Caution: any business that holds private information of a New York resident, regardless of whether that organization does business in New York, is required to comply.
Inspired by government and legal action against Equifax, which ultimately cost the company billions of dollars, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), sponsored by Senator Kevin Thomas and Assembly Member Michael DenDekker. The Act amends the State’s existing data breach notification law, imposing more expansive data security and data breach notification requirements on companies, with the aim of better protecting New York residents from breaches of their private information. The SHIELD Act takes effect on March 21, 2020.
Governor Cuomo also signed into law the Identity Theft Prevention and Mitigating Services Act, which requires credit reporting agencies that experience a breach involving Social Security numbers to provide five years of identity theft prevention and mitigation services to affected consumers, and gives consumers the right to freeze their credit at no cost. This law becomes effective in 60 days.
Unlike other state data breach notification laws, New York’s original data breach notification law included definitions for “personal information” and “private information.” The current definition of “personal information” remains: “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.” However, the SHIELD Act expands the definition of “private information” which sets forth the data elements that, if breached, could trigger a notification requirement. Under the amended law, “private information” means either:
- personal information consisting of any information in combination with any one or more of the following data elements, when either the data element or the combination of personal information plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired:
  - social security number;
  - driver’s license number or non-driver identification card number;
  - account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account; or account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password; or
  - biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity;

  OR

- a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
Another interesting twist is the definition of “access” to information as it relates to a breach. Access means altering information as well as taking it. In other words, ransomware, which is technically a breach but is not always reported as one, is now definitely a breach and is covered by the SHIELD Act.
Any person or business that owns or licenses computerized data which includes private information of New York residents must comply with the breach notification requirements, regardless of whether the person or business conducts business in New York. That said, there are several circumstances which would exempt a business from the breach notification requirements. For example, notice is not required if “exposure of private information” was an “inadvertent disclosure and the individual or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials”. Further, businesses that are already regulated by and comply with data breach notice requirements under certain applicable state or federal cybersecurity laws (e.g., HIPAA, NY DFS Reg 500, Gramm-Leach-Bliley Act) are not required to further notify affected New York residents; however, they are still required to notify the New York Attorney General, the New York State Department of State Division of Consumer Protection, and the New York State Division of the State Police.
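The two definitions above (what counts as “private information”, including the encrypted-but-key-compromised case, and who must be notified once it is exposed) are the kind of decision rules an incident response playbook ends up encoding. The following is an added illustration, not code from the original post or from any regulator: a small triage helper that applies those rules to a description of what was exposed. The data-element names, the `ExposedRecords` fields and the `Notice` outcomes are assumptions chosen for illustration, and the logic is a simplified reading of the text quoted above, not legal advice.

```python
"""Breach-notification triage modelled on the SHIELD Act definitions quoted above.

Added example (not from the original post). Element names, record fields and
notice categories are assumptions for illustration; the statutory reading is
simplified.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet


class Element(Enum):
    """Data elements that, with personal information, make a record 'private'."""
    SSN = "social security number"
    DRIVERS_LICENSE = "driver's license or non-driver ID number"
    FINANCIAL_ACCOUNT = "account/card number usable to access a financial account"
    BIOMETRIC = "biometric identifier"
    # Second prong of the definition: these count even without other personal info.
    ONLINE_CREDENTIAL = "user name or e-mail with password or security Q&A"


# Elements that only trigger the first prong (personal info + element).
_PRONG_ONE = frozenset({
    Element.SSN, Element.DRIVERS_LICENSE, Element.FINANCIAL_ACCOUNT, Element.BIOMETRIC,
})


@dataclass(frozen=True)
class ExposedRecords:
    """What an incident exposed. 'Exposed' includes altered data (e.g. ransomware),
    since the Act treats altering information as access."""
    has_personal_info: bool          # name, number or other identifier present
    elements: FrozenSet[Element]
    encrypted: bool                  # data element / combination was encrypted
    key_compromised: bool = False    # the encryption key was also accessed or acquired


def is_private_information(rec: ExposedRecords) -> bool:
    """True if the exposed data meets the Act's 'private information' definition."""
    # Encryption only helps if the key was NOT also accessed or acquired.
    if rec.encrypted and not rec.key_compromised:
        return False
    # Prong two: online credentials alone qualify, no other personal info needed.
    if Element.ONLINE_CREDENTIAL in rec.elements:
        return True
    # Prong one: personal information plus at least one listed element.
    return rec.has_personal_info and bool(rec.elements & _PRONG_ONE)


class Notice(Enum):
    NONE = "no notice required"
    STATE_ONLY = "notify NY AG, Dept. of State Consumer Protection and State Police"
    RESIDENTS_AND_STATE = "notify affected residents and the state agencies"


def required_notice(
    rec: ExposedRecords,
    *,
    ny_residents_affected: bool,
    inadvertent_and_no_likely_harm: bool,
    notified_under_other_regime: bool,
) -> Notice:
    """Decide who must be notified, following the exemptions described in the text.

    inadvertent_and_no_likely_harm: the business reasonably determined an
        inadvertent disclosure is unlikely to result in misuse or harm.
    notified_under_other_regime: residents were already notified under HIPAA,
        NY DFS Reg 500, GLBA or similar; the state agencies must still be told.
    """
    if not ny_residents_affected or not is_private_information(rec):
        return Notice.NONE
    if inadvertent_and_no_likely_harm:
        return Notice.NONE
    if notified_under_other_regime:
        return Notice.STATE_ONLY
    return Notice.RESIDENTS_AND_STATE


if __name__ == "__main__":
    # Constructed scenario: a customer table with names and SSNs, encrypted at rest,
    # but the attacker also pulled the key from the application host.
    incident = ExposedRecords(
        has_personal_info=True,
        elements=frozenset({Element.SSN}),
        encrypted=True,
        key_compromised=True,
    )
    print(required_notice(
        incident,
        ny_residents_affected=True,
        inadvertent_and_no_likely_harm=False,
        notified_under_other_regime=False,
    ).value)
```

The point worth noticing in the `encrypted` branch is that the safe harbour depends on key custody, not on encryption alone: a database that is encrypted with a key stored on the same compromised host gives no relief. That is why the record carries `key_compromised` as a separate fact the responder has to establish.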
“This legislation will ensure that impacted individuals receive appropriate credit monitoring and identity theft mitigation services when a credit reporting agency loses their social security number,” said sponsor Assembly Member Jeff Dinowitz (D-Bronx).
Companies must also safeguard data with controls appropriate to the size and complexity of their business. Knowing and reckless violations can result in a fine of up to $250,000. The per-record cost is $20, capped at 12,500 records.
We have reported previously that, according to IBM, a small business data breach costs $2.5 million on average. That was before this new law, which can take the number to $2.75 million. The number of attackers is also increasing by the day. The government has warned us that Iran has stepped up its hacking of U.S. corporations. Recent reports show hacking could cost the U.S. $1.6 trillion! The scary part is that this figure may not include the accompanying fines, which can be very expensive. Just a few of the first GDPR fines, levied within a few days of each other, cost companies one-third of a billion dollars!
Most business owners and managers hope they won't be affected.
Sadly, it is not that simple.
We have put together cybersecurity essentials: a simple list which will help most organizations become far more secure.
There are no guarantees, but most of the time a breach is caused by a simple error, and these are the typical areas to watch.
We are happy to come onsite, evaluate your cybersecurity risk and make recommendations. Even if you have a current IT solution, it is always a good idea to get a second opinion. The alternative could be a costly or catastrophic shutdown, followed by a string of lawsuits and fines.