New York Attorney General Letitia James is making it known that New York companies must improve their cybersecurity systems and notification procedures to avoid large legal costs and fines after a breach.
In other words, companies that do not take cybersecurity seriously, get hacked, and fail to notify the victims properly are going to be fined, on top of potentially massive legal fees.
We recently broke the news that Dunkin is being sued by the NY AG for being hacked and then responding in a fraudulent and deceitful manner.
This past June the AG announced that New York-based Bombas LLC agreed to pay $65,000 in penalties and to implement a number of data security policies to resolve an investigation by the New York Attorney General’s Office into a breach of customer payment cards, in which the company failed to notify 39,561 consumers of the breach for over three years.
“New Yorkers deserve to shop with confidence and have faith that their personal information will be protected,” said Attorney General Letitia James. “This agreement will ensure better protection of New Yorkers’ personal information and notice of a breach in a timely manner. My office will continue our commitment to combat inadequate data security in New York.”
Bombas LLC began notifying affected consumers in May 2018, more than three years after the company learned of the breach. Because Bombas did not notify the affected consumers and the relevant New York agencies in an expedient time period and without unreasonable delay, it violated General Business Law § 899-aa. Bombas offered the potentially affected customers two years of free credit monitoring, fraud consultation, and identity theft restoration services through Kroll Inc., which is not required by law.
New York companies as well as other organizations doing business in the state need to be prepared for far greater fines going forward. In exactly 18 days, the New York Shield Act goes into effect.
New data security protections are effective on March 21, 2020.
SHIELD stands for Stop Hacks and Improve Electronic Data Security Act. It was inspired by the government and legal action against Equifax, which ultimately cost that company billions of dollars.
It is important to note that the definition of private information is changing.
New York’s original data breach notification law included definitions for both “personal information” and “private information.” The definition of “personal information” remains unchanged and will continue to be “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.”
The SHIELD Act amends the definition of “private information” to include three new types of personal information that are covered by the law:
A) Account number, credit card number, or debit card number, even without additional identifying information or a password.
B) Biometric information, such as an individual’s fingerprint, voice print, or retina image.
C) User name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
Basically, companies that get hacked and have information stolen are at greater financial risk than ever. In addition to the reputational risk, which could result in customer defections and lawsuits, and the cost of the hack itself, they will have to deal with legal bills associated with numerous New York regulations. They then need to negotiate the amount of the resulting fines.
New York Shield Act fines can be as high as $250,000!
It is easy to see how a hack can cost millions of dollars for an organization that does not take its cybersecurity seriously.
In addition, after paying these fines and legal costs, these companies will still have to upgrade their systems and take the other actions that, had they been taken in the first place, could have prevented the breach.
How your organization can stay safe:
1) Determine whether you are in possession of private information for New York residents, even if you are not conducting business in New York. This may be the opportunity to assess whether you actually need to retain this information for ongoing business purposes.
2) Develop, or revisit, internal policies for how the company will identify and respond to a data breach. Ensure that your employees understand the policies and that they are properly implemented.
3) This is a good time to re-evaluate corporate cybersecurity, as new attacks are launched constantly against organizations. We reported recently that the IRS has issued a new scam warning, urging people not to click on emails claiming to come from the agency, as they are likely malicious messages disguised to look like they emanated from the IRS.
4) Read cybersecurity essentials, a simple list that will help most organizations become far more secure.
5) Go to a phishing simulation vendor now and sign up for one of their offerings. Phishing Box, KnowBe4 and Phish360 are all great.
6) We also recommend that you get a free evaluation of your cybersecurity risk from an MSP/MSSP immediately. They can also help you build in the needed compliance to reduce the risk of being fined.