Rebecca Rakoski is a co-founder and managing partner of XPAN Law Group, a woman-owned boutique law firm where her practice is devoted exclusively to cybersecurity and data privacy. Rakoski is a member of the New Jersey State Bar Association’s Cybersecurity Task Force. She spoke recently about the big changes coming to the world of cybersecurity thanks to the New York Shield Act, which was recently signed into law and goes into effect next March.
What is the Shield Act?
Laws have borders, but data moves back and forth across borders all the time. With the continued ascension of internet-based businesses, we are ordering things and conducting business from one state and may never leave it, but that data is traveling around the world. New York is saying we are going to protect the data of our residents regardless of whether it is travelling to another jurisdiction.
Sounds like an important law, but what reach does it have outside of New York?
The Shield Act applies to any organization that owns or licenses computerized data that includes private information of New York residents and must comply with breach notification requirements. The organization could be in New Jersey, Delaware, or anywhere. If an organization is collecting data, they are under the purview of the Shield Act.
What are the important changes as a result of the Shield Act?
It’s a revamping of New York’s data breach response laws. It was changed to bolster, expand and enhance the security of data for New York residents. First, it broadens the definition of a data breach. There are 50 different states with different laws about data breaches. But in most jurisdictions, you have to have a violation of what is called personally identifiable information (PII) in order to have a breach. The Shield Act broadens the traditional definition of what that triggering information is. Traditionally, that information was some combination of name, Social Security number, credit card information, user name and PIN (personal identification number). Now it has been changed to include things like biometrics and answers to security questions. By doing that, they are saying we are going to catch more in that net.
Another critical change is that before, an organization was only required to notify people that it had a data breach if data was actually acquired by a hacker. Now, a breach is any unauthorized access to information. It’s recognizing you don’t have to take the information in order for there to be a breach. A hacker can just break into an organization’s network for a law to be broken now. Essentially, your system was still compromised, even if they weren’t able to get the information. Someone still broke into your house, but just didn’t take anything.
Why does it matter that the definition of what a data breach is has changed?
Because if there is a breach, then there is an obligation to notify people that their data might have been compromised. Broadening the definition of what is a breach and what is a PII means that more incidents are going to be classified as breaches and trigger the reporting requirements.
That all makes sense for banks and stores, but why should attorneys be thinking about this?
When we are thinking about lawyers, they hold the crown jewel of information on their clients. Nine out of 10 times the information lawyers have on their clients constitutes PII: Social Security numbers, health information, birthdates. That is all sensitive information that would trigger obligations to notify people. Add to that the ethical obligations attorneys must obey to keep information confidential. On a related note, New Jersey law is moving in this direction and lawyers need to start thinking about it.
What can attorneys do to protect their information and client data?
Technology moves in dog years. Technology changes roughly the equivalent of seven years’ worth in a single year. Hackers come up with new ways to do things that we haven’t even thought of yet. The laws are struggling to keep up. It is really hard for businesses, including law firms, to figure out what to do.
That said, good data and security practices will help you avoid a whole litany of issues, especially for lawyers. We all need to develop and maintain appropriate safeguards that include administrative, technical and physical control of data. Lawyers should develop written policies and procedures about how to access and protect data. We can find experts to help our firms properly vet the systems we use. And it’s important to keep in mind physical considerations, like what can someone see on a computer by just walking past a window. This may seem daunting, but is very similar to the safeguards already in place due to HIPPA, so it’s absolutely manageable. We always like to say that luck favors the prepared— and a prepared attorney will be able to meet the changing threats in a digital world.