Don’t Put SHIELD Act Requirements On Back Burner

Businesses Must Take Security Measures To Safeguard Digital Data

By Judith Bachman

Cybercrime has risen 600 percent during the pandemic, and experts agree small businesses are at even greater cyber risk than big businesses. That is why it’s critical to take a serious look at New York’s SHIELD Act now to make sure your business is in compliance.

On April 26, 2021, the Second Circuit, the local federal court of appeals, held that a business could be sued by people whose data has been exposed in a cybersecurity breach even if they could not show any specific harm from that exposure. The Court held that a plaintiff could state a claim for a data breach “based on [only] an increased risk of identity theft or fraud following the unauthorized disclosure of their data.” To sustain such a case a plaintiff could point to “whether any portion of the dataset exposed [that included a plaintiff’s data] has already been misused . . . [or if] the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.”

This court decision means that more people can make claims against businesses for data breaches beyond those directly harmed. This broadened pool of possible plaintiffs takes on heightened meaning against the backdrop of consistently expanding state cybersecurity regulations.

Beginning March 21, 2020, New York imposed the SHIELD Act, which requires businesses of any size to take internal security measures to safeguard New Yorkers’ digital “private information.” The law was designed to ensure that businesses build robust internal cyber infrastructure, including designating a security program coordinator, implementing a security program, and training employees. The penalty for non-compliance could range up to a fine of $250,000.

In addition to the SHIELD Act, Governor Cuomo proposed a consumer-facing law that would require businesses to provide customers with control over their personal data. The law “will mandate that companies collecting information on large numbers of New Yorkers disclose the purposes of any data collection and collect only data needed for those purposes. The legislation establishes a Consumer Data Privacy Bill of Rights guaranteeing every New Yorker the right to access, control, and erase the data collected from them.

The proposal creates strong enforcement mechanisms to hold covered entities accountable for the illegal use of consumer data.

As onerous as these cybersecurity requirements may be, they are necessary. These incidents include the SolarWinds hack, along with a wave of attacks against Fortune 500 businesses.

Small business owners should consult IT professionals to get necessary hardware and software, their counsel to draft legally compliant internal policies, and even their insurance agents to make sure they have adequate coverage. This diligence is required not just by law but as a matter of good business practice.

Judith Bachman is the founder and principal of The Bachman Law Firm PLLC in New City. judith@thebachmanlawfirm.com 845-639-3210, thebachmanlawfirm.com