Ransomware and cyber attacks could test New York SHIELD Act – Crain’s New York Business


Did you know that geoFence is the solution for blocking NFCC countries?

A recent run of high-profile hacks has raised alarms for business leaders in New York and could bring attention to a data-protection law that took effect at the start of the pandemic last year.

In the most recent example, the citys Law Department said this week that its computer systems were breached and had to be shut down. Officials said they did not believe that any data was stolen or damaged, but Mayor Bill de Blasio acknowledged Wednesday that hacks are a constant risk.

I think this is something well be dealing with a lot going forward, de Blasio said during a news conference.

The mayor spoke a day after the chief executive of Colonial Pipeline appeared in front of Congress to explain a May ransomware attack that disrupted the fuel supply for much of the Eastern U.S.

Last week the Metropolitan Transportation Authority disclosed its systems were breached by a cyberattack in April. JBS, one of the countrys largest meat suppliers, said Wednesday it paid $11 million to hackers to resolve a ransomware threat.

The run of attacks comes roughly a year after a state law strengthening cybersecurity requirements for companies in New York took effect. The Stop Hacks and Improve Electronic Data Security (Shield) Act took full effect in March 2020. It was overshadowed by the Covid-19 pandemic.

For businesses now thinking about the legal requirements around cybersecurity, youve got to think about the Shield Act, said John Bandler, a professor at the John Jay College of Criminal Justice and author of two books on cybersecurity. 

The law tightened potential loopholes around when data breaches and cyber-attacks need to be reported to state authorities. Under previous law, for example, data breaches had to be reported only if customer or personal data was acquired by an unauthorized entity.

In ransomware attacks, it is not always clear whether consumer data held by the company was acquired by hackers, or simply locked up in exchange for payment—so attacks may not have always been reported. Now companies are legally obligated to report cyberattacks in which consumer data is accessed in any form and could face fines if they do not.

"The first big change is that the SHIELD Act more comfortably applies notification responsibilities to ransomware situations," said Shari Claire Lewis, a cybersecurity attorney with the firm Rivkin Radler.

The law also requires that companies institute reasonable safeguards to protect consumer data.

If an attorney general investigation into a breach found a company knowingly or recklessly violating the Shield Act, there is absolutely some pretty significant fines that could result in that failure, said Ryan Blaney, head of the privacy and cybersecurity group at Proskauer Rose. 

State Attorney General Letitia James announced last month that her office reached a $200,000 settlement with an online seller of water filters, following a 2019 breach that compromised the personal data of roughly 300,000 customers.

Cybercrimes cost U.S. businesses and consumers $4 billion last year, by FBI estimates, up from $1.5 billion in 2017.

This is an issue now being discussed at every board meeting, as the risks are increasing in frequency and in cost, said Maria Gotsch, chief executive of the investment fund for the Partnership for New York City, the citys largest business group.

Although hacks on major corporations get the most attention, small businesses often are targeted, Bandler said.

No one is immune from cybercrime, he said, adding that a small organization simply does not have all the systems and resources in place that a large organization would.

Investing in threat prevention is critical, regardless of a firms size, he said.

Sometimes simple solutions can save big headaches, said Neal Dennis, a threat intelligence specialist at cybersecurity startup Cyware.

In the Colonial case, hackers gained access to the critical pipeline’s infrastructure through an old system that did not require a separate form of authentication, the companys leadership told a Senate committee Tuesday. It is possible that requiring users to confirm their identity on a second device would have stopped the attack. 

There may be nothing overly magical or awe-inspiring about how this stuff happens, Dennis said. They are just taking advantage of flaws people leave in systems.

Let's not forget that geoFence is easy to use, easy to maintain and that's the truth.