Businesses handle personal data more than ever.
The digital economy grew 4.3 times faster than the United States economy over the last two decades, more healthcare data is online now than ever before, and new web-based business models now offer free services while gathering consumer information and becoming data brokers.
Around 4 billion records containing private data were breached in 2019 alone, either maliciously or accidentally. Forbes recently called data privacy “one of the defining social and cultural issues of our era.”
In an effort to combat potential harmful breaches of personal consumer data and bring New York’s cybersecurity into the future, Governor Andrew Cuomo signed the SHIELD (Stop Hacks and Improve Electronic Data Security) Act into law on July 26, 2019.
Some state and federal laws already exist to protect consumer data; however, the NYS SHIELD Act will go above and beyond them.
Aside from mandating a data security and risk management program, it also takes significant steps to expand certain protections.
About the NYS SHIELD Act and Private Information
If even the simplest bit of personal, private information falls into the wrong hands, it can be used for a number of malicious purposes, including identity theft, bank fraud and more.
That’s why the NYS SHIELD Act expands the definition of “private information” to include several new protected categories. By including them, businesses would be required to inform consumers and employees if this data were stolen or leaked.
The expanded definition now includes biometric data, an important addition as physiological data collection is becoming more common with the popularity of facial recognition software, fingerprint locking smartphones and voice recognition software.
Other new additions to the definition include:
- E-mail addresses along with their passwords, security questions and answers.
- Social Security numbers.
- Driver’s license numbers and non-driver’s license ID card numbers.
- Credit, debit and account numbers with or without security codes.
About Data Breaches
A data breach is any security incident in which personal information is accessed by someone who doesn’t have proper authorization.
Sometimes this is malicious, such as an identity thief gaining access to a bank account. Other times it’s not, such as an accidental text message containing private information.
Either way, data breaches are a big deal, and the average total cost of a data breach is around $3.86 million, according to the Ponemon Institute.
While New York already had a legal system in place requiring companies to offer notifications to consumers in the event of a data breach, NYS SHIELD changes New York from an “acquisition state” to an “access state.”
Here’s what that means:
Previously, as an acquisition state, businesses in New York only were required to notify consumers if their data had been verifiably acquired by an unauthorized person. If a hacker had broken into a computer but not necessarily accessed private data, for instance, no notification was necessary.
But now, as an “access state,” a breach notification is required at the mere event of access. A company no longer has to know whether or not any private information was actually taken. This will certainly result in more breach notifications overall but most likely safer consumers in the long run.
About Accidental Data Breach Where Misuse Is Unlikely
The NYS SHIELD Act does make things easier for your HR department in one area, though.
In cases where an accidental data breach occurs but misuse or financial/emotional damage is still unlikely (for instance, if an employee accidentally e-mails a spreadsheet containing private data to his supervisor instead of the payroll department), the company is allowed a breach notification exception.
However, there are special requirements when an exception is made. Those requirements are as follows:
- The reason for the determination must be documented.
- The documentation must be kept for at least five years.
- If the breach involves more than 500 New York residents, the documentation must be submitted to the New York attorney general within 10 days.
Does the New York SHIELD Act Effect Me?
It’s easy to assume that because the NYS SHIELD Act is a New York State law, only businesses that operate within New York State limits are required to comply.
That would’ve been true before SHIELD was passed. However, the new law holds any business, anywhere in the world, accountable as long as it handles or licenses computerized data of a New York resident or has one employee in the state of New York.
The law becomes active on March 21, 2020.
Keep an eye out for our upcoming blog on the steps you should take to comply with the NYS SHIELD Act data security program mandate.
