SHIELD Act enforcement faces covid-19 uncertainty

New York’s enforcement of its new data security measures may be delayed by the pandemic, but that doesn’t mean firms should feel safe delaying compliance.

The New York attorney general is scheduled to begin enforcing the Stop Hacks and Improve Electronic Data Security (SHIELD) Act on March 21, but as covid-19 takes its toll on the world economy, market watchers say a delay in enforcement is likely. The office of the AG declined to comment.

New York is the latest state to adopt data security measures for the private data of its consumers and follows recent measures taken by Massachusetts and Illinois. “This is much more along the lines of what Massachusetts has, rather than what California has,” says Jeffrey Neuburger, co-head of the technology, media and telecommunications group at Proskauer. California’s CCPA is focused on privacy, whereas NY and MA are focused on data security.

The statute amends the data breach notification law and expands the requirements for reporting a breach. It also expands the definition of ‘private information’ under New York law.

“[Firms] need to have a program, they need to assess if the controls are effective or not, and they need to train and manage their employees on security practices and procedures,” said Ray Hillen, managing director of cybersecurity for Agio.

One of the potentially most onerous aspects of the act calls for designating one or more individuals to coordinate cybersecurity compliance, as well as for a security assessment to be included in service provider agreements. Jeffrey Neuburger, co-head of law firm Proskauer’s technology, media and telecommunications group, said he’s advising clients to designate someone specifically for the role.

Data security programs in compliance with the new law must protect firms from, as well as prevent and respond to, attacks and system failures, and must be regularly tested for efficacy. Physical safeguards such as information storage and disposal should also be in place.

The measure affects the handling of New York citizens’ data, even if the firm or organization doesn’t have a physical location within the state.

Enforcement uncertainty

In conversations with Private Funds CFO, many managers and CFOs place cybersecurity at the top of their priorities, making full compliance seem within reach for much of the PE community. But the rapidly shifting dynamics brought on by coronavirus in recent weeks could delay its immediate effect.

“[Coronavirus] isn’t going to result in extension of time to comply,” says Proskauer’s Neuburger. “But I suspect it will delay the plan in terms of enforcement until things clear up.”

Many in New York and around the world are transitioning to work-from-home programs for the foreseeable future – making SHIELD compliance a significant hurdle for firms farther behind in their data security progression. A lag in enforcement action from the AG may be inevitable, but that doesn’t mean firms should feel safe delaying compliance.

“The AG is going to take the position that companies shouldn’t have waited this long to get their act in gear,” said one anonymous source.

The act may also tighten up relations with service providers, as it explicitly mentions service providers maintaining appropriate safeguards and requiring those safeguards in contracts.

“This whole thing requires funds and organizations to have a security assessment, and that’s something that should flow through to service providers as well,” Neuburger said.

“A fund is only going to be as secure as its least secure service provider.”