NYS SHIELD Act and Libraries

Submission Date:

Question:

With the NYS SHIELD Act taking effect in March 2020, what changes or precautions should libraries be thinking about to comply with the law and minimize the risk of data breaches?

Answer:

There are many technical aspects to this question, and this answer will explore many of them.  But first, I invite each reader to sit back, close their eyes, and envision the types of information their library takes in, maintains, or manages digitally.

Name…address…phone number…e-mail…library card number and account information.  Perhaps a driver’s license, or other photo ID.  Credit card information? Job applicant information, payroll, and employee data….  Donor information.  Survey responses.  Licensed lists.  Content related to digitization.   And (of course) every digital record related to a library’s core function: providing information access.

Now envision what someone with less-than-ethical intentions could do if they accessed or appropriated that digital information:

Disclose confidential library records…sell active credit card information on the dark web...use the information to design a very convincing phishing[1] scheme….

And I bet you can easily think of more. 

Scary?  You bet it is.  This is the type of risk-management New York’s lawmakers had in mind when they enacted the SHIELD Act[2], a far-reaching amendment to the state’s laws governing data security.

And as the member points out, the changes will impact your library.

So, what does this law require?

A lot. 

And here is where we get technical.  Because the law will hit different types of institutions differently, this “Ask the Lawyer” can’t give you a word-by-word recital of the precise obligations the SHIELD Act will impose on your institution.  But it can give your board, your director, and your (internal or external) IT team a plain-language DIAGNOSTIC FORM: a tool to start assessing your obligations.

So here, without further ado, is the ‘ASK THE LAWYER’ SHIELD ACT DIAGNOSTIC FORM.  If you have a buddy to fill this in with, I suggest you invite them to help; this is not the type of exercise to do alone.[3]

[NOTE: Any member of a library council in the State of NY is licensed to make a copy of this form for diagnostic purposes. However, THIS IS NOT INDIVIDUALIZED LEGAL ADVICE and no legal conclusion about the obligations of your institution should be made without the input of a lawyer.  That said, filling this out will help that lawyer help you a lot faster.]

The form has three columns: the diagnostic question, a space for your answer, and the significance of that answer.  Each numbered item below is one row of the form.

1. Diagnostic question: Does your library collect electronic versions of “personal information” as defined by SHIELD?

Here is the definition of “personal information”:

"Personal information" shall mean any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.

Your answer: ________

Significance: If your library collects “personal information” as defined by SHIELD, it may be subject to SHIELD’s requirements.  So, if you marked “yes,” keep going!

2. Diagnostic question: Does your library’s network or equipment collect electronic versions of “private information” as defined by SHIELD?

Here is the type of data that, when combined with “personal information,” becomes “private information” protected under SHIELD:

(1) social security number;

(2) driver's license number or non-driver identification card number;

(3) account number, credit or debit card number, in combination with any required security code, access code, [or] password or other information that would permit access to an individual's financial account;

(4) account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual's financial account without additional identifying information, security code, access code, or password; or

(5) biometric information, meaning data generated by electronic measurements of an individual's unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual's identity; or

(ii) a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.

Your answer: ________

Significance: If your library collects “private information” as defined by SHIELD, it may be subject to SHIELD’s requirements.  So if you marked “yes,” keep going!

(NOTE: if any libraries out there are using biometric records like retina scans in place of library cards, please let me know, because that is Bladerunner-level cool).

3. Diagnostic question: Does the “private information” your library collects include information from residents of New York?[4]

Your answer: ________

Significance: If your library collects “private information” relating to New Yorkers, it may be subject to SHIELD’s requirements.  So if you marked “yes,” keep going!

4. Diagnostic question: Is your library part of a larger institution such as a school, college, university, museum, religious institution, or hospital?

Your answer: ________

Significance: If the answer is “yes,” then STOP.

Your work on SHIELD ACT compliance should be coordinated with your full entity, which should be sensitive not only to your library’s obligations under CPLR 4509, but to your institution’s obligations under SHIELD and other data security laws like FERPA and HIPAA.[5]

Don’t go rogue!

5. Diagnostic question: Does your institution contract with another entity, like a library system, to maintain private information?

EXAMPLE: When a person applies for a library card, does the personal information supplied stay on the local library’s network, or does it simply flow through a terminal at the local library to a system’s network? This is a very common arrangement in NY.

Your answer: ________  If “yes,” list and attach the contracts, along with the information maintained by the contractor.

Significance: This question applies to both parties.

If the answer is “yes,” gather the contract(s) governing the arrangement(s), and be ready to check the contracts for assurance of SHIELD compliance. This includes assurance of “reasonable security requirements,” and a clause governing data breach notification.

6. Diagnostic question: Now, aside from information maintained on another entity’s network as listed in #5 above (library system, payroll service, credit card service provider, etc.), does your institution maintain any computer system with private information?

Your answer: ________  If yes, list the information gathered and where it is maintained:

________

Significance: If the answer is “no,” you only have to follow step #7, below.

If the answer is “yes,” make an appointment with your IT team, and be ready to do steps #7 through #15, too.

7. Diagnostic question: Contract compliance check.

If you answered “yes” to #5, above, the contracts governing that relationship should be clear about SHIELD Act compliance, including the notification procedures for data breach.

Your answer: Who is the person at your institution who will do this work with your contractors? ________

Significance: This is a smart step because contract vendors must meet this standard:

Any person or business which maintains computerized data which includes private information which such person or business does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery, if the private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization.

8. Diagnostic question: Okay, so it looks like my institution has to comply with the SHIELD Act.  What does that mean?

Well, firstly:

Any person or business which conducts business in New York state, and which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization.

So, does your institution have a policy for data breach notification?

Your answer: ________

Significance: Your institution may already have one! If so, it should be updated to reflect the changes in the law.

If it doesn’t have one, now is a good time to get a policy in motion.

The law lists the steps and requirements for notification.  Among other things, those requirements can depend on the size and nature of the breach.

NOTE: a data breach is something a library should respond to with a qualified IT team and, if there are concerns about liability and compliance, a lawyer and your insurance carrier.

9. Diagnostic question: Secondly:

Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.

Does your institution have a policy to implement these “reasonable security requirements?”

Your answer: ________

Significance: Your institution may already have one.

If so, it should be updated to reflect the changes in the law.

If it doesn’t have one, now is a good time to get a policy in motion!

NOTE:  ***I have put the SHIELD Act’s criteria for a data security program next to three asterisks in the text following this form.

10. Diagnostic question: Thirdly, are you a small library and feeling panicked about your security requirements?

Don’t worry: if you’re a “small business,” the law has a provision related to your obligations.

Here is the SHIELD Act’s definition of a “small business”:

"Small business" shall mean any person or business with (i) fewer than fifty employees; (ii) less than three million dollars in gross annual revenue in each of the last three fiscal years; or (iii) less than five million dollars in year-end total assets, calculated in accordance with generally accepted accounting principles.

So (deep breath) are you a “small business?”

Your answer: ________

Significance: If the answer is “yes,” then your “reasonable security requirements” are tempered:

…if the small business's security program contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers.

This analysis is why having an inventory of the private information maintained by your library (or for your library) is critical; depending on the “sensitivity” (or use) of what you maintain, your plan can be adjusted for what is “appropriate.”

11. Diagnostic question: Just to reiterate: if you have gotten this far into the diagnostic assessment, you should probably have a “data breach” plan—even if it is just for coordinating with the entity who holds most of your data.

So: do you have a “Data Security and Data Breach Notification Policy and Procedure?”

Your answer: ________

Significance: As can be seen in the factors cited in the sections above, policies and procedures related to data security and data breach notification cannot be cookie-cutter, based simply on what other libraries do.  Your policy and practices will be governed by many factors.

12. Diagnostic question: Are you insured for data breach and recovery?

Your answer: ________

Significance: This is a great question to ask your insurance carrier!  You should also be familiar with their notice requirements in the event of a hack or breach.

13. Diagnostic question: Who at your institution is responsible for coordinating your data security program?

Your answer: ________

Significance: This responsibility should be confirmed in a job description and reinforced with regular training.  Working with your system or other larger supporting entity may be important, too.

14. Diagnostic question: Who are your outside contractors assisting with emergency response in the event of data breach?

Your answer: ________

Significance: This is a good standing contract to have, and one that systems and councils might consider jointly negotiating for on behalf of members (and hopefully it is a service you never need to invoke!).

15. Diagnostic question: Did you ever think, when you chose a library career, you’d get to moonlight in IT?

Your answer: ________

Significance: IT and libraries: two great tastes that go great together….with enough planning.

And that’s the SHIELD Act.[6]

How does a small not-for-profit tackle this expansion of data security laws?  Like anything else: inventory your status under the law, establish a goal for compliance, develop a budget and a plan, make sure the responsibility is appropriately allocated, confirm insurance coverage alignment, use all the resources at your disposal (your system, council, insurance carrier, and board members who have lived through data breach compliance) and get it done. 

In practical terms, this also means:

  • If your library makes a practice of getting a copy of every member’s photo ID, and stores it on an Excel spreadsheet on an unsecured computer, now is a great time to stop doing that.
  • If your library maintains a list of users, credit card numbers, CCV numbers and expiration dates on your network, now is a great time for a network security assessment.
  • If your library uses an outside IT contractor, now is a great time to review their contract and make sure it provides assurance that services will be SHIELD Act-compliant.
  • If you have no idea if your institution’s insurance covers data breach (and recovery), now is a great time to ask your agent, broker, or carrier.  They might even have some resources to help you with SHIELD Act compliance.

The penalties for violation of the SHIELD Act are $5,000 per violation, in an action brought by the New York Attorney General (the law doesn’t create a private right to sue).  Other changes to the law make it easier for the AG to learn of data breaches, and to coordinate with other law enforcement agencies trying to combat them.  As we envisioned at the beginning of this article, the stakes for a breach are high.

But don’t worry.  No matter where your diagnosis falls, remember: libraries have been operating under heightened privacy obligations since before there were computers.  That mindset—awareness of an ethical duty to protect privacy—is the most important part of a program to minimize the risk of breaches. 

You’ve got this.

Thanks for a great question.

 

***A data security program includes the following:

 (A) reasonable administrative safeguards such as the following, in which the person or business:

(1) designates one or more employees to coordinate the security program;

(2) identifies reasonably foreseeable internal and external risks;

(3) assesses the sufficiency of safeguards in place to control the identified risks;

(4) trains and manages employees in the security program practices and procedures;

(5) selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and

(6) adjusts the security program in light of business changes or new circumstances; and

 

(B) reasonable technical safeguards such as the following, in which the person or business:

(1) assesses risks in network and software design;

(2) assesses risks in information processing, transmission and storage;

(3) detects, prevents and responds to attacks or system failures; and

(4) regularly tests and monitors the effectiveness of key controls, systems and procedures; and

 

(C) reasonable physical safeguards such as the following, in which the person or business:

(1) assesses risks of information storage and disposal;

(2) detects, prevents and responds to intrusions;

(3) protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and

(4) disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

 


[1] “We just need your bank information to refund your library fees since 1987 with interest!”

[2] SHIELD stands for "Stop Hacks and Improve Electronic Data Security".

[3] Why?  Well, if you’re lucky, it’s because it will be boring.  But chances are, it will be all too exciting, as you discuss the different types of data your library maintains and explore the data security obligations that come with it.  And if that happens, you’ll need one person filling in the form, while the other one looks up information—and you’ll both want someone to share your sense of urgency when it’s over.

[4] NOTE:  This is a huge change in the law, which used to only apply to businesses in New York.  Now it applies to any business that collects the information of New Yorkers; a big difference and one that impacts businesses out-of-state.

[5] Institutions subject to HIPAA have special provisions to ensure disclosure obligations aren’t redundant.
