The need to be “cyber-secure” is making things more complicated and costly for small and mid-sized businesses, yet the cost to comply with increasing cybersecurity requirements is far FAR less than the risk of a breach, compromise, or ransomware attack.
Frankly, cyberattacks have reached a tipping point – the point where the increase in scale and impact of cyberattacks means that the fallout from these incidents can ripple across societies and borders.
In light of this increased threat, governments feel a need to “do something,” and many are considering new laws and regulations. Yet lawmakers often struggle to regulate technology — they respond to political urgency, and most don’t have a firm grasp on the technology they’re aiming to control. The consequences, impacts, and uncertainties on companies are often not realized until afterward.
In the United States, a whole suite of new regulations and enforcement are in the offing: the Federal Trade Commission, Food and Drug Administration, Department of Transportation, Department of Energy, and Cybersecurity and Infrastructure Security Agency are all working on new rules. In addition, in 2021 alone, 36 states enacted new cybersecurity legislation. In New York, the Stop Hacks and Improve Electronic Data Security Act or SHIELD Act imposes more data security requirements on companies that collect information on New York residents, no matter where the company conducts business.
THIS IS HUGE. And don’t stop reading because you’re not in New York. First, it doesn’t matter where YOU are. This law applies to any company that collects information on NY residents, as I said above. Don’t do that? Okay. But make no mistake – other states are looking at the SHIELD Act as a potential model. So this could well apply to you directly before too much longer. So keep reading.
The SHIELD Act introduced significant changes to existing law:
It broadens the definition of “private information.” SHIELD expands the definition to include account numbers, biometric information, credit/debit card numbers (even without a security code), access codes, usernames, email addresses, passwords, and security questions and answers. If you previously thought you DIDN’T collect private information, look again. The information you collect could fall within this new scope as outlined by SHIELD.
It expands the definition of a “breach.” Originally, a breach was defined as an “unauthorized acquisition of unencrypted computerized data.” But more broadly, it refers to unauthorized access of computerized data that compromises the security, confidentiality, or integrity of private information. The law provides samples of unauthorized access and includes updated procedures in the event of a breach. In human terms, that means that previously, you could escape a lawsuit by proving that information never left your network. Under this new definition, you’d ALSO have to prove that no one even looked at it, which is lots more difficult to prove.
It expands the territorial scope. Previous New York privacy laws were limited to parties who conducted business in New York. The SHIELD Act broadens the scope to any person or business that owns or licenses private information of a New York resident. Essentially, even if you don’t do business in New York, it’s likely the SHIELD Act applies if you operate anywhere in the U.S. So…from Amazon to a solopreneur, if you have even one customer in New York, SHIELD applies to you.
It imposes new data security requirements. The SHIELD law enforces companies to adopt safeguards to protect the security, confidentiality, and integrity of private information. Companies should implement a data security program with specific measures, employee training, vendor contracts, risk assessments, and timely data disposal. The law also requires organizations to designate an employee who oversees cybersecurity operations. THIS IS BIG. If you’re a huge company, no problem. But if you’re a small or mid-sized business, this requirement can be a burden. A big burden. How will you handle this? (We have thoughts on that.)
Companies are considered compliant if they implement reasonable administrative, physical, and technical safeguards. The bill offers several ways to ensure compliance:
- Conduct risk assessments.
- Train employees in security program practices and procedures.
- Designate someone responsible for the security program.
- Carefully select vendors and set safeguards by contract.
- Adjust security programs as the business changes.
- Assess the risks of information storage and disposal.
- Create systems to prevent, detect, and respond to physical intrusions.
- Dispose of private information within a reasonable amount of time.
- Protect against the unauthorized access of private information at any point during collection, transportation, and disposal.
- Identify risks in network and software design.
- Identify risks in information processing, transmission, and storage.
- Prevent, detect, and respond to system failures and attacks.
- Monitor and test the effectiveness of system controls and procedures.
If you own a small business and those bullets feel daunting, don’t worry: The SHIELD Act makes exceptions for businesses with fewer than 50 people and/or less than $3 million in annual revenue. Still, you must implement a reasonable security program that’s appropriate for the size and complexity of your business.
If companies fail to comply with these security requirements, they could face civil penalties of up to $5,000 per violation. There are no caps on penalties, so fines can rack up quickly. Additionally, a $250,000 fine exists for failing to notify authorities when a data breach occurs.
Of course, the really bad news is that the fines and penalties kick in WHEN SOMETHING BAD HAS ALREADY HAPPENED. So they’re salt in the wound. And the wounds caused by cyberattacks don’t need to get any worse.