As the holidays approach, time seems to fly – not in the reindeer sense — but quicker and more rushed than usual as year-end work increases and as parties and other social events seem to multiply like presents under the Christmas tree. In that rush it is easy to overlook the fact that entities that “conduct business” in New York state and collect information of New York residents must also be aware of the New York Shield Act (the “Stop Hacks and Electronic Data Security Act”). Though some portions have gone into effect already, the “reasonable security” requirements” go into effect in March 2020. For businesses that also collect California residents’ personal information, the double-punch of the Shield Act coupled with the California Consumer Privacy Act of 2018 (CCPA), effective Jan. 1, 2020, could add up to an all-consuming regulatory task for businesses that are not fully prepared.

The Shield Act, unlike the CCPA, defines what reasonable security means. While the California Attorney General endorsed the Center for Internet Security’s 20 CIS Controls as a baseline for reasonable security in a 2016 report, the CCPA itself does not specify what steps businesses must take to meet a “reasonable security” standard.

Although there is no private right of action under the Shield Act, it is likely plaintiffs will rely on the Shield Act’s “reasonable security” elements in future data breach cases brought in New York. Thus, it is important that organizations understand and implement the necessary security procedures to ensure they are in line with the Shield Act’s “reasonable security” requirements.

So, what is “reasonable security” under the NY Shield Act? The act lists elements that could enhance security:

  1. A designee to “coordinate the security program” (that might mean a CISO or CIO or some other designated employee);
  2. A program that identifies internal and external risks;
  3. A program that assesses the safeguards in place to control the identified risks;
  4. A program that has a full employee cybersecurity training program;
  5. A cybersecurity vendor due diligence program that requires providers to be capable of maintaining safeguards, and requires those safeguards by contract;
  6. A program that is adjustable based upon business changes or new circumstances;
  7. A program that assesses risks in network and software design;
  8. A program that assesses risks in information processing, transmission, and storage;
  9. A program that detects, prevents, and responds to attacks or system failures;
  10. A program that regularly tests and monitors the effectiveness of key controls, systems, and procedures; and
  11. A program that has reasonable physical safeguards that assesses risks and information storage and disposal; detects and responds to intrusions; and protects against unauthorized access to personally identifiable information (PII), and disposes of information within a reasonable amount of time after it is no longer needed for business purposes.

For organizations subject to regulations and/or guidance under SEC rules, the NY Department of Financial Services (DFS) cyber rules (Part 500), or the EU’s General Data Protection Regulation (GDPR), some of the reasonable security elements might be nothing new. For instance, the requirement of a CISO or the equivalent is found in NY DFS rules. Cybersecurity vendor due diligence guidance is also in many of the rules and regulations given the prevalence of breaches occasioned by third parties. The concept of a cybersecurity employee training program (education of personnel about concepts such as phishing attacks, and the proper use of social media) is again found in many of the rules. And all entities, big or small, should already have incident response, business continuity, and crisis communications programs.

The concept of risk, and treatment of vulnerability assessments (items 2, 3, 7, and 8), while found in the NIST cybersecurity framework (the CSF), are not generally found in all cyber regulatory regulations or guidance. Both are critically important, especially for non-IT executives, director, and officers.

Risk Assessment

A risk assessment determines the information resources that could be affected by a cyber attack (such as hardware, systems, computers, customer data, and intellectual property), and then identifies the various risks that could affect those assets. In a risk assessment, an organization determines the potential IT and data breach risks, how critical those risks are, and what would be the financial impact of those risks if they were to materialize. A risk assessment is sometimes depicted in a heat map with green (okay), yellow (intermediate risk), and red (high impact, so beware!). Identification of a risk allows controls to be conceived and put in place to contain those risks, and then assess their success (or failure). For example, one of these risks might be the threat of an insider breach by a negligent employee, or by a malicious insider who steals information, or the risk of an employee clicking on a ransomware link. Another risk might be the threat of a nation-state attack that attempts to steal your most critical intellectual property. If not identified and addressed, these risks could later cause or enable a significant attack if left unsupervised or uncontrolled.

Vulnerability Assessment

A vulnerability assessment is a bit different and more granular in its approach, because it applies to networks and systems (including the cloud, if the firm uses cloud storage or services). Definitionally, a vulnerability assessment determines and analyzes cyber risks and vulnerabilities in computer networks, systems, hardware, applications, and other IT assets, both at the physical location and in the cloud. Vulnerability assessments provide security teams and other stakeholders with the data they need to assess and prioritize risks for potential rectification.

A vulnerability risk might be that of an unpatched known weakness in a program or operating system, for example, the “Eternal Blue” that caused several significant attacks including the Wannacry and Petya/NotPetya ransomware attacks. A second type of vulnerability could be a weakness or unpatched vulnerability in a web application or public-facing website that could allow a third party to steal customer information entered on a sales or service webpage. A third potentially severe vulnerability could be an unprotected server or unprotected cloud storage application (like an AWS S3 bucket) that, if unprotected by a password, could be accessed by anyone in the wild — even those without a lot of IT knowledge. Legions of these unprotected server vulnerabilities have been reported in 2019. They are truly almost a daily occurrence. A fourth vulnerability could be the lack of safeguards that companies can maintain to prevent unauthorized access to their networks. That could include permitting use of weak passwords or single-factor access to critical files, etc.

Risk and vulnerability assessments are important aspects of a security program for two reasons: (1) they provide critical information to nearly all interested constituencies (like non-IT executive and board members); and (2) they take time and effort to complete the right way — especially vulnerability assessments, which take qualified people, scanning applications, a lot of thought, and resources and time of the organization. However, experience has shown that the resources of time, people, and money needed to prevent a vulnerability can be much less costly than those needed to remediate, and avoid what can be severely damaging to the reputation of the business.

Since under Delaware and many other state laws, boards of directors are charged with responsibility for overseeing cybersecurity issues, boards should be aware of and seek to have their organizations conduct risk and vulnerability assessments. As of March 2020, when the Shield Act becomes effective, these responsibilities will be part of the law for those doing business in NY and collecting NY resident information, and there is little time remaining to complete the processes required in the right way.

To ensure your organization is in line with these elements of the reasonable security requirements under New York’s Shield Act, you will want to conduct and document a risk and vulnerability assessment well in advance of the Shield Act’s March 21, 2020, effective date, so that issues can be addressed prior to the effective date. Larger companies can likely do much of this work themselves, though a good forensic cyber consultant provider could provide great value and comfort, and save internal time and resources as well. Smaller organizations would be well-advised to hire not only a good cyber forensic consultant, but a good cybersecurity law firm as well, to help make sure the legal requirements of the Shield Act are completed in substantial part.

It is unquestionably better to find and deal with risk and vulnerabilities (and remediate them) before an attacker finds them first, and exploits them to your detriment. Failure to comply with the Shield Act’s risk and vulnerability assessment requirements might also earn your organization not only a fine or penalty, but a bad day in court. Cyber risk today is enterprise risk – and there is no reason to let cyber “grinches” steal your holiday – or your most precious IP – because of a problem the organization could have found if it had conducted the necessary risk and vulnerability assessments.