regulations. Note, however, that in these duplication instances notice of the breach must still be forwarded to the State Attorney General, Department of State, State Police and consumer reporting agencies. In standard breach situations, the business has to provide notification to the Attorney General, the State Police and the Division of Consumer Protection.
If your business is merely a custodian of private information—meaning you are not the actual owner—then there is no public or regulatory agency notification requirement; however, the owner or licensee of the data must be immediately notified upon the discovery or suspicion of a hack. If a covered entity inadvertently discloses private information covered by the SHIELD Act, it does not have to provide notification if the entity reasonably believes that the data will not likely be misused to inflict emotional or financial harm on the New York residents to whom the data belongs. If a business makes such a determination, it must document it and maintain records pertaining to the incident for five years. If the inadvertent disclosure affects over 500 New York residents, the entity has ten days to provide the New York Attorney General with evidence of its determination not to issue notification.
How Do I Provide Notification?
If the affected individuals have consented to electronic notification, the form may be sent via email. Alternatively, businesses may distribute notification by regular mail. In either instance, the business must maintain records of all communications sent. If the breach was significant—affecting over 500,000 individuals, or if it would cost the entity over $250,000 to provide notice—or if there is not adequate contact information, the entity may request that the Attorney General consent to an alternative notification method, such as posting an announcement on the entity’s webpage or through a media outlet.
Prevention is Key
When it comes to data security, implementing a proactive security program to prevent any potential instances of unauthorized access is an essential component of any small business’s long-term planning. Per the statutory language, a small business is defined as one that has under 50 employees, grosses less than $3 million annually for the last three years or has under $5 million in assets. These entities are considered compliant when it comes to data security protocol if their program “contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about customers.” Small businesses that are also regulated by, and have demonstrated their compliance with, GLB, HIPAA/HITECH, New York’s regulations for financial service corporations or any other federal or New York agency data security laws are deemed compliant with the SHIELD Act provisions. Here are some pointers when it comes to developing a data security plan for your business:
- Task one or more employees with coordinating the security protocol
- Identify reasonably foreseeable internal and external vulnerabilities
- Adjust the security measures as your business expands
- Routinely update and test technical safeguards and network/software security
- Develop reliable disposal protocol for private information so that it is not retained beyond a reasonable time after it is no longer required for business purposes