About a year ago the Governor of New York signed the SHIELD Act into law. Among other things, the law broadened the definition of a breach to include ACCESS to the data, not just theft of it. It also broadened the definition of personally identifiable information. Notice that no one talks about non-public personal information any more; personal information is personal information. It also says that all businesses need to have a reasonable cybersecurity program. My definition of reasonable is a program that you can convince 12 jurors is reasonable, jurors who don’t really want to be there and who have had their own personal information stolen more times than they can remember. An alternative definition is the best commercial practices available, consistent with the risk. If you are the corner deli and you email people the daily specials and all you have is their name and email address, that is a different level of risk than, say, a mortgage company. Finally, the law dramatically expanded its reach to include any company, anywhere, that has private information of New Yorkers. That means that if you have a website and it collects personal information, you are likely covered. Especially if you have a breach.
But it also includes an exemption for “inadvertent disclosure”. What is important to understand is that relying on this exemption after a breach comes with some risk.
Well, what does inadvertent mean?
OF COURSE, the law does not define it, but it does say that to be inadvertent, all of the following must apply: (a) the disclosure was inadvertent (circular reasoning), (b) it was disclosed by someone who was authorized to access the information and (c) the exposure is “not likely” to result in any of the following: (1) misuse of the information, (2) financial harm or (3) emotional harm. It also requires businesses to document the findings in writing and keep that documentation for 5 years (in case you get sued, they can hang you, so to speak, with your own documents). And, if the breach affected more than 500 people, you must provide the Attorney General with a copy within 10 days of completing the determination.
There is, however, no case law defining inadvertent or likely. That means that you should use the exemption carefully, after consulting with legal counsel.
It should be pretty easy to determine whether the disclosure was inadvertent and whether the person who disclosed it was authorized. What is harder is assessing the likelihood of harm.
Also remember that it covers any company that has customers in New York, no matter where the company is located.
Welcome to the world of risk management. Not an easy job these days.
See the Law.com article for more details.
Credit: Law.com (note: registration required)