The SHIELD Act will impose substantial new obligations on any employer with an employee residing in New York State, as well as on many employers across the country that conduct online hiring.
Recent headlines have raised significant concerns about the possibility of cyberattacks on U.S. businesses as a result of the heightened tensions with Iran. The Department of Homeland Security, through its Cybersecurity and Infrastructure Security Agency (CISA), has published alerts and guidance recommending heightened awareness and vigilance. Industry-specific warnings have been issued to regulated entities by other agencies; for instance, advisories concerning threats to the financial system and banks have recently been sent by the Federal Reserve and the New York State Department of Financial Services (NYDFS).
These warnings should be taken seriously, and companies should strongly consider implementing the recommendations contained in them. That is particularly true because cyberattacks by nation-states have caused significant business disruption, leading to large expenses to restore the business, compensate consumers and cover legal and regulatory defense costs and liabilities. For example, North Korean attacks in 2014 reportedly cost Sony Pictures millions in IT costs, lost income on the movie The Interview and legal expenses, in addition to the embarrassment of its internal emails being publicly released. And NotPetya, destructive ransomware allegedly launched by Russia, reportedly caused more than $10 billion in total damages. NotPetya affected organizations in almost every industry, including pharmaceutical companies, law firms and logistics companies.
Legal and regulatory expectations for cybersecurity are also increasing, as recent new laws require companies to devote more attention and resources to cybersecurity, and that serves as another reason to seriously heed warnings about possible Iranian cyberattacks. Finally, and perhaps most importantly, the overwhelming number of Iran-related warnings could well serve as compelling evidence that attack victims were “on notice” of this new wave of cyber threats, and thus that companies were required to take reasonable mitigation measures.
No economic sector is truly immune from these warnings either. As DHS CISA pointed out in its alert, Iran has conducted numerous serious, high-profile cyberattacks over the past decade and is known to have significant and sophisticated cyber capabilities. Its cyberattacks have targeted various industry sectors, including financial services, energy, government facilities, chemical, healthcare, critical manufacturing, communications and the defense industrial base. The DHS CISA alert recites numerous high-profile and significant attacks attributed to Iran, including a multi-year, massive cyber theft campaign conducted on behalf of the Islamic Revolutionary Guard Corps.
Given these notices, businesses should consider reasonable mitigation measures. Possible steps companies may want to take include:
By March 21, 2020, all companies that have private information about New York residents will need to adopt reasonable data security safeguards to protect the confidentiality of that data. Companies are exempt from this law if they can show that they are compliant with certain other cybersecurity legal requirements, namely GLB and 23 NYCRR 500. The SHIELD Act greatly expands New York’s requirements that companies holding data relating to New Yorkers adopt comprehensive cybersecurity programs. The safeguards can be tailored to the size and complexity of the company but must at a minimum include:
Companies that have not yet done so should examine their cybersecurity program for SHIELD Act compliance and consider updating the program promptly if it does not meet the New York requirements. We can help you assess your current program, develop policies, procedures, training and testing for your team, and develop appropriate practice exercises.