21 April 2020
The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) requires all covered entities to provide a Data Breach Notice to New York residents in the event of a data breach that exposes their private information.
The SHIELD Act contains specific rules about what to include in your Data Breach Notice, how you must distribute it, and who you must provide it to.
Here's a detailed look at everything the SHIELD Act requires if you suffer a data breach.
The SHIELD Act applies to any person or business (including sole proprietorships, non-profits, public bodies, etc) that "owns or licenses computerized data" that includes the private information of New York State residents.
This means that businesses of any size, based anywhere in the world, can be affected by the SHIELD Act.
There is a partial exemption for small businesses regarding the SHIELD Act's Data Security Program. However, this small business exemption does not apply in respect of the Data Breach Notice requirement.
The SHIELD Act's Data Breach Notice requirements also partially apply to any person or business that "maintains" the private information of New York residents, rather than owning or licensing it.
This section of the SHIELD Act is likely to be relevant to service providers who maintain personal information on behalf of other businesses, such as cloud storage services or Customer Relationship Management (CRM) providers.
Such businesses are not required to provide notice to affected persons or notice to the authorities in the event of a data breach. Instead, they must immediately notify the business that owns or licenses the information.
Certain entities that are regulated by other cybersecurity laws, known as "Compliant Regulated Entities," have a partial exemption from the Data Breach Notice requirements of the SHIELD Act.
This partial exemption applies to companies that are already regulated by and compliant with one or more of the following regulations:
Compliant Regulated Entities do not have to provide notice to affected persons in the event of a data breach. However, they must still provide notice to the authorities and notice to Consumer Reporting Agencies.
You must provide a Data Breach Notice in the event of a breach of the "private information" of New York residents.
The SHIELD Act defines two types of private information, which we're calling "type I" and "type II" private information.
The first type of private information defined in the SHIELD Act is a data set that consists of:
|A. Personal information||B. Data element||C. Encryption status|
Any information can identify a natural person (living individual), including:
One of more of the following:
The data element or the combination of both the personal information and the data element must be:
Note that if your business takes care to encrypt the data of New York residents, and you ensure that the encryption key is kept safe, you can avoid being in possession of private information and thus escape many SHIELD Act obligations.
Type II private information is "a user name or email address in combination with a password or security question and answer that would permit access to an online account" (login details).
The SHIELD Act calls a data breach a "breach of the security of the system." Here's the definition provided in the Act:
There are several components to this definition. A data breach occurs when:
The SHIELD Act provides three examples of indications that a data breach may have occurred:
In other words, there may have been a data breach if one of the following sorts of activities occurs:
If you have good reason to believe that you have suffered a data breach, you must provide Data Breach Notice.
There's an exception to the data breach rule: a data breach does not occur if an employee or agent of your business accesses the information:
This might occur if an employee accidentally accesses a private area of your system without valid authorization. So long as they do not disclose any of the information they access, you might not have to provide a Data Breach Notice.
There's another, more limited exception. You do not need to provide Data Breach Notice if:
You have reasonably determined that the breach will not result in:
If you make such a determination, you must keep a written record of it. If the breach affects more than 500 New York residents, you must submit this written record to the New York Attorney General within ten days of creating it.
If you discover a data breach or receive notification of a data breach, you must provide Data Breach Notice to any New York residents that have been affected, certain New York State authorities, and, under certain conditions, Consumer Reporting Agencies.
The SHIELD Act requires that you include the following information in your Data Breach Notice:
A description of the information that has been breached or may have been breached:
Here are some examples of real Data Breach Notices that comply with these requirements.
Here's how Educational Enrichment Systems provides its contact information:
Here's how Wawa provides contact information for New York state agencies to find out more information regarding data breach response and prevention:
Here's how Checkers explains which categories of information were exposed in its data breach:
Although it isn't mandatory under the SHIELD Act, you should also:
Here's some advice from the Federal Trade Commission (FTC) outlining the information businesses should provide following a data breach:
Here's an example from Rooster Teeth's Data Breach Notice:
Following a data breach that affected consumers' payment details, Rooster Teeth advised its customers to check their account statements, and it offered one year's free credit monitoring with credit-rating agency Experian.
The SHIELD Act doesn't provide a clear deadline in terms of hours or days for providing Data Breach Notice to New York residents.
Upon discovering or receiving notification of a data breach, you must provide Data Breach Notice to New York residents "in the most expedient time possible and without unreasonable delay."
There are two caveats. You may delay notification:
You can use one of the following methods to provide Data Breach Notice to New York residents:
Electronic notice, if:
The SHIELD Act provides a method of providing "substitute notice" that requires fewer resources than providing Data Breach Notice via one of the above methods.
You may only provide substitute notice if you can demonstrate to the New York Attorney General that:
Substitute notice involves providing Data Breach Notice via all of the following methods:
Email notice (if you have email addresses for the affected New York residents),
In addition to providing Data Breach Notice to New York residents, you must also notify the authorities of what has occurred. This must not cause any delay to providing notice to New York residents.
Specifically, the SHIELD Act requires that you inform:
You must let these authorities know:
You must also provide a copy of your Data Breach Notice.
If more than 5,000 New York residents were affected by the breach, you must also provide Data Breach Notice to Consumer Reporting Agencies. Again, this must not cause you to delay providing notice to New York residents.
The New York Attorney General is responsible for compiling a list of Consumer Reporting Agencies and will provide this on request.
You must inform the Consumer Reporting Agencies of the same information you provided to the authorities. However, you do not need to provide them with a copy of your Data Breach Notice.
There is an additional Data Breach Notice requirement for entities regulated by HIPAA or the Health Information Technology for Economic and Clinical Health Act (HITECH Act, available here).
Here's the relevant section of the SHIELD Act:
Businesses regulated by these laws must give notice to the Secretary of Health and Human Services in the event of a breach of certain health information.
If this occurs, the SHIELD Act requires that they also give notice to the New York State Attorney General within five business days of notifying the Secretary of Health and Human Services.
There's no "private right of action" under the SHIELD Act, so New York residents cannot sue you for failing to protect their private information or failing to provide Data Breach Notice.
However, the New York Attorney General can take your company to court if you don't provide Data Breach Notice.
This might mean that you may have to pay:
If you "knowingly and recklessly" violated the SHIELD Act, a civil penalty of whichever is the greater of the following two amounts:
The Attorney General must act within three years of becoming aware of the breach, or six years of the date of the breach itself (unless you tried to cover it up, in which case they have longer).
A data breach can cause legal trouble, penalties, and reputational damage.
Your business can take the following steps to prepare:
Your Data Breach Notice must contain:
You can distribute your Data Breach Notice:
You must send your Data Breach Notice:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.