Data Security Requirements Under New York SHIELD Act


On July 25, 2019, New York State Governor Andrew Cuomo signed the “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act). The SHIELD Act amends New York’s General Business Law and is an expansion of New York’s existing cyber security and data breach notification laws. The act was updated to keep pace with individual use and dissemination of private information.

The SHIELD Act broadens the definition of a data breach to include unauthorized access to private information, and it expands the scope of information covered by the existing data breach notification law to include biometric information (physical characteristics that verify an individual’s identity, e.g., a fingerprint) and email addresses together with their corresponding passwords or security questions and answers.

The SHIELD Act requires that businesses handling the personal information of New York State residents have “reasonable safeguards” in place to “protect the security, confidentiality, and integrity” of that information. If New York residents’ information is collected electronically, reasonable security measures must protect that data. Businesses are “deemed in compliance” with the statute’s requirement to “implement and maintain reasonable safeguards” if:

1. The business complies with one of a list of regulatory frameworks, including:

a. Health Insurance Portability and Accountability Act (HIPAA)

b. Gramm-Leach-Bliley Act (GLBA)

c. New York Department of Financial Services Cybersecurity Regulations (23 NYCRR 500)

d. Any other data and security rules and regulations administered by a federal or New York State government department, division, commission, or agency.

2. The business implements a data security program that includes the specific elements listed below.

Alternatively, an entity’s data security program can be deemed in compliance with the statute’s requirements if it includes:

1. Reasonable Administrative Controls

  • Designates one or more employees to coordinate the security program
  • Identifies reasonably foreseeable internal and external risks
  • Assesses the sufficiency of safeguards in place to control the identified risk
  • Trains and manages employees in the security program practices and procedures
  • Selects service providers capable of maintaining appropriate safeguards and requires those safeguards by contract
  • Adjusts the security program in light of business changes or new circumstances (e.g., COVID-19 / remote workforce)

2. Reasonable Technical Controls

  • Assesses network and software design risks
  • Assesses risk in data processing, transmission, and storage
  • Incident detection and response
  • Regular testing and monitoring of key controls and systems

3. Reasonable Physical Controls

  • Assesses risks of information storage and disposal
  • Detects, prevents, and responds to intrusions
  • Protects against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information
  • Disposes of private information within a reasonable amount of time after it is no longer needed for business purposes

A reasonable cybersecurity posture uses measures to mitigate risks and includes a plan for responding to a breach of, or unauthorized access to, the data held.

Failure to comply with these data security requirements will be deemed a violation of the state’s prohibition on deceptive acts and practices. The New York Attorney General may pursue civil penalties of up to $5,000 per violation under the New York General Business Law Section 350-d. However, data security provisions do not create a private right of action.

In light of the SHIELD Act and the many changes prompted by the COVID-19 pandemic, businesses should perform a thorough audit and assessment of their data security practices, including their physical, administrative, and technical controls. Beckage works with clients of various sizes and complexities to review their current policies, procedures, and governance, and to navigate questions about the technical safeguards and controls that are in place. Beckage can perform a Rapid Risk Assessment, done under privilege, to uncover issues that need to be remediated and help implement a proactive plan to address the SHIELD Act as well as any related data privacy legislation. Our team can help you better understand the legal implications surrounding the cybersecurity of personal information and the legal repercussions that can follow.

*Attorney Advertising. Prior results do not guarantee a similar outcome.

New Potential NYSBA Training Requirement Highlights Interplay of Cybersecurity and Ethical Obligations

The New York State Bar Association (NYSBA) has approved a report from the NYSBA Committee on Technology and the Legal Profession that recommends amending the mandatory continuing legal education (CLE) rule to include cybersecurity training. If approved by the CLE board, the new rule would require New York attorneys to take one CLE cybersecurity credit every two years and would make New York State the first to implement a specific cybersecurity requirement.

The recommendation comes on the heels of the SHIELD Act, a law that took effect this past March and requires businesses (including law firms) to use reasonable safeguards to protect New York residents’ personal information, and the COVID-19 pandemic, which has forced nearly everyone to move business online. As lawyers do more work from home on personal devices and networks without the safety net of their corporate security systems, it’s more important than ever for them to understand the cybersecurity risks and safeguards that need to be in place.

What are an attorney’s ethical obligations regarding cybersecurity?

The ethical guidelines that every attorney must adhere to certainly cover cybersecurity in broad terms. Protecting client information is a top priority, for example, whether that information is on paper or online. There are also many ethics obligations focused on communications and confidentiality, including safeguarding confidences competently and acting responsibly if an unauthorized disclosure occurs. Generally, lawyers are expected to implement reasonable administrative, technical, and physical safeguards to protect their clients. These safeguards are particularly important when dealing with PHI and are mandated by HIPAA:

Administrative safeguards are the policies and procedures that help protect against a breach, including documentation processes, training requirements, data maintenance policies and more. These administrative protections also ensure that the physical and technical safeguards are implemented correctly.

Physical safeguards make sure data is physically protected. Security systems, video surveillance, locks on doors, and even rules about mobile device usage are physical safeguards.

Technical safeguards are the technologies and related policies that lawyers and firms enlist to protect data from unauthorized access.

The American Bar Association has issued guidance on data privacy and cybersecurity obligations that echoes these safeguards, noting that attorneys are expected to develop and implement data privacy and security programs, monitor for data breaches, and understand the basic features of relevant technology in order to serve their clients competently. The potential new CLE requirement will help ensure that New York attorneys are familiar with these obligations and, hopefully, better equipped to fulfill them. Cybersecurity is becoming an increasingly important part of any law practice, and it is critical that attorneys have the tools and knowledge to uphold their ethical responsibilities in the digital age. Our Beckage team works with law firms of various sizes and scope to implement data security programs designed to protect the security, confidentiality, and integrity of private information.

Beckage Urges NYS AG To Delay SHIELD Act Enforcement

In light of the rapidly evolving COVID-19 pandemic and the unprecedented changes to the New York workforce and network infrastructure, Beckage PLLC has asked New York Attorney General (AG) Letitia James to delay the March 21 compliance milestone and general enforcement of the New York State Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) by six months.

By letter dated March 18, 2020, the law firm Beckage, on behalf of a range of its clients which cut across industries and size in New York State, asked the AG to provide this relief for companies as well as a concurrent postponement of enforcement actions and civil penalties to allow companies throughout New York State to work to update their administrative, physical, and technical controls in light of the current pandemic.

For background, phase two of the SHIELD Act’s implementation has a compliance deadline of March 21, 2020. This milestone requires companies handling NYS resident data to have certain administrative, physical, and technical controls and policies in place by that date for data security protection.

Leading up to March 21, companies were forced to respond to the COVID-19 outbreak and shift overnight to a remote workforce while still meeting phase two of the SHIELD Act. Companies throughout the state have experienced sudden changes in a very short period as they adapt to the pandemic. Accordingly, any prior SHIELD Act compliance work needs to be reviewed and updated as necessary.

Considering the COVID-19 pandemic, for which Governor Cuomo issued a state-wide emergency declaration on March 13, 2020, Beckage’s letter to the AG highlighted the significant challenges the pandemic poses for SHIELD Act compliance.

Jennifer A. Beckage of Beckage said, “Businesses throughout the State are moving hundreds, if not thousands, of employees to remote workforce and cloud-based environments and are dedicating extensive Information Technology and HR resources to these efforts. The diversion of these resources to COVID-19 efforts means that many organizations may not have the resources to meet the SHIELD Act’s March 21, 2020 milestone.” Additionally, even organizations with extensive resources that have already taken steps to comply with the Act by the milestone are now seeing their entire enterprise shift in light of COVID-19. As Ms. Beckage explained, “By moving to remote workforces overnight, existing policies, practices, network infrastructure, and risk assessments may have completely changed, rendering current policies in some respects irrelevant or obsolete, or requiring updates to existing administrative, physical and technical controls.”

Beckage supports the goals of the SHIELD Act and applauds New York’s efforts to keep the state’s laws up to date with current technology. Beckage is collecting comments on behalf of businesses impacted by the SHIELD Act; these will be anonymized and included in a report that Beckage will submit to the New York AG’s office as it continues to seek relief from the AG. Should you wish to be included, please submit your comments through our SHIELD Act comment portal by emailing shieldactcomments@beckage.com.