More data records have been exposed thus far in 2020 than in all of 2019, with more than 8.4 billion records being exposed in Q1 alone. That’s a 273% increase from Q1 2019, which saw 4.1 billion records exposed.
According to the IBM/Ponemon Institute “Cost of a Data Breach Report 2020,” sensitive information (PII/SPI) was compromised in 80% of the breached organizations, with lost business costs accounting for nearly 40% of the average total cost of the data breach. Data breaches have been costly for companies of all sizes over the last five years, and it’s estimated that cyber attack damages will hit $6 trillion globally by 2021 (Cybercrime Magazine). This is scary, and the trend isn’t going to get better any time soon.
These are unprecedented times; states across the U.S. have begun to act by developing laws to ensure that businesses protect U.S. citizens’ personal information.
Effective as of March 21, 2020, New York enacted one of the most aggressive state data breach notification laws in the United States, the “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act. This law applies to any person or business (even those operating outside of New York) that collects and maintains New York residents’ “private information.”
As a result, businesses should reassess their cyber security strategies for collecting, processing and storing consumer personal information.
Although the SHIELD Act applies to “any person or business that owns or licenses computerized data, which includes private information, of a resident of New York,” the SHIELD Act’s data security obligations include some relief for small businesses, defined as any person or business with:
An applicable business must still maintain a security program and adopt “reasonable” administrative, technical and physical safeguards based upon the size and complexity of its operations, the scope of its activities and the sensitivity of the personal information the small business collects.
Any person or business that determines an incident has occurred involving the private information of more than 500 New York residents is required to notify the NYS attorney general within 10 days of that realization.
Penalties are $20 per failed notification with a maximum penalty of $100,000 to $250,000. For “reasonable safeguard” requirement violations, penalties are up to $5,000 per violation.
Resting on your laurels isn’t good enough in this day and age, and you do not want to be the one with harmful and costly regrets. You must act… The upfront investment, compared to the extreme recovery costs, will prevent needless pain after the fact.
If you have any questions or would like to discuss the recommended SHIELD Act compliance strategies, please contact your Anchin Relationship Partner.