If you handle private data about any New York resident, you likely fall under the jurisdiction of the SHIELD Act. As well as requiring data security measures, the act says you must inform people in a specific manner about data breaches.
Here's what you need to know.
- 1. What is the SHIELD Act?
- 2. Does the SHIELD Act Apply to Me?
- 3. What is Private Information?
- 4. What Triggers the Breach Notification Requirements?
- 5. What are the Breach Notification Requirements?
- 6. How Do I Provide the Notification?
- 7. Who Else Do I Need To Notify?
- 8. Are There Any Exemptions to the Notification Requirements?
- 8.1. Duplicate Notification
- 8.2. Good Faith Access
- 8.3. Inadvertent Disclosure
- 9. What Happens If I Don't Follow These Rules?
- 11. Summary
What is the SHIELD Act?
The Stop Hacks and Improve Electronic Data Security (SHIELD) Act is a New York state law passed in 2019. It has two key measures, which came into force on different dates.
From October 2019, the requirements to notify officials and data subjects of a breach greatly expanded. It's these requirements we'll primarily address in this guide.
From March 2020, businesses must develop and maintain safeguards to secure personal data. Key points include carrying out risk assessments, training employees on good practice, making sure contracts with vendors require similar safeguards and destroying data at an appropriate point to limit the potential damage from a breach.
Does the SHIELD Act Apply to Me?
Before the SHIELD Act, New York state legislation on data breaches only covered people and businesses who operated in the state.
The SHIELD Act expands this to cover any person or business, regardless of their physical or legal location, that handles private information about New York residents.
The notification requirements only cover data about residents of New York state. This means you'll need to organize your records so you can clearly identify the relevant data if you suffer a breach.
Specifically, the SHIELD Act applies if you own or license computerized data that includes private information. In practical terms, "own" simply means you possess the data. The reference to "license" is to clarify that you still need to report a breach even if you've acquired the data from a third party (for example, buying a mailing list) rather than got it directly from the data subjects.
The rules on safeguarding data work differently depending on the size of the business. However, the rules on data breach notifications are the same for all individuals and businesses.
What is Private Information?
The SHIELD Act has specific descriptions of private information, with the focus being on the consequences of a breach.
The act covers six situations, most of which involve a combination of "personal information" and another piece of data. In this context, personal information is anything that can identify a specific individual. (The law uses the phrase "natural person" to distinguish humans from corporations and other legal bodies.)
With the first five situations, the combination only counts as private information if the data isn't encrypted, or if the encryption key has been exposed.
The situations are:
- Personal information plus a social security number
- Personal information plus a driver's license or non-driver ID card number
- Personal information plus a financial account or card number plus any other information (such as password) required to access a financial account
- Personal information plus a financial account or card number for an account that doesn't require any other information to access a financial account
- Personal information plus biometric data
The sixth situation doesn't require any personal information. It simply covers the combination of a user name or an email address with a password or a security question and answer. The key point is that the combination of data is enough to access an online account.
What Triggers the Breach Notification Requirements?
Previous New York law only covered unauthorized "acquisition" of data. The SHIELD Act extends this to also cover any "access" of private information. This can include the data being viewed, used or altered by an unauthorized person.
Under the act, it doesn't matter how the unauthorized person was able to access the data. For example, the notification requirement applies whether the person accessed the data physically or over the Internet. It also applies whether they saw the data in an unprotected form or if they had to breach a security measure to access it.
What are the Breach Notification Requirements?
Once you become aware of a breach you must notify every affected person (the person that the data is about) who is a resident of New York state.
You should err on the side of caution as the requirement covers not just when you know data was accessed without authorization but where you reasonably believe it was accessed.
For example, if you know somebody was able to access a specific database file, you will need to notify everyone whose private information is in that file, even though the unauthorized person may actually only have had time to see some of the records.
The notification must include:
- Your contact information
- The phone number and websites for relevant government agencies that can provide information about identity theft and data breaches
- The general categories of information accessed or acquired in the breach
- Specific details of what pieces of information were accessed or acquired
That last point doesn't mean you actually list the information such as "3/29/1974" in the notification. Instead the general categories could be "health data" or "login details" while the specific details could be "your social security number" or "your security question answer."
This example from the Fire Department of New York covers both the category ("patient care report" and specific details):
You must make the notification as soon as possible. The only acceptable reasons for delay are to help with law enforcement, to find out how big the breach is, or if you need to fix the breach before making it public knowledge.
If you license private data, you must tell the license holder about a breach as soon as you discover it.
How Do I Provide the Notification?
Normally you must use one of three methods to make the notification:
- Written notice: This could be as a mailed or hand delivered letter.
- Electronic notice: This doesn't include emails, but could instead be an on-screen message that appears when somebody logs into an account, or a message through their online account on your site. The person must have previously consented to receiving such messages, and you must keep a log of the notifications sent this way.
- Telephone: Again, you must keep a log of the notifications made this way.
In special circumstances you can use another method. These circumstances are that:
- It would cost more than $250,000 to make the notifications under the usual methods
- You need to notify more than 500,000 people
- You don't have the contact information to reach everybody under the usual methods
If the special circumstances apply, you must notify the state Attorney General. You can then make the notification through statewide media or a conspicuous post on your website.
The Brooklyn Hospital Center made this notification through a press release targeted at state media:
You can also send the notice by email if the special circumstances apply. However, you can't do this if the email address was part of the private information accessed without authorization.
Instead you must notify the user on screen when they next log in to their online account with you, though only if they do so from an IP address or location that they've "customarily" used to log in before.
Who Else Do I Need To Notify?
Whenever you notify people about their private information, you must also contact:
- The state Attorney General (always)
- The New York Department of State (always)
- The division of state police (always)
- Consumer reporting agencies (only if you are notifying more than 5,000 people)
You will need to tell them:
- When you are sending out the notifications to the affected people
- How you are making the notifications
- Approximately how many people you are notifying
You must also give them a copy of the template you've used for the notifications.
Are There Any Exemptions to the Notification Requirements?
You may already be required to notify individuals about unauthorized access of their personal data under another law or regulation. Examples include:
- Medical data under the Health Insurance Portability and Accountability Act (HIPAA)
- Financial data under the Gramm-Leach-Bliley Act (GLBA)
- Financial data under the New York Department of Financial Services cybersecurity requirements
If you are making these notifications, you don't have to also notify the individual under the SHIELD Act. However, you will still need to tell the state Attorney General, department of state and division of state police.
Good Faith Access
The SHIELD Act doesn't require notification in the case of good faith unauthorized access by an employee or agent. This covers cases such as a staff member who is meant to be looking at one set of data mistakenly accessing other data.
This exemption only applies if the employee or agent doesn't use or disclose the data they unintentionally accessed.
The SHIELD Act doesn't always require notification in cases of inadvertent disclosure. This exemption applies as long as you believe the following five requirements all apply:
- The person who disclosed the private information was authorized to access it in the first place
- The disclosure was inadvertent
- The disclosure isn't likely to lead to misuse of the information
- The disclosure isn't likely to cause financial harm to the data subjects
- The disclosure isn't likely to lead to emotional harm from online credentials (such as usernames and passwords) being disclosed
If you decide this exemption applies, you must write a statement to this effect and keep it on record for five years. If the case involves private data about more than 500 people, you must send a copy of this statement to the Attorney General.
What Happens If I Don't Follow These Rules?
The Attorney General has the power to take court action if you violate the SHIELD Act. A court can then issue a penalty. This is normally calculated as $20 for each person you should have notified but didn't.
Regardless of the calculated figure, there's a minimum total penalty of $5,000 and a maximum total penalty of $250,000.
You may want to include a mention that you fully comply with the act as this will reassure customers that you have strong and well-organized privacy procedures.
This mention could include:
- Details of how you secure your data in line with the SHIELD Act. (Make certain these details are accurate so that users can make informed decisions about consenting to data collection)
- A promise that you will notify New York residents of any breach in line with the act's requirements.
A good model is the way many companies already have special sections for California residents addressing the California Online Privacy Protection Act (COPPA) and the California Consumer Privacy Act (CCPA).
Kaplan simply makes a brief reference near the start of the policy with a link to a dedicated privacy rights page for California residents:
Let's recap what you need to know and do to comply with the SHIELD Act's rules on breach notifications.
- The act covers any private data you hold about residents of New York State. Your location doesn't matter.
As well as securing private data adequately, you must notify people if their private data is accessed or acquired without authorization.
- Private information includes any combination of personal information that identifies a specific human with either a social security number, a driver's license number, a non-driver ID card number, or biometric data.
- Private information also includes the combination of personal information with a financial account or card number and any other details needed to access the account.
- Private information also includes the combination of either a username or email address with a password or security question and answer - in other words a combination that can access an online account. In this case, personal information such as a name isn't necessary.
- The notification rules cover any case where data is accessed or acquired without authorization. It doesn't matter how the unauthorized person was able to do this.
- If a breach happens you must contact every New York resident whose data was accessed or acquired. You must tell them both the broad categories and the specific types of data that were accessed. You must also give your contact details and those of relevant government agencies dealing with data breaches and identity theft.
- Normally you must make the notification in writing (printed), telephone, or an electronic notice. The last method doesn't cover emails but rather on-screen notifications or messages through your site, and you can only use this method if you've previously got the person's permission to do so.
- If you need to notify more than 500,000 people, it would cost $250,000 to make all the notifications, or you don't have sufficient contact information, you must inform the State Attorney General. You can then notify people through a notice on your website, through statewide media, or by email.
- You must not use email if the breach included email addresses. Instead you can use an on-screen message when the person next logs in to your site, as long as they do so from their usual location.
- You must also notify the State Attorney General, the department of state and the division of state police. You'll also need to notify consumer reporting agencies if the breach covers more than 5,000 New York residents.
- You don't need to notify people a second time if you've already done so under another law such as HIPAA.
- You don't need to notify people if a staff member unintentionally accessed data without authorization.
- You don't need to notify people if somebody authorized to access the data then inadvertently disclosed it, as long as you believe it won't cause any harm. You need to keep a note of the incident and tell the state Attorney General if the data covers more than 500 New York residents.
- The penalty for breaches is $20 for each missed notification (one per affected person), with a minimum total of $5,000 and a maximum of £250,000.