On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act (the Act). The Act imposes stringent obligations upon businesses that handle the private information of New York residents in order to help strengthen the protection of private consumer information.
Irrespective of business location, any business, including a CPA firm, that holds the “private information” (as defined below) of a New York resident, whether the resident is a client or an employee, may be subject to the SHIELD Act.
If an organization is found to have “knowingly or recklessly” violated the statute, the Act permits the court to “impose a civil penalty of the greater of $5,000 or up to $20 per instance of failed notification,” up to $250,000.
While some of the changes initiated by the Act became effective as of October 2019, others will become effective on March 21, 2020. This later change, as discussed below, will have a more significant effect on the operations of businesses, including CPA firms.
WHAT DOES THIS MEAN FOR MY FIRM?
The Act expands the application of the breach notification requirements from organizations which conduct business in New York, to include any person or business that owns or licenses private information pertaining to a New York resident. As a result, if you or your practice holds personal and private information that pertains to a New York resident, whether the New York resident is a client or an employee of your practice, the Act may apply to your practice.
THE ACT AND WHAT IT MEANS
The Act establishes three major changes by:
- expanding the definition of “private information” which may mandate data breach notification,
- broadening the definition of “breach,” and
- creating a new reasonable security requirement for organizations to protect the security, confidentiality and integrity of private information including, but not limited to, disposal of data.
Changes 1) and 2) became effective in 2019. However, change 3) related to the implementation of data security requirements may potentially be the most important change for many businesses, and will become effective on March 21, 2020.
1) Definition of “private information”
The Act expands upon the definition of “private information” which, if found to have been compromised or “breached,” may impose notification obligations upon an organization.
Historically, the data elements that were considered private information included the following:
- Personal Information (Name, number, personal mark, or other identifiers that can be used to identify a person)
- Social security number
- Driver’s license number
- Credit or debit card number
- Financial account number and accompanying security codes
The Act now expands upon the customary definition and includes other private information, including:
- Biometric information
- Email addresses together with the corresponding passwords, or with the corresponding security questions and answers
- Financial account number without a required security code (if an unauthorized individual would have the ability to access the account without additional identifying information, security code, access code or password)
While not all data elements listed above may appear relevant to a CPA practice (such as biometric information), many involve financial information of its clients and/or employees that CPA firms may obtain, or already hold.
2) Definition of a “breach”
The Act also expands upon the definition of the type of event that constitutes a “breach,” which is defined as:
“Unauthorized access to or acquisition of, or access to or acquisition without valid authorization of computerized data that compromises the security, confidentiality or integrity of private information maintained by a business.”
Previously, information had to be actively acquired in an unauthorized manner to trigger the incident or breach notification requirement. Under the new definition, if the organization has an indication that information was viewed, used, or altered by an unauthorized individual or a party who did not have valid authorization, notification would be required.
Suppose that a hacker has successfully gained access to a CPA’s email account through a phishing attack. Under the previous definition of a “breach,” the hacker would have to have acquired and exfiltrated (i.e. downloaded) information from the account to trigger notification requirements. Under the expanded definition of a “breach,” even if information was not explicitly exfiltrated, if the hacker could make use of the sensitive information simply by viewing or using it through their unauthorized access, a notification requirement may be triggered.
3) Reasonable security requirement
The “reasonable security requirement” is the most significant of the changes implemented by the Act. Organizations are now legally required to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of private information, including but not limited to, disposal of data.”
The “reasonable security requirement” requires an organization to implement a data security plan which defines administrative, technical, and physical safeguards. Below is the list of safeguards defined per the Act:
- Assess the sufficiency of safeguards in place to control the identified risk;
- Train and manage employees in the security program practices and procedures;
- Select service providers capable of maintaining appropriate safeguards, and require those safeguards by contract;
- Adjust the security program in light of business changes or new circumstances;
- Assess risks in network and software design;
- Assess risks in information processing, transmission and storage;
- Detect, prevent and respond to attacks or system failures;
- Regularly test and monitor the effectiveness of key controls, systems and procedures;
- Assess risks of information storage and disposal;
- Detect, prevent and respond to intrusions;
- Protect against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information; and
- Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
INTERPRETATION OF APPLICABILITY
The Act includes a provision for small businesses which enables some flexibility in the application of the aforementioned data security requirements, presumably to avoid overly burdening small businesses.
For small businesses that meet the following criteria, their safeguards need only be “appropriate for the size and complexity of the small business, the nature and scope of the small business’ activities, and the sensitivity of the personal information” they collect.
Small business criteria:
Small businesses that meet the following criteria may be exempt, if they have:
- Fewer than 50 employees
- Less than $3 million in gross annual revenues in the last three fiscal years, or
- Less than $5 million in year-end total assets
Additionally, organizations already required to comply with data breach requirements under other regulations[1] may be exempt from certain notification requirements of the Act. However, such organizations should still review the notification requirements specific to the Act to determine that the existing processes in place support compliance with the Act.
WHAT SHOULD I DO?
Consult with a data privacy attorney, or other experts, to determine how the Act applies to you and your firm. Practitioners with existing data security plans, or those that are required to implement a similar plan under other regulations, are encouraged to review their existing data security plan safeguards and requirements relative to the Act’s requirements. Doing so will likely result in the identification of overlapping elements and minimize potential duplication of effort. Determine how your firm should address the requirements given the technical nature of your firm’s structure, as well as the complexity of its operations.
Notably, the requirements of the Act also closely follow the National Institute of Standards and Technology’s (NIST) Cyber Security Framework, which may be leveraged as CPA firms pursue their statutory obligations.
If a firm experiences or suspects it has experienced a security incident, such as social engineering attacks (i.e. phishing), malware, or that data may have been accessed or acquired by other inappropriate means, the firm should consult its cyber and professional liability insurer to obtain assistance regarding an appropriate response and compliance with breach notification requirements. Firms also should consult with their agent or broker regarding coverage in the event of a data security incident. If a gap is identified, other products or endorsements may be available to provide insurance coverage for notification and other costs associated with an incident.
[1] Those required to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the New York Department of Financial Services Cybersecurity Regulations, or the Gramm-Leach-Bliley Act may be considered in compliance with the Act.
By Accountants Professional Liability Risk Control, CNA, 151 North Franklin Street, 17th Floor, Chicago, IL 60606.
This information is produced and presented by CNA, which is solely responsible for its content.
The purpose of this article is to provide information, rather than advice or opinion. It is accurate to the best of the authors’ knowledge as of the date of the article. Accordingly, this article should not be viewed as a substitute for the guidance and recommendations of a retained professional. In addition, CNA does not endorse any coverages, systems, processes or protocols addressed herein unless they are produced or created by CNA. CNA recommends consultation with competent legal counsel and/or other professional advisors before applying this material in any particular factual situations.
Any references to non-CNA Web sites are provided solely for convenience, and CNA disclaims any responsibility with respect to such Web sites.
To the extent this article contains any examples, please note that they are for illustrative purposes only and any similarity to actual individuals, entities, places or situations is unintentional and purely coincidental. In addition, any examples are not intended to establish any standards of care, to serve as legal advice appropriate for any particular factual situations, or to provide an acknowledgement that any given factual situation is covered under any CNA insurance policy.
Please remember that only the relevant insurance policy can provide the actual terms, coverages, amounts, conditions and exclusions for an insured. All CNA products and services may not be available in all states and may be subject to change without notice.
Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program.
“CNA” is a registered trademark of CNA Financial Corporation. Certain CNA Financial Corporation subsidiaries use the “CNA” trademark in connection with insurance underwriting and claims activities. Copyright © 2020 CNA. All rights reserved.