Last week, the first part of a new state law went into effect that will have consequences for local consumers and businesses. The Stop Hacks and Improve Electronic Data Security (SHIELD) Act updates New York’s laws governing notification requirements and consumer data protection obligations, and broadens the Attorney General’s oversight of data breaches impacting New Yorkers.
“The SHIELD Act is now the law of the land and provides better protections for consumers’ private information,” said Attorney General Letitia James in a press release after the bill became law this past summer. “New Yorkers deserve the peace of mind that companies will be held accountable for securing their information.”
A data breach is any unauthorized access to or acquisition of computerized data that compromises the security, confidentiality or integrity of consumers’ private information. Recent cases this year include Capital One, when hackers gained access to tens of thousands of customers’ social security numbers, bank accounts, names, addresses, credit scores and balance information; Facebook, when hundreds of millions of users’ Facebook IDs and phone numbers were stored on an unprotected server; and the food delivery company Door Dash, when hackers stole customers’ names, emails and phone numbers, as well as delivery workers’ driver’s license information.
But big companies aren’t the only targets and sources of data breaches. According to Verizon’s most recent data breach investigation report, an annual collaboration with partners such as the FBI and the Department of Homeland Security, 43 percent of the incidents in 2018 involved small businesses.
“Data breaches remain a serious threat to any business that uses technology to handle customers’ private data,” said Sen. Kevin Thomas, a Democrat from Long Island and a co-sponsor of the law. “The consequences of a data breach can be devastating for both the business and the consumer.”
While the most immediate impact of the SHIELD Act may be to hold huge companies accountable for the security of New Yorkers’ private information, the law also applies to businesses on Main Street, Elm Street and Clinton Street.
So, as a small local business, what do you need to know about the new law to ensure you’re in compliance?
Do you have customers who live in New York state?
The SHIELD Act is written specifically to protect customers who reside in New York, which means any company – no matter where its home base is – can be held accountable. But obviously, if you’re a local business, the vast majority of your customers are going to be New Yorkers.
Do you own, license or maintain computerized data that includes private information about these customers?
The SHIELD Act clearly defines what “private information” means:
• Personal information (a person’s name, for example) combined with other personal data such as a social security number, a driver’s license or other identification card number, a financial account number (along with the password or security code), or biometric information like fingerprints, voice print or retina image.
• An email address along with a password or security question that permits access to an online account.
What do you need to do in the event of a breach?
First and foremost, you need to inform your New York customers who are affected “in the most expedient time possible and without unreasonable delay.” A specific timeframe (such as “within 24 hours”) isn’t written into the law because, according to the office of the Attorney General, there are many different factors that will affect how quickly a business can communicate with customers.
When you do inform your customers of the breach, it must be in one of the following ways:
• Written notice (like a letter)
• Telephone (be sure to keep a log of all calls)
However, if contacting affected customers by letter or by phone will cost more than $250,000, or if you’ll need to contact more than 500,000 customers, or if you don’t have the right contact information (and you can demonstrate any of these circumstances to the Attorney General’s office), you may notify customers in one of these other ways:
• Email (as long as each customer’s email information hasn’t been affected by the breach)
• A conspicuous and obvious announcement on your website
• Notifying statewide media outlets
Regardless of how you notify customers, you must provide the following information:
• Contact info for you or your business.
• Telephone numbers and websites for the relevant state and federal agencies that can provide information regarding security breach response and identity theft prevention and protection information.
• A description of the information that was breached.
In addition to notifying customers, you’ll need to notify the New York Attorney General, the Department of State and the State Police about how you communicated with customers and the approximate number of customers affected. If you have more than 5,000 New York customers affected by the breach, you’ll also need to get this same information to consumer reporting agencies.
Are you already required to report a data breach to affected customers under a different law, such as the Health Insurance Portability and Accountability Act (HIPAA)?
Then there are no additional notification requirements for you under the SHIELD Act.
This is just the first part of the SHIELD Act. What’s the second part?
In March 2020, the SHIELD Act will require every business to have a data security plan that conforms to specific expectations laid out in the law. More on this in a future story.
Do you still have questions about the SHIELD Act and what it means for you?
You can read the full law (S5575B) on the New York Senate’s website.
It’s also recommended that you contact your business lawyer or trade group for more guidance.