By Patrick Connelly, originally published in Buffalo Law Journal, Buffalo Business First on Mon, 16 Dec 2019 11:30 EST.

GOVERNMENT & REGULATIONS

SECURITY GUARDS: Jessica Copeland and other attorneys help clients comply with new cybersecurity regulations in New York’s SHIELD Act

There is good news if you are the person responsible for ensuring that a business or nonprofit agency complies with the latest technological regulations.

“Starting now … shows a willingness to mitigate the risk in the future, so it’s never too late,” says Jessica Copeland, attorney at Bond Schoeneck & King PLLC in Buffalo. “One of the most challenging steps in the process for companies is understanding what data they hold, how it comes into the company and where it’s stored.”

Attorneys in the region and statewide helped entities prepare for the SHIELD Act, a cybersecurity law that mostly takes hold in March, but is partially in effect now.

The regulation aims to improve the electronic security of data held by businesses or nonprofits that isn’t already protected by other federal or state mandates. All entities inside or outside the state are expected to comply if they do business with consumers or other entities within New York. (There is a less-stringent policy that applies to enterprises that can be categorized as small businesses, according to the law.)

The part of the SHIELD Act already in place expanded what had been standard procedure when personal information was breached. It requires any person or business that owns or licenses private computerized information to notify affected residents of the state “in the most expedient time possible.”

There are some exceptions to when entities do not need to notify residents, but they must default to other prevailing state or federal regulations to see if notification is required.

Changes to what is considered private information was expanded and now encompasses:

  • Biometric information
  • Driver’s license or state ID card numbers
  • Financial account information and access details
  • Social Security numbers
  • Email addresses, user names and passwords or security-question answers that could permit access to an account.

Biometric information is defined as something that details someone’s physical characteristics, such as a fingerprint or retina image.

New York is among a group of states that strengthened data safeguarding and notification regulations.

Copeland, a member at her firm, and other area attorneys have fielded questions from clients as they prepared to fall in line. Among the biggest concerns, she says, is if the SHIELD Act does indeed apply to their entity.

“The answer is predominantly yes if you are holding computerized data of New York residents, which affects most organizations in New York state and now affects organizations operating outside of New York state but (which are) holding New York computerized data,” Copeland says.

F. Paul Greene, partner at Harter Secrest & Emery LLP, says that companies often asked how they could simultaneously look at some of the other complex cybersecurity laws.

“They don’t just want to know how I can comply with the SHIELD (Act) but how can I do this once,” he says.

Anna Mercado Clark, partner at Phillips Lytle LLP, says businesses have worked to comply with all that should be on their radars, including regulations beyond the SHIELD Act such as those in the Health Insurance Portability and Accountability Act.

She says the firm tracks laws around the country and analyzes what applies to specific businesses and the impact. Attorneys in her practice group keep tabs on pending legislation.

“When it gets passed, you can immediately hit the ground running,” Clark says.

Copeland says she’s had inquiries from businesses outside the state.

“I just try to translate the law for them to understand whether or not it applies and, if it does, that they’re in compliance,” she says. “Depending on the size of the client (and) the complexity of the data that they hold or process, it necessarily requires unraveling what law applies (specifically to a) company and what law applies to the data in which (that) company holds.”

Small businesses with fewer than 50 employees and that are below revenue figures the SHIELD Act outlines will have an easier row to hoe with all that is required by next year. But Copeland says that could still create confusion.

“A small-business entity does not have to follow each of the safeguards enumerated in the statute that will be in effect in March,” she says. “They have to do what is reasonable with respect to the complexity of the data that they hold.

“That raises more questions than it answers because no business knows right now what the state views as reasonable.”

The laws, despite their complexity, are what Copeland relishes about her work.

“I enjoy the marriage of technology and law,” she says. “I’ve always been a mathematically inclined individual. And while I don’t always see things in zeros and ones, I understand the background of a computer network and framework and in many ways act as an intermediary between the (tech personnel and executive teams of a company) to understand the importance of adding a cost to their budget.”

Among the first steps for businesses is to evaluate what risks could be, Greene says.

“You need to look at your organization and where your center of gravity is,” he says. “The best way to kind of attack (all the varying laws) at once is to look into application and rollout of a generally accepted security framework. … It’s really not just focusing on the laws themselves but zooming out a bit.”

Alan Winchester, partner at Harris Beach PLLC, says small businesses by the final deadline will have to tailor and scale safeguards to fit their entity.

“If an organization doesn’t start now, that’s going to be (difficult),” he says.

His firm, through tech subsidiary Caetra, developed a tool called CyMetric that debuted last year. It enables users to select regulations that apply to their entity and easily see what controls must be in place.

“Even the most secure places get breached,” Winchester says. “Even though you may get breached, you can show that you have (the controls) in place.”