What's New in New York: Recent Cybersecurity and Data Privacy Developments in New York State
27 April 2020
As the world has moved to a work-from-home (WFH) environment, two developments in New York highlight the continuing need for adequate cybersecurity protections.
These are:
- First, the Safeguard Provisions of the New York Shield Act (the "Shield Act") went into effect on March 21, 2020 with little fanfare. This development has important implications for companies that hold personal data about New York residents.
- Second, the New York State Department of Financial Services ("DFS") released guidance on April 13, 2020 regarding the need for cybersecurity awareness during the current crisis.
The Shield Act
The New York Shield Act, which was enacted on July 25, 2019, created new breach notification and safeguard provisions for the personal data of New York citizens. The act broadened the scope of who is required to comply with these requirements to include any company or person that "owns or licenses computerized data that includes private information of a resident of New York."
Shield Act Breach Notification Requirements: The breach notification requirements, which went into effect in October 2019, strengthened New York's breach notification requirements by adding to the types of information considered to be personal information and expanding what types of cybersecurity incidents would be considered a breach.
Shield Act Safeguard Provisions: The safeguard provisions, which went into effect last month, require companies to have "reasonable" safeguards to protect the security, confidentiality and integrity of private information, unless the company is already subject to, and complies with, other federal or state data security rules or regulations that apply to its regulated sector (including HIPAA, GLBA, and the NYDFS Cybersecurity Regulation).
The law provides examples of what are considered "reasonable" safeguards, grouped into administrative safeguards, technical safeguards, and physical safeguards. These include:
Administrative safeguards, such as:
- designating one or more employees to coordinate the security program;
- identifying reasonably foreseeable internal and external risks;
- assessing the sufficiency of safeguards in place to control the identified risks;
- training and managing employees in the security program practices and procedures;
- selecting service providers capable of maintaining appropriate safeguards and requiring those safeguards by contract; and
- adjusting the security program in light of business changes or new circumstances;
Technical safeguards, such as:
- assessing risks in network and software design;
- assessing risks in information processing, transmission and storage;
- detecting, preventing, and responding to attacks or system failures; and
- regularly testing and monitoring the effectiveness of key controls, systems and procedures; and
Physical safeguards, such as:
- assessing risks of information storage and disposal;
- detecting, preventing, and responding to intrusions;
- protecting against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
- disposal of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
Under New York law, a violation of the Shield Act is deemed to be a violation of the state's consumer protection act, meaning the New York State Attorney General now has the power to bring an action against a company not only for failing to provide timely notification of a breach, but also for failing to have adequate safeguards in place to protect personal data of New York residents.
On March 1, 2017, DFS issued a particularly stringent cybersecurity regulation, which requires insurance companies, banks and other covered entities that operate in New York State to maintain department-approved plans to deter cyberattacks, and to report any significant attacks to the NYDFS within 72 hours of when they occur. DFS has since followed this up with periodic reminders to DFS-regulated entities regarding their cybersecurity requirements.
On April 13, 2020, DFS sent a reminder to its regulated entities, which addresses cybersecurity risks related to coronavirus. Specifically, the guidance identifies three areas that DFS believes to pose heightened risk for covered entities:
Remote Working Risks
DFS cautioned that there are risks associated with remote working, including use of less-secure personal networks and devices, increased use of video and audio-conferencing applications that introduce cyber vulnerabilities, and use of unauthorized personal accounts and applications to transmit non-public information. DFS recommended that regulated entities adjust their security protocols to address these risks, such as by establishing secure VPNs, installing security software on remote work devices, and requiring multi-factor authentication.
Phishing and Fraud Risks
DFS observed that there "has been a significant increase in online fraud and phishing attempts related to COVID-19." As a result, DFS suggested that regulated firms provide additional data privacy training to their employees, adjust current training, and consider revising authentication protocols to strengthen defenses against intruders.
Third Party Risks
DFS noted that the risks associated with remote working and an increase in fraud and phishing attempts also apply to vendors and recommended that regulated entities coordinate with critical vendors to determine how they are adequately addressing the new risks.
Now more than ever it is important for companies that do business in New York to stay vigilant and ensure that they have proper security protocols in place to protect their systems and data. The coronavirus pandemic has brought increased risks and challenges, but establishing proper policies and controls can help companies ensure not only that they are able to weather the current storm, but also that they will emerge from the crisis stronger than ever and ready to go back to business as usual.