In 2019, the New York Legislature strengthened its commitment to keeping New Yorkers’ personal information safe and secure. That year, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act became law. This new consumer privacy law was put in place to protect New Yorkers’ private data and strengthen the state’s data breach notification policies, bringing them in line with states like Massachusetts and California.
New York’s expansive and protective legislation came shortly after the announcement of a $650 million settlement between Equifax credit reporting agency and several U.S. states and federal agencies. The settlement was the result of a data breach that compromised the personal information of nearly 150 million Americans.
To Whom Does the SHIELD Law Apply?
The SHIELD law applies to individuals, businesses, and any other types of entities that own, license or maintain personal information in the State of New York or for New York Residents. Nearly every New York business that maintains an email list or keeps more than one piece of client information in a customer database may find themselves subject to the SHIELD law if they are hacked.
Certain entities may be exempted from certain provisions of the law (or may be exempt entirely).
What Kind of Information Must Be Exposed to Constitute a Breach?
If your systems are hacked and some combination of personal and private customer information is exposed, you may need to notify both the individuals and businesses whose data was exposed as well as law enforcement. The kinds of data at issue includes any information that can be used to identify a person (like their name, username, or email address), in combination with one or more of the following kinds of unencrypted data:
- Social Security number, driver’s license number, or non-driver ID number;
- Account number, credit or debit card number, or any passcode or personal identification number; or
- Identifying biometric information.
While not explicitly included in the list of information, information that could reasonably provide an answer to a password or security question like, “Name of first pet” could also, in some circumstances, be considered personal or private information. Be sure you understand what information your customers are asking you to provide. You should also know exactly why you are keeping all the data you have about your customers and how securely you are maintaining it.
Remember, this law applies only to unencrypted data. If your data was encrypted and was accessed without you or anyone on your staff providing or leaking an encryption key, you may fall within the law’s safe harbor provisions. Be sure to speak with counsel if you have questions about the exceptions and complexities associated with encryption and safe harbors.
What Is a Risk of Harm Analysis and Does It Apply to Me?
If you think that a breach was an inadvertent disclosure and the people who accessed the information were authorized to view it, then you may want to conduct a risk of harm analysis instead of immediately moving to notify law enforcement and affected individuals of the breach. If, after a review, you are reasonably able to determine the breach will not likely result in misuse of the information, or financial or emotional harm to the affected individuals, then you should document the results of your investigation in writing.
Your determination must be documented in writing and maintained for at least five years. However, if the breach affected more than 500 individuals, then you must also provide the written results of your investigation to the New York State Attorney General within ten days after making your determination.
Are There Other Data Breach Protections Companies Must Comply With?
If your business is itself a credit reporting agency or is affiliated with a credit reporting agency, you may need to offer identity theft services to New Yorkers in the event of a data breach.
Who Do I Need to Notify and How?
If a breach occurs and you need to notify others, you will need to do so as expediently as possible. You will want to make notifications to customers and stakeholders in a way most likely to reach them. The New York State Department of State provides a helpful fact sheet and model notification to assist businesses in communicating with those who may have been affected by a company data breach. However, if you have reason to believe it will cost more than $250,000 or you will need to notify more than 500,000 people, you should notify the State Attorney General’s office, as you may qualify for alternative means of notice.