When the reasonable security requirement of New York State's Stop Hacks and Improve Electronic Data Security (SHIELD) Act goes into effect on March 21, 2020 (2019 New York Acts ch. 117), it will be in a business climate filled with uncertainty, with many businesses operating differently than they did at the time they designed their data security plans.
As a result of the Covid-19 outbreak, some businesses have chosen, or been required, to instruct their employees to work from home, rather than in the office. While some companies are comfortable with telecommuting and have employees who are experienced remote workers, this will be a dramatic and unexpected shift for others.
Regardless of a company's familiarity with telecommuting, given the broad scope of the act and its requirement that covered entities adjust the safeguards in their data security programs in response to business changes or new circumstances, it behooves businesses that may be subject to the act to review those programs to ensure that they comply with the act's reasonable security requirements.
A key feature of the act is that it applies to any person or business that owns or licenses computerized data that includes “private information” of a New York State resident. A business does not need to conduct business in New York State or be located there to be covered by the act. It simply needs to own or license “private information” of New York residents.
“Private information” is broadly defined to include either (i) personal information (information concerning a person that can be used to identify that person) in combination with a data element such as biometric information, a social security number, or a driver's license number, when the data element, or the combination of personal information and the data element, is not encrypted or is encrypted with an encryption key that has also been accessed or acquired; or (ii) a user name or e-mail address that, in combination with a password or security question and answer, would permit access to an online account. N.Y. Gen. Bus. Law § 899-AA(1)(b).
Effective March 21, 2020, any person or business that is subject to the act must “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity” of the private information it owns or licenses. N.Y. Gen. Bus. Law § 899-BB(2)(a). Covered persons and businesses can comply with this reasonable security requirement by implementing a data security program that includes three categories of safeguards: reasonable administrative safeguards, reasonable technical safeguards, and reasonable physical safeguards.
The act applies a proportionality standard to the reasonable security requirement for small businesses, which it defines as businesses with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets. Small businesses that are subject to the act can comply with its reasonable security requirement by implementing reasonable administrative, technical, and physical safeguards that are appropriate given the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the information collected.
The examples of reasonable administrative safeguards provided in the act include identifying reasonably foreseeable internal and external data security risks, assessing the sufficiency of the safeguards put in place to control these risks, training and managing employees in the data security practices and procedures set out in the program, selecting appropriate vendors, and adapting the data security program to reflect business changes or new circumstances.
The following are some things for businesses that find themselves adjusting to a remote workforce to think about when assessing the reasonable administrative safeguards in their data security plans:
Know Your Workforce
• Assess the technological sophistication of your workforce to determine whether your employees have the ability to use technology safely when working from their homes. Employees who have limited technological skills may not be able to use email and other programs properly, and may be easy targets for phishing emails and other scams. In such cases, it may be appropriate (or necessary) to limit the company computer systems and data that they can access.
• Determine whether your employees have the company-issued mobile phones, computers, and other devices that they will need to work remotely. If the employees who must be able to work from home do not have company-owned devices (whose features and security you can limit and control, possibly more than with BYOD devices), decide whether you want to, and are in a financial position to, provide these devices to them.
If you are not in a position to provide them with company-owned devices and will need them to use their personal computers, printers, and other devices, get information from them about these devices so you can assess the potential risks and find ways to mitigate them.
• Consider the kinds of tools employees will need in order to do their jobs remotely, such as conference call services, video conference services, and VPNs, and provide them with ones that you have vetted and that meet your security standards.
• Evaluate whether to increase the number of help desk and IT support personnel who are available for employees to contact if they encounter technology-related problems while working remotely, and make sure this support is available during the hours when employees are actually working (which may be outside regular business hours).
Understand the New Technologies You Are Using
• If you decide to do video interviews with job candidates, rather than in-person interviews, know how the technologies you use to conduct these interviews work, and the laws that may apply to them. For example, if your video interview product uses artificial intelligence, your business may be subject to the Illinois Artificial Intelligence Video Interview Act (740 ILCS 14/1 et seq.), which went into effect on Jan. 1, 2020.
Educate Your Workforce
• Instruct employees not to work in areas near digital personal assistants. These devices are always listening, and can record, transcribe, and store private information, as well as confidential, proprietary, and privileged information that employees may discuss.
• Similarly, make sure that employees know not to work in close proximity to devices like digital doorbells or other “smart devices” that may photograph or make a video recording of data that is on their phones or computer screens.
• Show employees how to check the default settings on conference call and videoconferencing apps and, if the defaults are set to record conversations or video meetings, how to change those settings so that conversations and meetings are not recorded. Failing to do this may result in these apps recording people's faces, voices, and other biometric data that may be subject to laws like the Illinois Biometric Privacy Act; recording voices without consent, which may be illegal in two-party consent states; and recording private information, proprietary business information, or privileged information.
• Make sure employees have passwords on their phones and other devices, and that they keep their passwords and log-in credentials in a secure location that is not visible to others in their homes.
• Ensure that employees have screen locks on their devices and that those locks activate after a short period of inactivity, so that children or other people near those devices cannot access company networks and data when employees are not using them.
• Train your employees on how to use FTP (file transfer protocol) sites and the other authorized remote work tools that you have selected for them. Confirm that employees know how to use the encryption software your business has chosen to secure communications. Consider making videos demonstrating how to use these tools that you can email to employees or that they can access through the company intranet.
• Impress upon employees the importance of using only the VPN (virtual private network) and other approved tools that you have provided to them, and not public Wi-Fi. Emphasize the importance of working in a private, secure location, and not in coffee shops or other public places.
Monitor Compliance and Effectiveness of Safeguards
• Monitor your systems to evaluate whether the policies and procedures you have in place are effective and operating as intended.
• Review your employees’ activity on business computer systems to confirm that they are following the data security policies and procedures, and take appropriate action in cases where employees are violating those policies and procedures.
Revise Your Policies and Procedures
• If your business has not had employees working remotely before, this will be a learning experience. It is beneficial from a compliance perspective and a business perspective to revise your policies and procedures as you gain experience with telecommuting to reflect the lessons learned and to improve your data security program.
• It is critical to document the steps you take to ensure that the administrative safeguards you have in place are reasonable, both for your own internal corporate purposes and in the event you need to demonstrate your compliance with the act. The attorney general is empowered to enforce the act, and to seek injunctive relief and civil penalties. The act does not authorize a private right of action.
While Covid-19 may be the first business change or new circumstance in response to which businesses covered by the New York State SHIELD Act have to adjust their data security programs, it will not be the last. Businesses that are proactive in their approach to their data security programs will be in a strong position to demonstrate compliance with the reasonable security requirements of the SHIELD Act.