SHIELDing Consumers From Data Breaches
The New York City subways have become extremely problematic, enough to warrant a long form Times piece. Trying to avert disasters in another area, at least, New York attorney general Eric Schneiderman recently introduced the SHIELD Act (Stop Hacks and Improve Data Security Act) to protect New Yorkers and their personal information from data breaches. The bill is currently still going through Albany, but it already is quite comprehensive. After all, 2016 saw a 60% increase in breaches involving New York residents. And with a continued cybersecurity skills shortage across industries (which, almost half of the respondents to an ESG report stated as a major factor in contributing to security incidents in their organizations), consumers need all the protection they can get.
Based on a reading of the publicly released aspects of the bill, it seems like a good blueprint for others to follow, in terms of scope, definition and flexibility. For starters, the bill extends beyond the previous requirements, wherein covered entities include those who conduct business in the state: now, any person or company that licenses or processes New Yorkers’ private information, even out of state, must adhere to SHIELD.
Also expanded are the types of information that qualify for protection, or notification in the event of a breach. The act differentiates ‘personal’ and ‘private’ information, with the former being anything that can identify a person (names and phone numbers, for example). The latter, meanwhile, includes the personal, but also data like Social Security numbers, driver’s licenses, credit or debit card information (numbers and passwords), unsecured protected health information (PHI), biometric information, and so on.
When any of these data elements are compromised, either through unauthorized access, acquisition or disclosure, a data breach has occurred, according to the act. Consequently, notification to the affected parties is required “in the most expedient time possible and without unreasonable delay.” SHIELD further specifies the appropriate methods and stipulations of notification, including written notice, phone, email, or, in the case of larger breaches, posting an announcement to the company website or alerting statewide media.
Failure to meet SHIELD standards leaves organizations open to action from the New York State Attorney General, whether injunctive relief, damages for losses, or civil penalties. Although, this does not include a private right to action, which is a shortcoming. Nevertheless, it’s always a plus to see positive action being taken to protect consumers and their personal information.