The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) requires all covered entities to provide a Data Breach Notice to New York residents in the event of a data breach that exposes their private information.
The SHIELD Act contains specific rules about what to include in your Data Breach Notice, how you must distribute it, and who you must provide it to.
Here's a detailed look at everything the SHIELD Act requires if you suffer a data breach.
Who Has to Comply With the SHIELD Act?
The SHIELD Act applies to any person or business (including sole proprietorships, non-profits, public bodies, etc.) that "owns or licenses computerized data" that includes the private information of New York State residents.
This means that businesses of any size, based anywhere in the world, can be affected by the SHIELD Act.
There is a partial exemption for small businesses regarding the SHIELD Act's Data Security Program. However, this small business exemption does not apply in respect of the Data Breach Notice requirement.
Requirements for Service Providers
The SHIELD Act's Data Breach Notice requirements also partially apply to any person or business that "maintains" the private information of New York residents, rather than owning or licensing it.
This section of the SHIELD Act is likely to be relevant to service providers who maintain personal information on behalf of other businesses, such as cloud storage services or Customer Relationship Management (CRM) providers.
Such businesses are not required to provide notice to affected persons or notice to the authorities in the event of a data breach. Instead, they must immediately notify the business that owns or licenses the information.
Partial Exemption for Compliant Regulated Entities
Certain entities that are regulated by other cybersecurity laws, known as "Compliant Regulated Entities," have a partial exemption from the Data Breach Notice requirements of the SHIELD Act.
This partial exemption applies to companies that are already regulated by and compliant with one or more of the following regulations:
- Title V of the Gramm-Leach-Bliley Act (15 USC 6801 to 6809)
- The "Privacy Rule" of the Health Insurance Portability and Accountability Act (HIPAA) (45 CFR parts 160 and 164)
- The NYDFS Cybersecurity Regulation (23 NYCRR 500)
- Any other federal or New York State cybersecurity law
Compliant Regulated Entities do not have to provide notice to affected persons in the event of a data breach. However, they must still provide notice to the authorities and notice to Consumer Reporting Agencies.
What is Private Information?
You must provide a Data Breach Notice in the event of a breach of the "private information" of New York residents.
The SHIELD Act defines two types of private information, which we're calling "type I" and "type II" private information.
Type I Private Information
The first type of private information defined in the SHIELD Act is a data set that consists of:
- Personal information (column A)
- A data element (column B)
- That is either unencrypted or has been compromised (column C)
A. Personal information
Any information that can identify a natural person (living individual), including:
- Personal mark
- Other identifiers
B. Data element
One or more of the following:
- Social security number
- Driver's license number or non-driver ID card number
- Account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual's financial account
- Biometric information, meaning data generated by electronic measurements of an individual's unique physical characteristics, such as fingerprint, voiceprint, retina or iris image, other unique physical representation or digital representation of biometric data which is used to authenticate or ascertain the individual's identity
C. Encryption status
The data element, or the combination of both the personal information and the data element, must be:
- Not encrypted, or
- Encrypted, but with an encryption key that has been accessed or acquired
Note that if your business takes care to encrypt the data of New York residents, and you ensure that the encryption key is kept safe, you can avoid being in possession of private information and thus escape many SHIELD Act obligations.
Type II Private Information
Type II private information is "a user name or email address in combination with a password or security question and answer that would permit access to an online account" (login details).
What is a Data Breach?
The SHIELD Act calls a data breach a "breach of the security of the system." Here's the definition provided in the Act:
There are several components to this definition. A data breach occurs when:
- Computerized data is accessed or acquired,
- Without authorization or without valid authorization,
- In such a way as to compromise the security, confidentiality, or integrity of private information
Determining Whether a Data Breach Has Occurred
The SHIELD Act provides three examples of indications that a data breach may have occurred:
In other words, there may have been a data breach if one of the following sorts of activities occurs:
- An employee loses a device
- A device is stolen
- Someone copies or downloads information from a device, server, or cloud storage drive without authorization
- Someone notices fraudulent activity on their account
If you have good reason to believe that you have suffered a data breach, you must provide Data Breach Notice.
"Good Faith" Exception
There's an exception to the data breach rule: a data breach does not occur if an employee or agent of your business accesses the information:
- In good faith,
- For the purposes of your business, and
- Without disclosing the information (unless they are authorized to do so)
This might occur if an employee accidentally accesses a private area of your system without valid authorization. So long as they do not disclose any of the information they access, you might not have to provide a Data Breach Notice.
"Reasonable Determination" Partial Exception
There's another, more limited exception. You do not need to provide Data Breach Notice if:
If you make such a determination, you must keep a written record of it. If the breach affects more than 500 New York residents, you must submit this written record to the New York Attorney General within ten days of creating it.
How to Provide Data Breach Notice
If you discover a data breach or receive notification of a data breach, you must provide Data Breach Notice to any New York residents that have been affected, certain New York State authorities, and, under certain conditions, Consumer Reporting Agencies.
What Your Data Breach Notice Should Contain
The SHIELD Act requires that you include the following information in your Data Breach Notice:
Here are some examples of real Data Breach Notices that comply with these requirements.
Here's how Educational Enrichment Systems provides its contact information:
Here's how Wawa provides contact information for New York state agencies to find out more information regarding data breach response and prevention:
Here's how Checkers explains which categories of information were exposed in its data breach:
Although it isn't mandatory under the SHIELD Act, you should also:
- Reassure your customers that you are taking the breach seriously
- Let them know the actions you have taken to try to contain the breach
- Advise them of any measures they can take to protect themselves (e.g. changing passwords)
Here's some advice from the Federal Trade Commission (FTC) outlining the information businesses should provide following a data breach:
Here's an example from Rooster Teeth's Data Breach Notice:
Following a data breach that affected consumers' payment details, Rooster Teeth advised its customers to check their account statements, and it offered one year's free credit monitoring with credit-rating agency Experian.
How Soon to Provide Notice to New York Residents
The SHIELD Act doesn't provide a clear deadline in terms of hours or days for providing Data Breach Notice to New York residents.
Upon discovering or receiving notification of a data breach, you must provide Data Breach Notice to New York residents "in the most expedient time possible and without unreasonable delay."
There are two caveats. You may delay notification:
- If a law enforcement agency determines that providing Data Breach Notice would impede a criminal investigation. In this case, you must wait until the law enforcement agency tells you that you can proceed with providing notice.
- To take any measure necessary to determine the scope of the breach and restore the integrity of the system.
Methods for Providing Notice to New York Residents
You can use one of the following methods to provide Data Breach Notice to New York residents:
- Written notice
- Electronic notice, if:
  - The recipient has consented to receive Data Breach Notice in electronic form,
  - You have not made consent a prerequisite of providing any service or transaction, and
  - You keep a log of each notice sent
- Telephone notice, if you keep a log of each notice sent
The SHIELD Act also allows a form of "substitute notice" that requires fewer resources than providing Data Breach Notice via one of the above methods.
You may only provide substitute notice if you can demonstrate to the New York Attorney General that:
- Providing (non-substitute) notice would cost more than $250,000, or
- More than 500,000 New York residents have been affected, or
- You do not have contact details for the affected New York residents
Substitute notice involves providing Data Breach Notice via all of the following methods:
- Email notice (if you have email addresses for the affected New York residents)
  - You cannot provide email notice if the breach involved type II private information (login details). In this case, you must provide "clear and conspicuous" notice via the affected person's account when the person logs into their account from a known IP address or location.
- Conspicuous notice on your website (if you have one), and
- Notification of state-wide media
Providing Notice to the Authorities
In addition to providing Data Breach Notice to New York residents, you must also notify the authorities of what has occurred. This must not cause any delay to providing notice to New York residents.
Specifically, the SHIELD Act requires that you inform:
You must let these authorities know:
- When you gave notice
- What the notice contained
- How you distributed your notice
- How many people were affected by the breach (approximately)
You must also provide a copy of your Data Breach Notice.
Providing Notice to Consumer Reporting Agencies
If more than 5,000 New York residents were affected by the breach, you must also provide Data Breach Notice to Consumer Reporting Agencies. Again, this must not cause you to delay providing notice to New York residents.
The New York Attorney General is responsible for compiling a list of Consumer Reporting Agencies and will provide this on request.
You must inform the Consumer Reporting Agencies of the same information you provided to the authorities. However, you do not need to provide them with a copy of your Data Breach Notice.
Additional Requirement for HIPAA and HITECH Act-Regulated Entities
There is an additional Data Breach Notice requirement for entities regulated by HIPAA or the Health Information Technology for Economic and Clinical Health Act (HITECH Act).
Here's the relevant section of the SHIELD Act:
Businesses regulated by these laws must give notice to the Secretary of Health and Human Services in the event of a breach of certain health information.
If this occurs, the SHIELD Act requires that they also give notice to the New York State Attorney General within five business days of notifying the Secretary of Health and Human Services.
Penalties for Failing to Provide Notice
There's no "private right of action" under the SHIELD Act, so New York residents cannot sue you for failing to protect their private information or failing to provide Data Breach Notice.
However, the New York Attorney General can take your company to court if you don't provide Data Breach Notice.
This might mean that you may have to pay:
The Attorney General must act within three years of becoming aware of the breach, or six years of the date of the breach itself (unless you tried to cover it up, in which case they have longer).
Providing SHIELD Act-Compliant Data Breach Notice
A data breach can cause legal trouble, penalties, and reputational damage.
Your business can take the following steps to prepare:
- Identify whether you own, license, or maintain the private information of New York residents.
- Learn how to recognize a data breach.
Your Data Breach Notice must contain:
- Your contact details
- Contact details for state and federal ID-theft protection agencies
- Information about what data has been compromised
You can distribute your Data Breach Notice:
- By phone
- Electronically (if you have consent)
- In writing
- Via substitute notice methods (under certain conditions)
You must send your Data Breach Notice:
- Without delay
- To affected New York residents
- To certain New York State authorities
- To Consumer Reporting Agencies (if over 5,000 New York residents are affected)