The developing coronavirus pandemic affects businesses and personnel within the state and elsewhere. With more New Yorkers working from home, there are more opportunities for cyberattacks through unsecure remote connections and the public concern growing each day.
The New York SHIELD (“Stop Hacks and Improve Electronic Data Security”) Act was signed to law on July 25, 2019. It is an amendment to New York’s data breach notification law. The SHIELD Act provides a number of changes that we reported last year, including expanding the definitions of “private information” and “breach.” The definition of “private information” now covers emails and passwords or security questions and answers, credit card details, and biometric data among others. A “breach of the security system” now covers unauthorized access, where such access may have occurred if “the information was viewed, communicated with, used, or altered” without authorization.
The data security requirements that took effect on March 21 require businesses that own or license private information of New York residents to implement certain protections, such as:
- reasonable administrative safeguards relating to the administration of a data security program, including: designating employees to coordinate the security program, identifying reasonably foreseeable internal and external risks, assessing the existing safeguards to control the risks identified, training workforce about the security program, and selecting and contracting with service providers who are capable of maintaining appropriate safeguards;
- reasonable technical safeguards relating to the technology of the business, including: conducting risk assessments of network, software design, information processing, transmission, and storage; implementing measures to detect, prevent, and respond to system failures; and testing and monitoring of the effectiveness of key controls; and
- reasonable physical safeguards that involve the storage and disposal of information, including: conducting risk assessments of information storage and disposal; implementing measures to detect, prevent, and respond to intrusions; and implementing protections against unauthorized access to or use of private information during or after collection, transportation, and destruction or disposal of the information.
Such safeguards may be critical to businesses trying to operate remotely during this challenging time. Malicious actors can exploit natural disasters and major health events like the coronavirus to install malware on computers in unsecured networks and through social engineering. Malware can be software that damages data and systems, or otherwise disrupts the normal operation of computers or networks. Malware can also enable unauthorized access to affected networks and even prevent authorized access to those networks.
We have become aware of numerous reports about coronavirus-themed malware, including ransomware and phishing attacks. Businesses victim to such attacks may find that they have had a “breach of the security system” under the SHIELD Act’s expanded definition, which now includes unauthorized access. Previously, a breach involved unauthorized acquisition of private information. In the event of a breach, businesses may be required to comply with certain statutory notice obligations, which, in turn, may subject them to investigation or enforcement action by the New York State Attorney General. To protect against a breach, businesses and organizations subject to the SHIELD Act should by now have all required data security safeguards in place and be particularly vigilant against cyber threats attempting to exploit disruption caused by the crisis.