Tuesday, January 26, 2021
Corporate Compliance Insights

The NY SHIELD Act is Coming: Time for a Cybersecurity Checkup?

What Companies Must Do to Ensure Compliance

by Matthew Levine
February 21, 2020
in Cybersecurity, Featured

The New York SHIELD Act will go into effect in just a few weeks, so if your organization serves residents of New York, the time is now to make sure your company is in compliance with the law. Guidepost Solutions’ Matthew Levine provides an overview for compliance pros.

In July 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. Because it takes effect in a matter of weeks (March 21, 2020 to be exact), companies should be thinking about how to address its new cybersecurity requirements, which are substantial.

The SHIELD Act puts into place two significant changes that seek to enhance protection for data privacy. First, the law expands New York’s breach notification requirements in several ways, including by extending its reach to any person or business that owns, uses or licenses computerized data that includes the “private information” of New York residents (as defined in the Act). Reasonably interpreted, this expansive definition reaches every business (with limited exceptions) that holds or uses private information of New York residents – even if the company does not actually conduct business within New York State.

The second major change (and the focus of this article) is the SHIELD Act’s new requirement that entities subject to the law “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.” By this language, the Act creates an entirely new regulatory regime for a very large number of businesses – ranging from global corporations to much smaller entities – that hold or use New Yorkers’ private information. Much like the California Consumer Privacy Act, which went into effect January 1, 2020, the impact of this regulation may cross state and national borders, significantly affecting how business is conducted in the U.S. and beyond.

Regulatory Requirements

The regulatory requirements for a covered entity’s cybersecurity program are quite broad, but seemingly sensible. In a nutshell, the law requires:

  • Administrative Safeguards: An adequate cybersecurity program must have administrative safeguards, in which the business (1) designates one or more employees to coordinate the cybersecurity program; (2) assesses internal and external data-security-related risks and the sufficiency of safeguards in place to control the identified risks; (3) trains and manages employees in the cybersecurity practices; (4) selects vendors who are capable and obligated under contract to meet cybersecurity standards; and (5) adjusts the cybersecurity program in light of changes or new circumstances.
  • Technical Safeguards: A compliant cybersecurity program also must implement technical safeguards, in which the business (1) assesses data-security-related risks of network and software design and information processing, transmission and storage; (2) detects, prevents and responds to attacks or system failures; and (3) tests and monitors the effectiveness of controls, systems and procedures.
  • Physical Safeguards: An adequate cybersecurity program also must implement physical safeguards, in which the business (1) assesses risks of information storage and disposal; (2) detects, prevents and responds to intrusions; (3) protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and (4) disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

Compliance and Enforcement

A significant and challenging part of the law for covered entities is that the SHIELD Act authorizes the New York Attorney General (NYAG) to enforce all of these new provisions. The NYAG has, for many years, acted in the role of enforcer, bringing actions under the prior iteration of the law arising out of specific data breaches where it found inadequate notice to consumers or other misconduct. Under the SHIELD Act amendments, the NYAG continues in this role, able to seek even greater penalties for violations arising from insufficient notice provided to consumers following a data breach.

However, the requirements of the SHIELD Act for an adequate cybersecurity program are not just punitive, but also broadly prescriptive. They create an entirely new set of rules that thousands of businesses with a New York nexus must live by every day – not just in the instance of a data breach. As part of routine information technology operations, covered businesses must maintain a cybersecurity program consisting of adequate administrative, technical and physical safeguards.[i]

The NYAG is now empowered to enforce compliance with these new standards as well. The SHIELD Act provides that the NYAG may now ask a court to impose penalties of up to $5,000 “per violation” on a company with a substandard cybersecurity program. It is unsettled what constitutes a single “violation” under the law, and in the absence of statutory definition, the law typically favors a broad reading of this term. Nor does the Act require that a data breach occur for there to be a violation of the cybersecurity standards, and the law provides no cap on its statutory penalties.

Unlike the New York Department of Financial Services (NYDFS), the U.S. Securities and Exchange Commission or other prudential supervisors, which conduct periodic examinations of regulated institutions to ensure they are in compliance with applicable laws and regulations, the NYAG is neither authorized nor equipped to conduct such inspections of businesses subject to the SHIELD Act’s cybersecurity requirements. As noted, the NYAG serves principally in the capacity of an enforcement and litigation agency; its attorneys and staff (as a general matter) investigate, prosecute and litigate. They do not examine or recommend to entities how to bring their cybersecurity programs into compliance with the new law, and it would appear the NYAG does not have the resources to do so in any event. So, while the NYAG has significant experience in enforcing matters related to data breaches, up until now it has not had the same breadth of experience, or knowledge of a particular entity, as would a supervisory agency.

Take a Proactive Approach

Thus, the burden of ensuring that a company’s cybersecurity program is compliant with the SHIELD Act falls upon that company. If a covered entity is the victim of a data breach that affects New York residents (and it is frequently said that this is a question of when, not if), it is incumbent upon the company not only to comply with the breach notification provisions of the SHIELD Act, but also to demonstrate to the NYAG that its cybersecurity program is fully compliant with this law. Best practices argue that this type of effort should occur on a periodic basis, using either internal resources or, more commonly, an outside vendor with experience in cybersecurity hygiene.

It could be disastrous for a company to wait until it suffers a data breach to then measure whether its cybersecurity program is compliant with the SHIELD Act. Advocating to the NYAG that a company is in compliance after the event of a data breach – when the company lacks an objective evaluation of its cybersecurity program before the breach – likely will be met with substantially greater skepticism by the NYAG. With the effective date only a short time away, it is reasonable to begin conducting a gap analysis or other review of a company’s cybersecurity program imminently.

[i] Where an entity is in compliance with other mandatory regulations governing data security, such as the New York Department of Financial Services cybersecurity regulation, HIPAA or the Gramm-Leach-Bliley Act, then the law deems the entity to be in compliance with the SHIELD Act as well.


Matthew Levine

Matthew Levine is President of Financial & Regulatory Compliance Services at Guidepost Solutions. Matthew specializes in assisting companies in compliance matters and investigations, including risk assessments, strengthening risk management and compliance programs, remediation efforts, corporate monitorships and internal investigations. Before joining Guidepost Solutions, Matthew served as Executive Deputy Superintendent for Enforcement for the New York State Department of Financial Services (DFS). He supervised numerous investigations and enforcement actions, including complex matters involving money laundering, terrorist financing, cybercrime and cybersecurity, virtual currency fraud, market manipulation, tax fraud and consumer fraud. He also supervised numerous monitorships implemented by DFS at financial institutions, served as the central point of coordination for other civil and criminal authorities, both in the United States and abroad, and represented DFS in court in certain high-impact litigation. Matthew is a former federal prosecutor and trial lawyer with significant experience in matters involving the financial markets. For nearly a decade, he served as an Assistant U.S. Attorney, first in the U.S. Attorney’s Office for the District of Columbia and later in the U.S. Attorney’s Office for the Eastern District of New York. There, he served as Acting Chief of the Business & Securities Fraud Section, supervising a group of federal prosecutors conducting securities fraud, money laundering, cybercrime and other white-collar prosecutions. He began his career at the Justice Department, serving as the Deputy Director for Intergovernmental Affairs, where he focused on law enforcement policy and acted as a liaison to other federal and state law enforcement agencies. He has also counseled and represented corporate and individual clients in civil and criminal matters while at two major law firms, and later in his own law practice. He specialized in representing clients in matters involving the financial markets, cybercrime, and trade secrets and other intellectual property. Following law school, Matthew clerked for United States District Judge Barefoot Sanders of the Northern District of Texas.

© 2019 Corporate Compliance Insights