Data Security Requirements Under New York SHIELD Act

Data Security Requirements Under New York SHIELD Act

On July 25, 2019, New York State Governor Andrew Cuomo signed the “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act). The SHIELD Act amends New York’s General Business Law and is an expansion of New York’s existing cyber security and data breach notification laws. The act was updated to keep pace with individual use and dissemination of private information.

The SHIELD Act is designed to broaden the definition of data breaches to include unauthorized access to private information as well as expand the scope of information subject to the current data breach notification law to include biometric information (physical characteristics that verify an individual’s identity, i.e. fingerprint) and email addresses and their corresponding password or security questions with answers. Learn more about the SHIELD Act’s new requirements here.

The SHIELD Act requires that businesses that handle personal information of New York State residents’ must have “reasonable safeguards” in place to “protect the security, confidentiality, and integrity” of that information. If collecting New York residents’ information electronically, there must be reasonable security measures to protect that data. Businesses are “deemed in compliance” with the statute’s requirements to “implement and maintain reasonable safeguards” if:

1. Business complies with of a list of regulatory frameworks including:

a. Health Insurance Portability and Accountability Act (HIPAA)

b. Gramm-Leach Bliley Act (GLBA)

c. New York Department of Financial Services Cybersecurity Regulations (23 NYCRR 500)

d. Any other data and security rules and regulations administered by a federal or New York State government department, division, commission, or agency.

2. Business implements a data security program that includes specific elements.

Alternatively, an entity’s data security program can be deemed in compliance with the statute’s requirements if it includes:

1. Reasonable Administrative Controls

  • Designates one or more employee to coordinate the security program
  • Identifies reasonably foreseeable internal and external risks
  • Assesses the sufficiency of safeguards in place to control the identified risk
  • Trains and manages employees in the security program practices and procedures
  • Selects service providers capable of maintaining appropriate safeguards and requires those safeguards by contract
  • Adjusts the security program in light of business changes or new circumstances (e.g., COVID-19 / remote workforce)

2. Reasonable Technical Controls

  • Assesses network and software design risks
  • Assesses risk in data processing, transmission, and storage
  • Incident detection and response
  • Regular testing and monitoring of key controls and systems

3. Reasonable Physical Controls

  • Assesses risks of information storage and disposal
  • Detects, prevents, and responds to intrusions
  • Protects against unauthorized access to or use of privacy information during or after the collection, transportation, and destruction or disposal of the information
  • Disposes of private information within a reasonable amount of time after it is no longer needed for business purposes

Reasonable cybersecurity posture will use measures to mitigate risks and will have a plan designed in the case of a breach or unauthorized access to data held.

Failure to comply with these data security requirements will be deemed a violation of the state’s prohibition on deceptive acts and practices. The New York Attorney General may pursue civil penalties of up to $5,000 per violation under the New York General Business Law Section 350-d. However, data security provisions do not create a private right of action.

In light of the SHIELD Act and many of the changes prompted by the COVID-19 pandemic, businesses should perform a thorough audit and assessment of their data security practices, including their physical, administrative, and technical controls. Beckage works with clients of various sizes and complexities to review their current policies and procedures in place, governance matters, and navigate questions about the technical safeguards and controls that are in place. Beckage can perform a Rapid Risk Assessment, done under privilege, to uncover things that need to be remediated and help implement a proactive plan to address the SHIELD Act as well as any related data privacy legislation. Our team can help you better understand the legal implications surrounding the cyber security of personal information and the legal repercussions that follow suit.

*Attorney Advertising. Prior results do not guarantee a similar outcome.

Subscribe to our newsletter.

Social MediaSocial Media in the Workplace? Here’s How to Make it Work.

Social Media in the Workplace? Here’s How to Make it Work.

Twitter, Instagram and Facebook are now an everyday part of our lives, and that includes in the workplace. But while social media can be an excellent communication and marketing tool for businesses, personal use of social media at work can interfere with productivity and pose some serious data and cybersecurity risks. So how can businesses mitigate these risks and help make sure the company isn’t trending for all the wrong reasons?

Create an Acceptable Media Use Policy

Make sure you have a clearly outlined social media use policy in place, such as an Acceptable Media Use Policy. These policies typically warn employees that they:

o May not divulge trade secrets or confidential or proprietary information online

o Can be held accountable for content they post on the Internet—whether in the office, at home or on their own time—particularly if something they post or share violates other company policies

o May need approval (from a specific person or department) before posting certain types of information that could be associated with the organization, employees or customers

The most successful social media use policies also:

o Explain employee productivity expectations in conjunction with social media habits

o Provide examples of policy violations

o Explain disciplinary measures for policy violations

Overall, employees need to understand that they are ambassadors for the organization’s corporate brand. What they write on social media could be disseminated to the world—even if they only share it with their “friends.” Encourage employees to think twice before posting comments they would not say out loud or that they would not want their CEO or grandparents to see. Employees should be encouraged to use disclaimers and speak in the first person to make it clear that any opinions expressed are not those of their employer.

A note for unionized workforces: Employers operating in union environments need to be mindful of additional requirements that may impact their policies under the National Labor Relations Act (NLRA).  Under the NLRA, policies that are too broad or too restrictive might interfere with a workers’ right to complain about their employer and discuss the terms and conditions of employment with other employees. Always review any policies with counsel before implementing to make sure they are suitable for your particular circumstance.

Make Training Mandatory

Even the best social media policies won’t go far if employees aren’t properly trained on social networking’s benefits and pitfalls. Training should be succinct and interactive, including real -examples and table-top exercises on both the specifics of your social media use policy and more general best practices for using social media responsibly.

At Beckage, we encourage employers to leverage training such as Cybersecurity Best Practices 101, which covers topics like network security and protecting confidential and proprietary information. Organizations must educate employees about how a downloaded application or even a simple click can infect computers and the network at large. A critical concern about social networking platforms is that they encourage people to share personal information. Even the most cautious and well-meaning people can give away the wrong kind of information on company-approved social networking platforms.

Address Negative Incidents Promptly

If it seems like an employee is misusing social media at work or there’s a negative incident, it’s important to promptly investigate, document all conversations, review internal policies and procedures and take disciplinary action if warranted.

But be aware that workers’ speech is protected in certain situations. In addition to the National Labor Relations Act, federal and state employment laws protect employees who complain about harassment, discrimination, workplace safety violations and other issues.

Be Careful Using Social Media During the Hiring Process

Employers must exercise caution when using social networks during the recruiting or hiring processes. Social media can play a role in the screening process, but employers should consider when and how to use social media this way and weigh potential legal pitfalls.  For example, a candidate could claim that a potential employer did not offer a job because of legally protected information found on a social networking site (such as race, ethnicity, age, associations, family relationships or political views)

In short, successfully managing social media in the workplace comes down to the employer’s policy: in today’s workplace all employers should have a robust policy, train on it annually, and then consistently enforce it. If you’re not sure where to start, turn to experienced legal counsel to craft a social media policy that works for your company culture and brand. The experienced team at Beckage PLLC can help navigate state and federal laws, pinpoint potential social media pitfalls, and ultimately set your employees on the path to social media savvy.

*Attorney Advertising. Prior results do not guarantee a similar outcome.

Subscribe to our newsletter.

BrazilBrazil’s New Privacy Law: What Your Business Needs To Know

Brazil’s New Privacy Law: What Your Business Needs To Know

Brazil’s New Privacy Law: What Your Business Needs To Know

The Lei Geral de Proteção de Dados (LGPD) is Brazil’s General Data Protection law that creates a legal framework for the use of personal data that is processed or related to individuals in Brazil. The LGPD is largely aligned with the EU’s General Data Protection Regulation (GDPR), one of the  toughest privacy and security laws in the world that imposes obligations on organizations that target and collect data from subjects in the EU. Similarly, the LGPD is a comprehensive approach to personal data protection for individuals in Brazil. The LGPD goes into effect on August 16, 2020.

Does the LGPD Apply to My Business?

The LGPD applies to any business, regardless of its location in the world, that processes personal data of the people of Brazil, personal data collected in Brazil, and personal data associated with the offering of goods or services in Brazil. Personal data is broadly defined by the LGPD to include any information related to an identified or identifiable natural person. Personal data can include names, identification numbers, online identifiers and locators, or can extend to psychological, mental, or economic facts. Anonymized data is not considered personal data. Similar to the GDPR, an organization must have a valid basis for processing personal data under the LGPD. The LGPD also grants Brazilian residents a number of rights over their personal data including access to personal data, deletion of personal data processed with consent, and access to information about entities with whom the organization has shared the individual’s personal data.

There are a few exceptions to the LGPD, namely:

1. Data processed by a person strictly for personal reasons,

2. Data processed exclusively for journalistic, artistic, literary, or academic purposes, and

3. Data exclusively processed for national security, national defense, public safety, a criminal investigation, etc.

Other fundamental rights under the LGPD include:

• Right to confirmation of the existence of the processing

• Right to correct incomplete, inaccurate, or out-of-date data

• Right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD

• Right to the portability of data to another service or product provider, by means of an express request

• Right to information about possibility of denying consent and consequences of such denial, and

• Right to revoke consent.

Similar to what we have seen under other privacy paradigms such as the GDPR, CCPA and NY Shield Act, the LGPD requires controllers and processors to adopt technical and administrative security measures to protect personal data from unauthorized access. Organizations, in most cases, must appoint a data protection officer responsible for receiving complaints and communications. Additionally, organizations are responsible to report data breaches to the Brazilian authorities and notify the data subject in a “reasonable amount of time” if the breach is likely of risk or harm. If necessary, the National Data Protection Authority can order the controller to adopt privacy protection measures to mitigate the effects of the incident.

The LGPD is not as punitive as the GDPR in sentiment and financial penalties. The LGPD establishes fines of up to 2% of a company’s sales revenue of up to 50 million Brazilian Real, equaling $12,894,500 USD, or 11.2 million Euros. This is compared to the GDPR’s 4% of revenue, up to 20 million Euros per violation.

Brazil’s newly implemented law, reminiscent of the GDPR, requires compliance with strict requirements related to the processing of personal data. Beckage’s team of highly experienced attorneys can work with your business to evaluate whether, and to what extent, privacy laws such as the LGPD, GDPR, CCPA and NY Shield Act apply. Understanding what data your business is collecting, how it is being processed, and with whom that data is being shared are just some of the critical questions that need to be explored with counsel.  Our Beckage team can help you align with the LGPD’s business requirements while implementing controls and mitigating risk.

*Attorney Advertising. Prior results do not guarantee a similar outcome.

Subscribe to our newsletter.

SecurityEU-US Privacy Shield Invalidated: Schrems II Decision Released

EU-US Privacy Shield Invalidated: Schrems II Decision Released

Yesterday, the Court of Justice of the European Union issued the long-awaited decision in Schrems II (Case C-311/18) in which it invalidated the EU-US Privacy Shield data transfer mechanism.  The Court’s decision was based on ongoing concerns that the American surveillance programs, as initially revealed by Edward Snowden, undermine the guaranteed privacy rights of EU-based individuals under Europe’s General Data Protection Regulation.  

Among the takeaways of the decision:

• Privacy Shield Invalidated; immediate effect on Privacy Shield certifications is unknown, although some grace period is expected.

• Immediate disruption in international data transfers where prior basis for such transfers has been invalidated.

• Use of Standard Contractual Clauses remains valid, for now.  However, the Court expressly requires importers and exporters relying on SCCs to verify the legal systems and adequate safeguards in place in the receiving organization’s country.

• Expect to see increase use in Binding Corporate Rules (BCRs), though these can only go so far as they are used for intra-organizational or joint company transfers.

• Expect to see increase use of Data Processing Agreements as organizations rely on contractual basis for consent.

• Organizations must evaluate other bases for transfer, to include consent.  

While the use of Standard Contractual Clauses (SCCs) is allowable, for now, their long-term fate has been called into question by the decision.  Following release of the Schrems II decision, the Irish Data Protection Commission, issued a  statement: “[…] it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.” It adds that the issue “will require further and careful examination, not least because assessments will need to be made on a case by case basis.”

Of note, the Schrems II decision does not concern so called ‘necessary’ data transfers.  Rather, this decision involves the bulk outsourcing of data processing from the EU to the US (typically undertaken for cost/ease reasons).  Accordingly, the impact of the decision may be that more and more companies switch to regional data processing companies for European users.

One thing is clear: the impact of the Schrems II decision will have a significant impact on organizations which rely on the Privacy Shield for international data transfers.  These organizations will need to quickly evaluate data transfer activities and determine whether alternative transfer bases exist.  

Beckage works with clients to evaluate bases for international data transfers, including the use of DPAs, SCCs and on the development of Binding Corporate Rules.  Beckage’s attorneys include dedicated information privacy professionals (CIPP/US) and (CIPP/EU), as certified by the International Association of Privacy Professionals.  

The Schrems II decision is found here:

*Attorney Advertising: Prior results do not guarantee a similar outcome.

Subscribe to our newsletter.

Data BreachBreach Response Checklist

Breach Response Checklist

Having handled numerous headline-making data breaches, we are often asked what are some of the key considerations in incident response.  Below are a few key considerations, but each incident should be evaluated on a case-by-case basis with experienced legal counsel with technology backgrounds.

First Engage Your In-House and Outside Counsel

Legal counsel plays an important role in any data incident, including maintaining the confidentiality of the investigation, protecting applicable internal communication under the attorney-client privilege and work product protections, and anticipating litigation and other legal risks. Counsel will assist in identifying your legal obligations following a data incident, including any customer notification requirements or reporting to government and other authorities. Time is of the essence in any incident response so it’s important to act quickly and engage legal counsel as soon as becoming aware of an incident.

Notify Insurance Broker/Cyber Insurance Carrier

Legal counsel can assist in reviewing insurance policies, determining when notification is needed to preserve coverage rights, and making reports to carriers as appropriate. Insurance will have their own questions and requirements and it is important to provide accurate and timely information as necessary.

Execute Your Data Incident Response Plan

Every organization should have an incident response plan, and test that plan regularly.  Assemble your pre-identified incident response team as soon as there is a reasonable belief that a breach may have occurred.  The incident response team is responsible for managing the organization’s response and mitigation efforts and executing the organization’s incident response plan.  When investigating an incident, the incident response team should make sure legal counsel is part of any communications wherein legal advice is sought in order to help protect the attorney-client privilege and confidentiality.

Once sufficient information about the incident is recorded, deploy your communications team to control internal and external messaging in accordance with your incident response plan. Internal and external communications should be clear, concise, and consistent with other reporting – so be sure legal counsel has reviewed.

Investigate the Incident

At the direction of legal counsel, your designated incident response team member should identify and collect information about the incident, including interviewing involved personnel and documenting the forensic position of the organization (i.e., was any data viewed, modified, or exfiltrated; what personal information was compromised; what measures are necessary to restore the system, etc.).

Mitigate risks by determining whether you have any security gaps or risks, or whether other systems are under threat of immediate danger.  Companies should take steps to address and remediate the source of the breach and evaluate additional protection measures needed to contain the breach and prevent future damage.

Satisfy Any Legal Obligations To Provide Notice To Consumers or Report To Agencies

As of 2018, all 50 states have data breach notification laws with various legal requirements.  Certain states require notification of law enforcement when there is a security breach.  Determine the location of any impacted customers, employees, and/or systems affected by the incident to determine the impact and involvement of various jurisdictional laws.

Learn From the Incident

Data incidents expose the vulnerabilities in an organization’s computer systems. Those vulnerabilities should be addressed to prevent the systems from being exploited in a similar manner in the future. Address any identified weaknesses and determine whether any changes need to be made in your incident response plan or other policies and practices.

About Beckage

If you have questions about creating a legally defensive Incident Response Plan contact sophisticated tech counsel, we would be happy to help. Beckage is a law firm focused only on tech, data security and privacy. Its lawyers are also technologist and former tech business owners. Beckage is also proud to be a certified Minority and/or Women Owned Business Enterprise (MWBE).

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our newsletter.

1 2 3 4