A Guide to NYS SHIELD Act Compliance: How to Issue Breach Notifications
Written by Complete Payroll
When a consumer places personal data in the hands of a private organization, there’s a reasonable assumption of privacy.
However, breaches of personal data are on the rise and can occur in any number of ways, including a hack by a malicious actor, insider theft or an accidental leak. When a breach occurs, it can wreak enormous havoc—cybercrime as a whole is expected to cause $6 trillion in damages annually by 2021.
That’s why the consumer data breach notification is so important. It allows the consumer to take proper action to prevent identity theft, blackmail, credit card fraud and a number of the other potentially life-changing consequences of a data breach.
In an effort to boost the personal data security of New York residents, Governor Andrew Cuomo signed the NYS SHIELD Act into law. It mandates that any business that handles a New York resident’s private information must issue a breach notification in the event that the information has been accessed (for example, when an unauthorized user logs into an account, even if no information is downloaded). This is a change from the previous law, which only required notification if there was proof the information had actually been acquired.
The act also strengthens the legal definition of “personal data” and mandates stronger corporate data security programs.
But for now, we’ll walk you through some breach notification best practices.
The Wrong Way to Send a Breach Notification
In 2019 a group of researchers from the University of Michigan found that most breach notifications are unhelpful and unclear.
The group studied 161 breach notifications from 2018 and found that 97 percent ranked as “difficult” or “fairly difficult” in terms of readability and often failed to convey risk or a need to take action.
A number of problems led to this, including:
- The notifications were too long and buried information at the end after lengthy paragraphs of unhelpful text.
- The language was too technical for the average reader.
- The notifications used language like “potentially” and “may,” which minimized the dangers created by a breach.
- The notifications made statements indicating there was no evidence user information had been misused, often misleading consumers to believe there was no reason to take further action.
- Thorough tips were included but often placed in a location that didn’t indicate their importance.
The Right Way to Send a Breach Notification
The good news is that this gives you the opportunity to be one of the precious few who offer a helpful breach notification. Below are some best practices:
Description: The story is important. Your users will want to know exactly what happened. Open with a description of the breach. Include the cause of the breach, the date of the breach, the date the breach was discovered, and what was exposed. Be concise but detailed.
Use Design Standards: To improve readability, use headers to break up sections. Use bullet points to make long lists of information more readable. Anything you can do to make your page more visually appealing will help engage your readers.
Focus on Readability: Write the notification for the average reader. Don’t use technical language that’s beyond the average reader. Try to keep your language at an eighth-grade level, and remember that good writing is concise and doesn’t include unnecessary information.
Avoid “No Evidence” Claims: Claiming there is no evidence of misuse often leads a consumer to believe there is no need for further action and no risk to their credit, financial or emotional health. Further action should always be advised. A link to the FTC’s identity theft advice website should be provided as well.
Notifying Law Enforcement and Reporting Health-Related Breaches
Some breach notifications may require additional steps, depending on the nature of the information leaked, including contact with law enforcement and media agencies. This is especially true if you handle personal health records (PHR).
If there’s a risk of identity theft, the Federal Trade Commission lists local police as your first point of contact. If local law enforcement is unable to help, the next step is to contact the nearest FBI office.
The third resort is the U.S. Secret Service. In the case of mail theft, contact the U.S. Postal Service.
Notifying the FTC
The following business types are required to notify the Federal Trade Commission in the case of a data breach:
- Personal health record vendors: The FTC defines personal health record vendors as any business that “offers or maintains a personal health record.”
- PHR-related entities: These are businesses that interact with personal health record vendors by accessing personal health information (the FTC gives apps that help manage medications or upload blood pressure readings as examples).
- Third-party service providers: These are businesses that disclose or destroy personal health records or other health information-related items.
Who must be notified:
- The consumer must be notified within 60 days of the breach discovery.
- The FTC must be notified as soon as possible. If the breach involves 500 people or more, the notification must be sent no later than 10 days after the breach is discovered.
- The relevant local media must be notified with a press release if 500 people or more are involved.
- If your company is a third-party service provider, you also must inform your clients without unreasonable delay and no later than 60 days after the discovery of the breach.
Notifying the U.S. Department of Health and Human Services
Additionally, if you’re covered by the Health Insurance Portability and Accountability Act (HIPAA) breach notification rule, you’re required to notify the U.S. Department of Health and Human Services and, in some cases, the media.
- Consumers must be notified within 60 days in writing by first-class mail (or by email if the consumer has opted in). If the contact information is out of date for 10 or more consumers, the business must post a notice on the front page of its website for at least 90 days, or in major print or broadcast media where the consumers likely live. If fewer than 10 contacts are out of date, alternate notice by phone or other written means is acceptable.
- HIPAA-covered businesses with a breach affecting more than 500 people must notify prominent media outlets in the area within 60 days of discovery of the breach.
- The Secretary of Health and Human Services must be notified via the electronic breach report form without unreasonable delay if more than 500 people are impacted. If fewer than 500 people are impacted, the report may be submitted annually.