Putting the SHIELD Act and CCPA into perspective

Cybersecurity lawyer, industry association SVP offers tips for companies to become, stay in compliance
Wednesday, January 29, 2020

YARMOUTH, Maine—On Jan. 1, two new statutes — the Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act), a cybersecurity and breach-notification statute, and the California Consumer Privacy Act (CCPA), a consumer privacy statute — went into effect, changing the way some security professionals do business. 

“While the CCPA is regarded as the most comprehensive consumer privacy statute passed in the nation to date, the SHIELD Act is generally regarded as the nation’s strictest cybersecurity statute,” Scott Watnik, cybersecurity practice co-chair at Wilk Auslander LLP, located in New York, told Security Systems News (SSN). 

The SHIELD Act 

With the SHIELD Act, employers in possession of New York residents’ private information must “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information;” however, the statute does not specify or mandate any particular safeguard. Herein lies the confusion: how are “reasonable safeguards” defined so that employers can stay compliant?
Watnik pointed out that while there is no “one-size-fits-all” approach to cybersecurity, the Act requires covered, non-exempt entities to establish the following:

     1. Reasonable administrative safeguards, which may include:

  • Designating one or more employees to coordinate a security program;
  • Identifying foreseeable external and insider threats; 
  • Assessing existing safeguards;
  • Employee cybersecurity training;
  • Selection of third-party service providers in compliance with the Act; and
  • A process for adjusting the security program based on business changes or new circumstances. 

     2. Reasonable technical safeguards, which may include:

  • Risk assessments of network, software design and information processing, and transmission and storage;
  • Implementing ways to detect, prevent and respond to system failures; and
  • Regular testing and monitoring of the effectiveness of key controls.

     3. Reasonable physical safeguards, which may include:

  • Detection, prevention and response to intrusions;
  • Protections against unauthorized access to or use of private information during or after collection;
  • Transportation, destruction and/or disposal of information; and
  • Erasing electronic information, within a reasonable amount of time after it is no longer needed for business purposes, so that it cannot be read or reconstructed.

Because cybersecurity in and of itself demands a non-universal approach, “there is no way to absolutely ensure that your company is in compliance,” Watnik said. “What is expected of one company to be in compliance may not be expected of another.” 

This makes compliance sound impossible without a specific, step-by-step, itemized protocol that can be followed to ensure full compliance with the SHIELD Act. Add in that there is no way to stop cyberattacks from happening, and it all sounds utterly hopeless. “However, by adopting and following a formal plan that includes data security measures and a breach notification policy, businesses can greatly limit their exposure under the SHIELD Act,” Watnik encouraged.

Watnik offered the following tips to help greatly mitigate the risk of non-compliance: 

  • Make sure your business has a formal plan tailored to company size and the data collected and stored, including data security measures and a breach notification policy.
  • Ensure everyone rigorously follows the plan.
  • Constantly test the plan and seek to improve it. 
  • Ensure trusted cybersecurity personnel are active in overseeing your company’s cybersecurity plan and keeping company leadership directly informed. 
  • Make sure employees receive cybersecurity training. 
  • Ensure cybersecurity is a part of your company’s corporate culture. 

Watnik also recommended having a trustworthy cybersecurity attorney to call on who is “not only well-versed in the law, but who also understands your company; what it does; the type of data it collects and stores; and its appetite for regulatory or litigation risk.” 

When a cyberattack occurs, time is of the essence, and speed is perhaps the most important, consistent factor in responding to any cyberattack. Identifying the source of the breach, mitigating the damage and notifying impacted individuals must all be done quickly and effectively. This means “judgement calls will have to be made,” so a “cybersecurity lawyer is going to have to make key legal and strategic decisions, often on a moment’s notice,” explained Watnik, advising that you want a cybersecurity lawyer whom you can whole-heartedly trust and who will make himself or herself available to your company on a moment’s notice in a time of crisis. 

When it comes to cyberattacks, no company, group or individual is immune. Unfortunately, there is no “cybersecurity vaccine” that is 95 to 100 percent effective in preventing an attack, but there are successful strategies to deploy that help, and now at least one statute, with more on the way, that somewhat “guides” companies toward a safer position. 

“Simply put, cybersecurity poses an existential threat to companies large and small in today’s world,” Watnik said. “Yet, so many companies remain behind the curve. The passage of the SHIELD Act is yet another indicator that cybersecurity is not at the forefront of corporate America. This legislation should serve as a wake-up call for all companies and businesses who have yet to take notice.” 

The CCPA 

When consumers make a purchase, payment technology companies interact with consumer data to authorize transactions, fight fraud and ensure physical and online merchants are paid in a secure, timely manner. These payment technology companies also provide merchants with software solutions — accounting, inventory, marketing, etc. Because private consumer information is used and sometimes stored, these parties are subject to state regulations, like the CCPA (which, again, is currently in effect and will be enforced starting July 1, 2020), and to federal regulations governing the collection and use of personal information. 

Scott Talbott, SVP of government relations at the Electronic Transactions Association (ETA), echoed Watnik in that the CCPA is “the most comprehensive U.S. data privacy law currently enacted,” adding that “its enactment and requirements represent a trend, since over half of the states introduced data collection and/or privacy legislation in 2019 including New York, Massachusetts, Illinois and New Jersey.” 

Because of this legislation, businesses need to take steps to ensure compliance with their respective state’s laws. Talbott offers the following tips to help ensure such compliance: 

  • Conduct a comprehensive data mapping and inventory of personal information currently collected and used;
  • Update privacy policy and consumer rights disclosures, adding the required “do not sell my information” link to websites; 
  • Ensure adequate staffing and funding; 
  • Establish and enforce policies and procedures that address accountability, implementation, and ongoing monitoring and remediation; and
  • Clearly and transparently articulate the ways in which consumer data is handled. 

Talbott told SSN that ETA members facilitate $7 trillion in transactions every year in North America and members also invest billions in innovative security technologies to protect businesses and consumers from fraudsters. A new study from Juniper Research found that the industry will spend over $10 billion by 2023 on advanced fraud prevention and detection technologies including but not limited to: tokenization, biometric authentication, end-to-end encryption and secure messaging protocols. 

“Many of these solutions protect consumer data from the threat of exploitation in the event a company is made the victim of a breach,” Talbott explained. “Others are powered by data and leverage artificial intelligence and machine learning to detect and prevent fraud before it happens by finding compromised cards and finding patterns in fraud schemes.” 

ETA predicts that more states will introduce and pass legislation similar to CCPA this year. In fact, Watnik anticipates that “New York will soon pass its own consumer privacy statute which may echo the CCPA in many respects.” 

Because data is an essential tool in protecting consumers and merchants from theft, “as a trade association representing the payments technology industry, it is important for us to educate both consumers and policymakers on the way payments companies combine innovation and data to power security solutions that protect commerce from fraudsters,” concluded Talbott.