In many countries, companies must notify all persons affected in the case of a data breach. However, in the US there is still no single federal law governing this. This means different states have introduced different laws regarding data breaches.
New York State is no different: it has its own law requiring businesses to inform customers if their data has been breached. It is called the NYS Information Security Breach and Notification Act.
This article is not legal advice. Before making any decisions relating to the handling of customer data, you should consult with a legal professional who is familiar with New York’s Data Breach Notification Act as well as other data protection regulations your business may be bound by.
Which Information Is Covered By The NYS Information Security Breach and Notification Act?
The act covers any data breach involving a “combination of name, Social Security number, driver’s license number, account number, or credit and debit card number”. However, it is good practice to inform your customers if any of their data is exposed. Some forms of data, like biometric information, are not specifically covered by the law but could still put your customers at risk if they were breached.
In What Circumstances Does A Business Need To Make A Disclosure?
The law states that it applies to any circumstances “when a person has acquired computerized data containing personal information without valid authorization.”
It is down to the business to determine whether such unauthorized data access has taken place. The act recommends that a business notify the affected parties if it has any of the following:
- Knowledge that the information is in the physical possession and control of an unauthorized person, such as when a computer or other device is lost or stolen.
- Evidence that the information has been downloaded or copied without authorization.
- Evidence of unauthorized use of the information.
When Does A Business Need To Make A Disclosure?
The law states that the disclosure “must be made in the most expedient time possible and without unreasonable delay upon determination of a data breach.” This is open to some interpretation, but it is advisable to notify your customers as soon as you are confident their information may have been breached.
How Businesses Are Required To Disclose A Breach
You can notify your customers by either writing to them or calling them. You can also notify them via email or text, but only if the customer has previously consented to receive digital communications from you.
If you believe that the data breach may have affected more than 500,000 people, or that notifying each customer individually would cost in excess of $250,000, you can use a substitute notice. A substitute notice is generally accepted to be posting a notice on your website’s home page or publishing the leak in a major print or broadcast outlet.
What Exactly Needs To Be Disclosed?
You do not have to disclose how you believe the breach occurred or provide information on what the customer should do next, but you do need to let affected customers know:
- What information you believe was breached.
- Your contact details.
Do Credit Agencies Need To Be Notified?
If you believe more than 5,000 New York State residents may have been affected simultaneously by a breach, your business also needs to notify the relevant consumer credit reporting agencies with the same information that would be sent to your customers.
Does Law Enforcement Need To Be Contacted?
If New York State residents are affected by the breach, you must inform:
- The New York State Office of the Attorney General
- New York State Division of State Police
- The New York Department of State’s Division of Consumer Protection
The text of the act also says that “Law enforcement may require that you delay notification of a data breach if they believe that its disclosure will impede a criminal investigation”. For this reason, if you believe the data breach was the result of a criminal act, you should contact the authorities before you notify your customers.
How Managed IT Services Can Help You Stay Compliant With Data Protection Laws
As you can see from the details above, a data breach can result in a lot of extra worry and administration to deal with. Luckily, this can all be avoided by preventing a data breach from happening in the first place.
At Carden IT Services, we offer a wide range of cyber defences and data protection services. Here are just three of the ways our managed IT services can help you prevent and survive data security incidents.
Data Loss Prevention
When correctly implemented, data loss prevention (DLP) can help protect sensitive information stored by your company from being lost, misused, or accessed by unauthorized individuals. DLP enables you to set policies for distinct types of data classifications within your organization.
You could, for example, create a policy that bans data marked as “sensitive” from being transferred to a USB stick or sent outside of your network.
When infractions are detected, DLP enforces these policies through data encryption and also notifies our cybersecurity team. Having DLP implemented in your organization helps to keep end users from inadvertently or deliberately releasing data that could put your company at risk.
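To make the policy described above concrete, here is a small added example (not Carden IT Services code, and not taken from any DLP product) of how a DLP engine classifies a record and decides whether a transfer is allowed. It uses the data elements the act names (name combined with Social Security number, driver’s license number, account number, or card number) as its “sensitive” classification, blocks transfers of such data to a USB stick or external email, and produces an alert event for the security team. The regex detectors, destination names, and the sample customer record are all constructed for illustration; real products use richer detectors such as checksums and document fingerprints.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed detectors for the identifiers the act lists alongside a name.
# Commercial DLP uses far more robust matching; these are illustrative only.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "drivers_license": re.compile(r"\bDL\s*#?\s*[A-Z0-9]{8,9}\b"),
    "account_number": re.compile(r"\bacct\s*#?\s*\d{8,12}\b", re.IGNORECASE),
}
# The act's definition pairs a person's name with one of the identifiers above.
NAME_PATTERN = re.compile(r"\bName:\s*([A-Z][a-z]+(?: [A-Z][a-z]+)+)")

# Destinations the policy governs (assumed names). "usb" and "external_email"
# mirror the article's example of banning transfers to a USB stick or outside
# the network; anything else is treated as staying inside the organization.
BLOCKED_FOR_SENSITIVE = {"usb", "external_email"}

# Constructed sample record of the kind the policy must protect.
CUSTOMER_RECORD = (
    "Name: Jane Smith\n"
    "SSN: 123-45-6789\n"
    "Card: 4111 1111 1111 1111\n"
    "Notes: renewal due next month\n"
)


def classify(text: str) -> Tuple[str, List[str]]:
    """Return (label, identifiers found).

    'sensitive'  : a name plus at least one covered identifier (the act's test)
    'restricted' : an identifier with no name attached; still worth a review
    'public'     : nothing matched
    """
    found = [kind for kind, pat in IDENTIFIER_PATTERNS.items() if pat.search(text)]
    has_name = NAME_PATTERN.search(text) is not None
    if has_name and found:
        return "sensitive", found
    if found:
        return "restricted", found
    return "public", found


@dataclass
class Decision:
    action: str                 # "allow" or "block"
    label: str                  # classification that drove the decision
    reason: str
    alert: Optional[Dict] = None  # event forwarded to the security team, if any


def evaluate_transfer(text: str, destination: str, user: str) -> Decision:
    """Apply the policy: sensitive data may not leave via USB or external email."""
    label, found = classify(text)
    if label == "sensitive" and destination in BLOCKED_FOR_SENSITIVE:
        alert = {
            "user": user,
            "destination": destination,
            "identifiers": found,
            "action": "blocked",
        }
        reason = f"sensitive data ({', '.join(found)}) to {destination}"
        return Decision("block", label, reason, alert)
    return Decision("allow", label, "no policy violation")


if __name__ == "__main__":
    for dest in ("usb", "external_email", "internal_share"):
        d = evaluate_transfer(CUSTOMER_RECORD, dest, user="jdoe")
        print(f"{dest:15} -> {d.action:5} ({d.reason})")
        if d.alert:
            print("   alert for security team:", d.alert)
```

The classification deliberately separates “restricted” (an identifier on its own) from “sensitive” (name plus identifier), because the act’s definition turns on that combination while a practitioner would still want the weaker case surfaced for review.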
Dark Web Scanning
You can only notify your customers about a data breach if you know one has occurred. Unfortunately, a lot of stolen data ends up on the dark web, which can be a confusing and dangerous place to go looking if you don’t know what you’re doing. The dark web also isn’t accessible by search engines, so you can’t just Google “your company name + leaked data”.
At Carden IT Services, we offer a dark web scanning service which crawls the dark web for mentions of your business or your customers. While there is very little chance of getting this data removed from the dark web, it gives you an opportunity to notify your customers. Dark web scanning is an invaluable service as some businesses would never realise that their data had been leaked until it was too late.
Phishing Email Simulations
Phishing emails are still the leading cause of data breaches and malware infections. Someone sends an email pretending to be a colleague, perhaps using a slightly altered email address, and convinces the recipient to hand over their password or other sensitive data.
At Carden IT Services, we can send dummy phishing emails (faked fake emails if you will). These emails use the same tactics as a hacker’s phishing emails would use, but if the recipient falls for them, they are directed to an online refresher pointing out what elements of the email should have tipped them off that it was fake. Over time your team will get better at spotting real phishing emails. This, combined with regular training, keeps your team engaged in the security of your business.
Need Help Securing Your Business’s Data?
We hope this has been a useful update on how businesses in New York will be affected by the NYS Information Security Breach and Notification Act. If you would like to know more about how to prevent data breaches in your business, speak to our cybersecurity team today.