This definition did not change much from its original form, other than for “ACCESS” and “PRIVATE.” It still means that a breach is an access or acquisition of private information that was unauthorized or without valid authorization.
The variables for a business to consider when deciding if an incident is a breach remain fairly informative. For example, if “…information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person,” it is safe to conclude the incident is a breach.
The new part for security teams to note is that once notice of the breach has been given under the requirements of other regulations (e.g. GLB, HIPAA/HITECH, 23 NYCRR 500, and other NY and federal laws), no additional notice to affected people is needed. However, notice to the state attorney general, the Department of State, the state police, and consumer reporting agencies is still required.
CHAT WITH A LAWYER: Breach notification requirements are detailed in the law, addressing who, how, when and what. Every organization must detail processes and procedures per their circumstance and risk tolerance—including what “the most expedient time,” “unreasonable delay” and “any measures necessary” mean.
OPPORTUNITY: Revisit and update your incident response plan. Ensure appropriate reporting, triage, evaluation, prioritization, escalation, containment, and remediation practices, along with proper root-cause analysis and corrective action. Detail incident classification and timeframe and an escalation path that includes CIO/CISO, legal, and communication representatives. Don’t forget to outline a communication plan for informing asset owners and supervisory authorities and approving media and information sharing. Test it.
While the SHIELD Act has not made the same waves the GDPR and the California Privacy Act have, it is still important to be aware of its impacts. Subtle changes to rules and regulations can have a significant effect on the way organizations must respond to data breaches, and education is critical to moving forward successfully. For example, certain regulations can serve as a proxy for SHIELD compliance. Consider these practical applications of the SHIELD Act: