I was recently contacted by my employer stating that someone had applied for unemployment benefits using my Social Security number, name, and job title. My employer notified me by email to be aware of this but stated that they conducted a security audit and found that there was no breach on their end and that the matter was currently being investigated by the Department of Labor and FBI. What responsibilities does an employer have to the employee when this happens? What should the employee do?
For this answer, we are again joined by Jessica Keltz, associate attorney at the Law Office of Stephanie Adams, PLLC.
This question takes us back to the SHIELD Act, last discussed by Ask The Lawyer at the end of 2019 (https://www.wnylrc.org/ask-the-lawyer/raqs/100). The SHIELD Act requires businesses (and other entities that conduct business, such as, yes, libraries) that collect personal data to institute compliance measures, including assessing security risks, implementing new data security measures, and securely destroying private information when it is no longer needed for business purposes.
We will take the two questions separately.
First, what responsibilities does an employer have to the employee when this happens?
If your library is not part of a large institution such as a university or a hospital, its compliance responsibilities likely fall under the SHIELD Act requirements for “small businesses.”
The act’s definition of a “small business” is:
"Small business" shall mean any person or business with (i) fewer than fifty employees; (ii) less than three million dollars in gross annual revenue in each of the last three fiscal years; or (iii) less than five million dollars in year-end total assets, calculated in accordance with generally accepted accounting principles.
Compliance requirements for small businesses under the SHIELD Act are more generalized; they simply need to ensure that their data security safeguards are appropriate for their business’ size, complexity, scope of activities, and the sensitivity of the information the business handles. Within those guidelines, libraries that fall under the “small business” requirements should have a data breach plan.
The event that the member described is certainly cause to be concerned that a data breach has occurred, and the library should have a plan to address it. What does addressing it look like? The most important elements are being able to evaluate whether a breach occurred (which it seems the employer was able to do), and disclosing to the potential victim that a breach may have occurred (which the employer definitely did).
If the library had found that a data breach did occur, staff or a contract data security expert should re-evaluate the library’s security protocols to prevent the problem in the future; but in this case, as a breach did not occur, this may not be necessary.
In the case of a data breach or potential data breach (and this falls under “potential”), the employer is also required to disclose the concern to any resident of New York state whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization. By notifying you that this event occurred, the employer has complied with the requirement.
Meanwhile, what can an employee in this position do?
First: as soon as possible, the employee should consider involving their own attorney. The risks posed by this situation are too critical. For those who can’t afford an attorney, contact the local county bar association to learn about pro bono assistance in your region.
Second, assuming the employer has complied with their obligations under the SHIELD Act, since this involved a fraudulent claim for unemployment from the New York State Department of Labor (“NYSDOL”), the employee should work with the NYSDOL to learn all they can about the incident.
This starts with contacting NYSDOL’s fraud department at https://labor.ny.gov/agencyinfo/uifraud.shtm, to see what they can share about the abuse of your personal information. Armed with whatever other information is gathered from NYSDOL, the employee (or their attorney) can then look at their own credit history and other uses of their identity for potential breaches (social media and e-mail accounts).
While this is going on, be extra-wary of any calls, emails, or other contact requesting any personal information. Always require people to call back or write to you with any out-of-the-blue-seeming inquiry. Make sure the people close to you know you are on heightened alert. Consider changing all passwords (just make sure you keep a good record of the changes in a very secure place).
The Federal Trade Commission offers guidelines on when and how to place a “fraud alert” on your credit, to stop new accounts from being opened using your name and information: https://www.consumer.ftc.gov/articles/0275-place-fraud-alert. Any person who learns their information may have been illegally accessed should also request a free credit history from one of the three main credit bureaus, and review their credit report for any unexpected checks or accounts. Depending on what you find when you do so, consider freezing your credit and reporting the theft of your identity to the Federal Trade Commission.
And finally, if an employee has reason to believe their employer or a contract provider is at fault for a breach (even if the employer or contract provider denies it), it is even more critical that the employee consult their own attorney as soon as possible. There are too many variables to give general guidance on this, but broadly speaking, the more you have at stake (employment-related information, direct deposit information, health and benefit-related information, and of course, a potential dispute with an employer), the more important it is to act quickly.
The scenario the member describes is nerve-wracking, and the member was right to reach out about it. Don’t go it alone!
Tags: COVID-19, Emergency Response, Security Breach, SHIELD Act, Employee Rights, Identity Theft
With the NYS Shield Act taking effect in March 2020 what changes or precautions should libraries be thinking about to comply with the law and minimize the risk of data breaches?
There are many technical aspects to this question, and this answer will explore many of them. But first, I invite each reader to sit back, close their eyes, and envision the types of information their library takes in, maintains, or manages digitally.
Name…address…phone number…e-mail…library card number and account information. Perhaps a driver’s license, or other photo ID. Credit card information? Job applicant information, payroll, and employee data…. Donor information. Survey responses. Licensed lists. Content related to digitization. And (of course) every digital record related to a library’s core function: providing information access.
Now envision what someone with less-than-ethical intentions could do if they accessed or appropriated that digital information:
Disclose confidential library records…sell active credit card information on the dark web...use the information to design a very convincing phishing[1] scheme….
And I bet you can easily think of more.
Scary? You bet it is. This is the type of risk-management New York’s lawmakers had in mind when they enacted the SHIELD Act[2], a far-reaching amendment to the state’s laws governing data security.
And as the member points out, the changes will impact your library.
So, what does this law require?
A lot.
And here is where we get technical. Because the law will hit different types of institutions differently, this “Ask the Lawyer” can’t give you a word-by-word recital of the precise obligations the SHIELD Act will impose on your institution. But it can give your board, your director, and your (internal or external) IT team a plain-language DIAGNOSTIC FORM as a tool to start assessing your obligations.
So here, without further ado, is the ‘ASK THE LAWYER’ SHIELD ACT DIAGNOSTIC FORM. If you have a buddy to fill this in with, I suggest you invite them to help; this is not the type of exercise to do alone.[3]
‘ASK THE LAWYER’ SHIELD ACT DIAGNOSTIC FORM

[NOTE: Any member of a library council in the State of NY is licensed to make a copy of this form for diagnostic purposes. However, THIS IS NOT INDIVIDUALIZED LEGAL ADVICE and no legal conclusion about the obligations of your institution should be made without the input of a lawyer. That said, filling this out will help that lawyer help you a lot faster.]

Each numbered item has three parts: the diagnostic question, a space for your answer, and the significance of that answer.

1. Diagnostic question: Does your library collect electronic versions of “personal information” as defined by SHIELD?
Here is the definition of “personal information”: "Personal information" shall mean any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.
Your answer: ________
Significance: If your library collects “personal information” as defined by SHIELD, it may be subject to SHIELD’s requirements. So, if you marked “yes,” keep going!

2. Diagnostic question: Does your library’s network or equipment collect electronic versions of “private information” as defined by SHIELD?
Here is the type of data that, when combined with “personal information,” becomes “private information” protected under SHIELD: (1) social security number; (2) driver's license number or non-driver identification card number; (3) account number, credit or debit card number, in combination with any required security code, access code, [or] password or other information that would permit access to an individual's financial account; (4) account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual's financial account without additional identifying information, security code, access code, or password; or (5) biometric information, meaning data generated by electronic measurements of an individual's unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual's identity; or (ii) a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
Your answer: ________
Significance: If your library collects “private information” as defined by SHIELD, it may be subject to SHIELD’s requirements. So if you marked “yes,” keep going!
(NOTE: if any libraries out there are using biometric records like retina scans in place of library cards, please let me know, because that is Blade Runner-level cool.)

3. Diagnostic question: Does the “private information” your library collects include information from residents of New York?[4]
Your answer: ________
Significance: If your library collects “private information” relating to New Yorkers, it may be subject to SHIELD’s requirements. So if you marked “yes,” keep going!

4. Diagnostic question: Is your library part of a larger institution such as a school, college, university, museum, religious institution, or hospital?
Your answer: ________
Significance: If the answer is “yes,” then STOP. Your work on SHIELD ACT compliance should be coordinated with your full entity, who should be sensitive to not only your library’s obligations under CPLR 4509, but your institution’s obligations under SHIELD and other data security laws like FERPA and HIPAA.[5] Don’t go rogue!

5. Diagnostic question: Does your institution contract with another entity, like a library system, to maintain private information?
EXAMPLE: When a person applies for a library card, does the personal information supplied stay on the local library’s network, or does it simply flow through a terminal at the local library to a system’s network? This is a very common arrangement in NY.
Your answer: If “yes,” list and attach the contracts, along with the information maintained by the contractor.
Significance: This question applies to both parties. If the answer is “yes,” gather the contract(s) governing the arrangement(s), and be ready to check the contracts for assurance of SHIELD compliance. This includes assurance of “reasonable security requirements,” and a clause governing data breach notification.

6. Diagnostic question: Now, aside from information maintained on another entity’s network as listed in #5 above (library system, payroll service, credit card service provider, etc.), does your institution maintain any computer system with private information?
Your answer: If yes, list the information gathered and where it is maintained: ________
Significance: If the answer is “no,” you only have to follow step #7, below. If the answer is “yes,” make an appointment with your IT team, and be ready to do steps #7 through #15, too.

7. Diagnostic question: Contract compliance check. If you answered “yes” to #5, above, the contracts governing that relationship should be clear about SHIELD Act compliance, including the notification procedures for data breach.
Your answer: Who is the person at your institution who will do this work with your contractors? ________
Significance: This is a smart step because contract vendors must meet this standard: Any person or business which maintains computerized data which includes private information which such person or business does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery, if the private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization.

8. Diagnostic question: Okay, so it looks like my institution has to comply with the SHIELD Act. What does that mean?
Well, firstly: Any person or business which conducts business in New York state, and which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization.
So, does your institution have a policy for data breach notification?
Your answer: ________
Significance: Your institution may already have one! If so, it should be updated to reflect the changes in the law. If it doesn’t have one, now is a good time to get a policy in motion. The law lists the steps and requirements for notification. Among other things, those requirements can depend on the size and nature of the breach.
NOTE: a data breach is something a library should respond to with a qualified IT team and, if there are concerns about liability and compliance, a lawyer and your insurance carrier.

9. Diagnostic question: Secondly: Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.
Does your institution have a policy to implement these “reasonable security requirements?”
Your answer: ________
Significance: Your institution may already have one. If so, it should be updated to reflect the changes in the law. If it doesn’t have one, now is a good time to get a policy in motion!
NOTE: ***I have put the SHIELD Act’s criteria for a data security program next to three asterisks in the text following this form.

10. Diagnostic question: Thirdly, are you a small library and feeling panicked about your security requirements? Don’t worry, if you’re a “small business,” the law has a provision related to your obligations.
Here is the SHIELD Act’s definition of a “small business”: "Small business" shall mean any person or business with (i) fewer than fifty employees; (ii) less than three million dollars in gross annual revenue in each of the last three fiscal years; or (iii) less than five million dollars in year-end total assets, calculated in accordance with generally accepted accounting principles.
So (deep breath) are you a “small business?”
Your answer: ________
Significance: If the answer is “yes,” then your “reasonable security requirements” are tempered: …if the small business's security program contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers.
This analysis is why having an inventory of the private information maintained by your library (or for your library) is critical; depending on the “sensitivity” (or use) of what you maintain, your plan can be adjusted for what is “appropriate.”

11. Diagnostic question: Just to reiterate: if you have gotten this far into the assessment diagnosis, you should probably have a “data breach” plan, even if it is just for coordinating with the entity who holds most of your data.
So: do you have a “Data Security and Data Breach Notification Policy and Procedure?”
Your answer: ________
Significance: As can be seen in the factors cited in the sections above, policy and procedures related to data security and data breach notification cannot be a cookie-cutter based simply on what other libraries do. Your policy and practices will be governed by many factors.

12. Diagnostic question: Are you insured for data breach and recovery?
Your answer: ________
Significance: This is a great question to ask your insurance carrier! You should also be familiar with their notice requirements in the event of a hack or breach.

13. Diagnostic question: Who at your institution is responsible for coordinating your data security program?
Your answer: ________
Significance: This responsibility should be confirmed in a job description and reinforced with regular training. Working with your system or other larger supporting entity may be important, too.

14. Diagnostic question: Who are your outside contractors assisting with emergency response in the event of data breach?
Your answer: ________
Significance: This is a good standing contract to have, and one that systems and councils might consider jointly negotiating for on behalf of members (and hopefully it is a service you never need to invoke!).

15. Diagnostic question: Did you ever think, when you chose a library career, you’d get to moonlight in IT?
Your answer: ________
Significance: IT and libraries: two great tastes that go great together….with enough planning.
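Items 2 and 10 of the form turn on one question a data inventory has to answer for every system: does what is stored meet SHIELD’s definition of “private information,” or is it personal information only? The definition has a structure that is easy to get wrong when reading it quickly: prong (i) only bites when an enumerated element (SSN, license number, account number plus access code, a card number usable on its own, biometrics) sits next to something that identifies the person, while prong (ii) (online-account credentials) needs no name at all. The script below, an added example that is not part of the original column or the statute, applies that structure to a constructed inventory; the store names and field labels are invented for illustration, and whether a card number can be used “without additional identifying information” (item (4) of the definition) is a fact only the system owner can supply, so it is an explicit input rather than something the code guesses.

```python
"""Classify a data inventory against the SHIELD Act's "private information"
definition as quoted in item 2 of the diagnostic form.

Added example; field names and the sample inventory are constructed.
"""
from dataclasses import dataclass

# "Personal information": anything that can identify a natural person.
# Map your own column names onto these labels (they are assumptions).
IDENTIFIER_FIELDS = {"name", "library_card_number", "email", "username"}


@dataclass(frozen=True)
class DataStore:
    name: str
    fields: frozenset
    # Definition item (4): could the account/card number alone be used to
    # reach the financial account?  Only the system owner can answer this.
    account_number_usable_alone: bool = False


def classify(store):
    """Return the definition items that make the store's data "private
    information".  An empty list means the store holds personal information
    at most, so SHIELD's breach-notification and safeguard duties are not
    triggered by this store on its own."""
    f = store.fields
    reasons = []
    # Prong (i) applies only when the store ALSO holds personal information.
    if f & IDENTIFIER_FIELDS:
        if "ssn" in f:
            reasons.append("(i)(1) social security number")
        if "drivers_license" in f:
            reasons.append("(i)(2) driver's license or non-driver ID number")
        if "account_number" in f and ({"access_code", "password"} & f):
            reasons.append("(i)(3) account number with security/access code")
        elif "account_number" in f and store.account_number_usable_alone:
            reasons.append("(i)(4) account number usable without additional information")
        if "biometric" in f:
            reasons.append("(i)(5) biometric information")
    # Prong (ii) stands on its own: credentials that open an online account.
    if ({"username", "email"} & f) and ({"password", "security_question_answer"} & f):
        reasons.append("(ii) user name or e-mail with password or security Q&A")
    return reasons


def inventory_report(stores):
    """Map each store name to its triggering items, for the item 10 inventory."""
    return {s.name: classify(s) for s in stores}


# Constructed sample inventory (not from the page).
SAMPLE_INVENTORY = [
    DataStore("patron_records", frozenset({"name", "address", "library_card_number"})),
    DataStore("payroll", frozenset({"name", "ssn", "account_number", "access_code"})),
    DataStore("catalog_logins", frozenset({"username", "password"})),
    DataStore("donor_cards", frozenset({"name", "account_number"}),
              account_number_usable_alone=True),
    DataStore("donor_cards_tokenized", frozenset({"name", "account_number"})),
    # Biometric data with no identifier attached: not prong (i) as written.
    DataStore("turnstile_scans", frozenset({"biometric"})),
]

if __name__ == "__main__":
    for store_name, reasons in inventory_report(SAMPLE_INVENTORY).items():
        if reasons:
            print(f"{store_name}: PRIVATE information via {'; '.join(reasons)}")
        else:
            print(f"{store_name}: personal information at most")
```

Two of the constructed rows are the ones worth pausing on. The tokenized card store holds a name and a card number but is not flagged, because the owner has recorded that the number cannot be used alone; change that one input and the same fields become private information under item (4). The turnstile store holds biometrics but no identifier, so prong (i) does not apply as quoted; if the scans are ever linked to patron records, the classification changes, which is exactly the kind of “business change” the administrative safeguards in (A)(6) expect you to re-check.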
And that’s the SHIELD Act.[6]
How does a small not-for-profit tackle this expansion of data security laws? Like anything else: inventory your status under the law, establish a goal for compliance, develop a budget and a plan, make sure the responsibility is appropriately allocated, confirm insurance coverage alignment, use all the resources at your disposal (your system, council, insurance carrier, and board members who have lived through data breach compliance) and get it done.
In practical terms, this also means:
The penalties for violation of the SHIELD Act are $5,000 per violation, in an action brought by the New York Attorney General (the law doesn’t create a private right to sue). Other changes to the law make it easier for the AG to learn of data breaches, and to coordinate with other law enforcement agencies trying to combat them. As we envisioned at the beginning of this article, the stakes for a breach are high.
But don’t worry. No matter where your diagnosis falls, remember: libraries have been operating under heightened privacy obligations since before there were computers. That mindset (awareness of an ethical duty to protect privacy) is the most important part of a program to minimize the risk of breaches.
You’ve got this.
Thanks for a great question.
***A data security program includes the following:
(A) reasonable administrative safeguards such as the following, in which the person or business:
(1) designates one or more employees to coordinate the security program;
(2) identifies reasonably foreseeable internal and external risks;
(3) assesses the sufficiency of safeguards in place to control the identified risks;
(4) trains and manages employees in the security program practices and procedures;
(5) selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
(6) adjusts the security program in light of business changes or new circumstances; and
(B) reasonable technical safeguards such as the following, in which the person or business:
(1) assesses risks in network and software design;
(2) assesses risks in information processing, transmission and storage;
(3) detects, prevents and responds to attacks or system failures; and
(4) regularly tests and monitors the effectiveness of key controls, systems and procedures; and
(C) reasonable physical safeguards such as the following, in which the person or business:
(1) assesses risks of information storage and disposal;
(2) detects, prevents and responds to intrusions;
(3) protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
(4) disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
[1] “We just need your bank information to refund your library fees since 1987 with interest!”
[2] SHIELD stands for "Stop Hacks and Improve Electronic Data Security".
[3] Why? Well, if you’re lucky, it’s because it will be boring. But chances are, it will be all too exciting, as you discuss the different types of data your library maintains and explore the data security obligations that come with it. And if that happens, you’ll need one person filling in the form, while the other one looks up information—and you’ll both want someone to share your sense of urgency when it’s over.
[4] NOTE: This is a huge change in the law, which used to only apply to businesses in New York. Now it applies to any business that collects the information of New Yorkers; a big difference and one that impacts businesses out-of-state.
[5] Institutions subject to HIPAA have special provisions to ensure disclosure obligations aren’t redundant.
Tags: Data, Digital Access, Policy, SHIELD Act, Templates