Published on November 2nd, 2019
Protecting customer data is the law – News – The Evening Tribune
Last week, the first part of a new state law went into effect that will have consequences for local consumers and businesses. The Stop Hacks and Improve Electronic Data Security (SHIELD) Act updates New York's laws governing notification requirements, consumer data protection obligations, and broadens the Attorney General's oversight regarding data breaches impacting New Yorkers.
"The SHIELD Act is now the law of the land and provides better protections for consumers' private information," said Attorney General Letitia James in a press release after the bill became law this past summer. "New Yorkers deserve the peace of mind that companies will be held accountable for securing their information."
A data breach is any unauthorized access to or acquisition of computerized data that compromises the security, confidentiality or integrity of consumers' private information. Recent cases this year include Capital One, when hackers gained access to tens of thousands of customers' social security numbers, bank accounts, names, addresses, credit scores and balance information; Facebook, when hundreds of millions of users' Facebook IDs and phone numbers were stored on an unprotected server; and the food delivery company Door Dash, when hackers stole customers' names, emails and phone numbers, as well as delivery workers' driver's license information.
But big companies aren't the only targets and sources of data breaches. According to Verizon's most recent data breach investigation report, an annual collaboration with partners such as the FBI and the Department of Homeland Security, 43 percent of the incidents in 2018 involved small businesses.
"Data breaches remain a serious threat to any business that uses technology to handle customers' private data," said Sen. Kevin Thomas, a Democrat from Long Island and a co-sponsor of the law. "The consequences of a data breach can be devastating for both the business and the consumer."
While the most immediate impact of the SHIELD Act may be to hold huge companies accountable for the security of New Yorkers' private information, the law also applies to businesses on Main Street, Elm Street and Clinton Street.
So, as a small local business, what do you need to know about the new law to ensure you're in compliance?
Do you have customers who live in New York state?
The SHIELD Act is written specifically to protect customers who reside in New York, which means any company, no matter where its home base is, can be held accountable. But obviously, if you're a local business, the vast majority of your customers are going to be New Yorkers.
Do you own, license or maintain computerized data that includes private information about these customers?
The SHIELD Act clearly defines what "private information" means:
• Personal information (a person's name, for example) combined with other personal data such as a social security number, a driver's license or other identification card number, a financial account number (along with the password or security code), or biometric information like fingerprints, voice print or retina image.
• An email address along with a password or security question that permits access to an online account.
What do you need to do in the event of a breach?
First and foremost, you need to inform your New York customers who are affected "in the most expedient time possible and without unreasonable delay." A specific timeframe (such as "within 24 hours") isn't written into the law because, according to the office of the Attorney General, there are many different factors that will affect how quickly a business can communicate with customers.
When you do inform your customers of the breach, it must be in one of the following ways:
⢠Written notice (like a letter)
⢠Telephone (be sure to keep a log of all calls)
However, if contacting affected customers by letter or by phone will cost more than $250,000, or if you'll need to contact more than 500,000 customers, or if you don't have the right contact information (and you can demonstrate any of these circumstances to the Attorney General's office), you may notify customers in one of these other ways:
• Email (as long as each customer's email information hasn't been affected by the breach)
• A conspicuous and obvious announcement on your website
• Notifying statewide media outlets
Regardless of how you notify customers, you must provide the following information:
⢠Contact info for you or your business.
⢠Telephone numbers and websites for the relevant state and federal agencies that can provide information regarding security breach response and identity theft prevention and protection information.
⢠A description of the information that was breached.
In addition to notifying customers, youâll need to notify the New York Attorney General, the Department of State and the State Police about how you communicated with customers and the approximate number of customers affected. If you have more than 5,000 New York customers affected by the breach, youâll also need to get this same information to consumer reporting agencies.
Are you already required to report a data breach to affected customers under a different law, such as the Health Insurance Portability and Accountability Act (HIPAA)?
Then there are no additional notification requirements for you under the SHIELD Act.
This is just the first part of the SHIELD Act. What's the second part?
In March 2020, the SHIELD Act will require every business to have a data security plan that conforms to specific expectations laid out in the law. More on this in a future story.
Do you still have questions about the SHIELD Act and what it means for you?
You can read the full law (S5575B) on the New York Senate's website.
It's also recommended that you contact your business lawyer or trade group for more guidance.