On May 7, 2021, a cyberattack forced Colonial Pipeline, one of the United States’ largest oil pipelines, to close its operations and freeze its IT systems. Due to the attack, gas prices rose to their highest levels in three years. This led to consumers panic-buying gasoline (some even in plastic bags) and gas stations running out of fuel. Eventually, Colonial Pipeline paid a $4.4 million ransom to the hacker group Darkside, to end the attack and continue operations.
If the Colonial Pipeline hack has taught us anything, it is that every business should have a cybersecurity program in place in case of a breach. Not only is it good business practice, but if your business collects information from New York residents, then it is probably required by law to enact a cybersecurity program. New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act” or “Act”) went into effect in March of 2020 and has major implications for businesses big and small.
The jurisdiction of the SHIELD Act is intentionally broad. The SHIELD Act does not apply just to New York businesses, but to every business that collects data from New York residents. The SHIELD Act requires that “any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.” But what safeguards are considered reasonable?
Although the Act does not mandate specific safeguards to be in the cybersecurity plan, it does provide some safeguards that are presumptively “reasonable.” A business should, at minimum, consider implementing the following administrative, technical, and physical safeguards.
Reasonable Administrative Safeguards
Administrative safeguards are centered around procedures and maintenance of the later discussed technical and physical safeguards. These ensure that businesses have policies in place to protect the private information they collect. All safeguards should be continually monitored and adjusted to fit the needs of the business’s activities and the sensitivity of the private information being collected. The Act suggests that inclusion of the following administrative safeguards in a security program is reasonable, in which a business:
- Designates one or more employees to coordinate the security program;
- Identifies reasonably foreseeable internal and external risks;
- Assesses the sufficiency of safeguards in place to control the identified risks;
- Trains and manages employees in the security program practices and procedures;
- Selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
- Adjusts the security program in light of business changes or new circumstances.
Reasonable Technical Safeguards
Technical safeguards relate to the technology and software a business uses to store and process the private information it collects. These safeguards make sure that such private information is not easily accessible by an unauthorized user. Inclusion of the following technical safeguards in a security program is reasonable, in which a business:
- Assesses risks in network and software design;
- Assesses risks in information processing, transmission, and storage;
- Detects, prevents, and responds to attacks or system failures; and
- Regularly tests and monitors the effectiveness of key controls, systems, and procedures.
Reasonable Physical Safeguards
Physical safeguards refer to a business’s policies to protect its hardware and equipment such as computers, hard drives, servers, or anything else that physically stores private information. They also deal with the disposal of private information a reasonable time after it is no longer needed by a business. Inclusion of the following physical safeguards in a security program is reasonable, in which a business:
- Assesses risks of information storage and disposal;
- Detects, prevents, and responds to intrusions;
- Protects against unauthorized access to or use of private information during or after the collection, transportation, and destruction, or disposal of the information; and
- Disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
Failing to Enact a Security Program
Although the Act does not create a private right of action, violations can be met with serious consequences. The NYS Attorney General (“AG”) can seek fines and penalties against violators or suspend the person or entity’s operations until they get into compliance. Even though the Act is fairly new, the AG has already used this power to force major companies into compliance.
By the end of March 2020, there were growing concerns among law enforcement and government entities about the security measures taken by Zoom’s video conferencing platform. As Zoom grew more popular due to the COVID-19 pandemic, so did the number of hackers disrupting private video conferences. This was due to flaws in Zoom’s security procedures. In response, the AG entered into an agreement with Zoom that required Zoom to get into compliance with certain state laws and to implement a formal security program. Although the agreement did not mention the SHIELD Act by name, the safeguards the AG required Zoom to implement in its security plan strongly resemble the administrative, technical, and physical safeguards stated in the Act. Zoom acted quickly in response to the AG’s actions.
Later in 2020, the AG entered into a similar agreement with Dunkin’ Brands, Inc. (“Dunkin”). Dunkin had experienced a cyber-attack in which hackers obtained its customers’ DD Perks account information. The AG entered into an agreement under which Dunkin was fined $650,000 and required to implement and maintain a comprehensive security program. Again, the agreement did not mention the SHIELD Act by name, but the safeguards that Dunkin was required to enact were extremely similar to the safeguards described in the Act.
Until a federal cybersecurity law is enacted, New York’s SHIELD Act is laying the foundation to create the standard cybersecurity practices that private businesses must follow. The AG’s agreements with Zoom and Dunkin appear to be establishing the standard for reasonable security practices.
Your organization’s obligations regarding the SHIELD Act are based upon its circumstances. Implementation of a cybersecurity program can be facilitated by the advice of experienced legal counsel. Please feel free to reach out to attorneys Justin Furry or Christopher Baiamonte at the Wladis Law Firm at (315) 445-1700 with questions regarding anything in this article.
Justin S. Furry
Mr. Furry received his BBA from the University of Toledo and his JD from Syracuse University College of Law.