
New York Tightens Data Security Laws Amidst Increased Cyber-Crime Risks

Cyber-criminals are taking full advantage of the COVID-19 pandemic, leveraging IT resources that are stretched thin or employees who are facing a multitude of confusing new situations and technologies. For their part, governments across the board have responded with detailed guidance and dire warnings about the increased risks. The FBI and Department of Homeland Security (DHS) have issued almost daily updates highlighting increases in ransomware, phishing and online fraud. But, companies also face a different set of heightened risks from enforcement of more demanding data security and privacy laws, and these efforts are not being delayed or throttled back. New York, which, like California, has been a trend setter in data security laws, has now fully implemented the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”), which increases the potential liability for any organization that holds the private information of New York residents.

As we previously reported, the SHIELD Act was signed into law on July 25, 2019, and has come into effect in two phases:
 
  1. Revised breach notification requirements that went into effect on October 23, 2019; and
  2. Requirement, as of March 21, 2020, that organizations subject to the Act adopt data security safeguards as laid out in the law.

SHIELD implements a comprehensive and far more demanding data security approach for New York—broadening data breach notification obligations by expanding the definition of “private information;” expanding the definition of “breach” to include the unauthorized access to private information, not just unauthorized acquisition; and prescribing additional governmental agency reporting and notice content requirements.

Effective March 21, 2020, the Act mandates that organizations in possession of New York residents’ private information “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.”[1] In the sections that follow, we address some of the key questions that any company with ties to New York should consider with respect to complying with the SHIELD Act.

Does the SHIELD Act Affect Your Organization?

Any organization that maintains the private information of New York residents must comply with the SHIELD Act. This includes every employer with employees in New York that collects private information such as Social Security numbers to complete IRS W-2 forms. Thus, the Act subjects many out-of-state companies to new data security and privacy compliance obligations regardless of corporate structure, revenues or location.

The Act does not provide threshold minimums for compliance. Rather, the Act only takes the size of a company into account when determining the reasonableness of data protection programs, but there is no blanket exemption for small businesses.

Penalties

Violations of the SHIELD Act are considered deceptive acts or practices and may be enforced by the New York Attorney General. The Act does not authorize a private right of action, but violators may be liable for a civil penalty of up to $5,000 per violation, with no cap on the total penalty. Failing to comply with the reasonable security requirements could quickly add up depending on how New York’s Attorney General chooses to define “per violation.” In addition, a company may be fined up to $250,000 for failing to notify the Attorney General when a breach occurs.

What is Reasonable Security?

Companies must develop, implement and maintain a data security program that addresses the following safeguards and considerations:
 
Administrative Safeguards:
 
  • Designate one or more employees to coordinate the security program;
  • Identify reasonably foreseeable internal and external risks;
  • Assess the sufficiency of safeguards in place to control the identified risks;
  • Train and manage employees in the security program practices and procedures;
  • Select service providers capable of maintaining appropriate safeguards, and require those safeguards by contract; and
  • Adjust the security program in light of business changes or new circumstances.

Technical Safeguards:
 
  • Assess risks in network and software design;
  • Assess risks in information processing, transmission and storage;
  • Detect, prevent, and respond to attacks or system failures; and
  • Regularly test and monitor the effectiveness of key controls, systems, and procedures.

Physical Safeguards:
 
  • Assess risks of information storage and disposal;
  • Detect, prevent, and respond to intrusions;
  • Protect against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information; and
  • Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

If your company is already subject to and compliant with another data security regulation, including the Gramm-Leach-Bliley Act, HIPAA or the New York State Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies, then you may be deemed compliant with the SHIELD Act.

NYDFS Compliance

Apart from the SHIELD Act, certain financial services companies are also subject to New York State Department of Financial Services’ (NYDFS) regulations on Cybersecurity Requirements For Financial Services Companies (the “Regulation”). The Regulation applies to any individual or any non-governmental entity operating “under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” (a “Covered Entity”).

The Regulation creates additional dimensions of cybersecurity compliance for Covered Entities and prescribes certain minimum regulatory standards for cybersecurity, including encryption of all nonpublic information (both “in-transit” and “at-rest”), improved multi-factor authentication and a comprehensive vendor and third-party risk management program.

While there are many similarities to the SHIELD Act described above, the Regulation also has many unique requirements.

For example, the Regulation mandates executive board oversight and involvement in the cybersecurity program, and even exposure to individual liability if the Covered Entity’s program is found to be noncompliant. Moreover, the Regulation requires an affirmative statement from a senior officer or executive board member of the Covered Entity, attesting to compliance with the Regulation. These statements must be filed yearly and must also disclose any known areas of non-compliance.

Another key requirement of the Regulation is the need for Covered Entities to report Cybersecurity Events to the NYDFS as promptly as possible and within 72 hours at the latest. The 72-hour deadline can present a serious compliance challenge for many Covered Entities and puts a premium on having a practiced and effective incident response plan.

Cyber-crime risks have increased dramatically during the past months in sync with the COVID-19 pandemic and the shift to a remote workforce. Government enforcement entities are fully aware of these dynamics and have been actively cautioning companies to be on alert. The NYDFS issued an industry letter highlighting the increased risks for Covered Entities and their continuing obligations under the Regulation, noting that Covered Entities should review their risks around:
 
  • Remote access connections and use of Multi-Factor Authentication (MFA);
  • Bring-your-own-devices (BYOD) with access to Nonpublic Information[2] and whether they are secured with appropriate end-point protections (e.g. anti-virus, local disk encryption);
  • Secure communication platforms (e.g. videoconferencing, telephonic conference lines) and risks for unauthorized access;
  • Training to personnel on new phishing threats and fraud tactics capitalizing on the COVID-19 pandemic.

Covered Entities should also review risks presented by their third-party vendors and service providers, because many of these are struggling to maintain their capabilities during the pandemic. Among the areas of concern are whether a service provider’s workforce is capable of remote working in a secure manner and whether the service providers have implemented additional controls.

The COVID-19 pandemic has required companies to dramatically alter their normal business operations, in a manner most had never contemplated until recently. This “new normal” brings new risks and cyber-threats. Companies located in New York state or that otherwise possess private information of New York residents should promptly evaluate the sufficiency of both their internal programs and the third-party vendors and service providers they use for compliance with the comprehensive data security protection requirements of NYDFS and the SHIELD Act.

Ice Miller has the professionals and experience to help clients develop data security and privacy programs to comply with the requirements of New York’s laws and regulations. To speak to an attorney, please contact Guillermo Christensen, a partner in the Data Security and Privacy practice based in DC and New York, Sid Bose or Tiffany Kim.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
 
[1] S.5575B § 4 (emphasis added)
[2] The Regulation (23 NYCRR 500.01(f)) defines Nonpublic Information to include data/information such as: Business-related information of a Covered Entity; information concerning an individual (e.g. name, number, personal mark, social security number, drivers’ license number or non-driver identification card number, financial accounts information, etc.)