Law Firms Should Not Forget Upcoming New York SHIELD Act Safeguards Deadline

Joseph DeMarco, Partner, DeVore & DeMarco LLP

Just as many companies and their outside counsel have temporarily caught their breath in the run-up to the California Consumer Privacy Act compliance deadline, it is important to remember that portions of the New York SHIELD Act[i] are going into effect soon that affirmatively require any person or business handling New York resident private information to establish reasonable safeguards to protect it. Although law firms are not often part of the conversation on breaches of personal data, they are rich repositories of sensitive, nonpublic data. As such, law firms would be well advised to give serious consideration to whether they are meeting their duty to keep the private data within their possession secure.

The sensitive client information that law firms possess is highly desirable to criminals. In 2016, for example, the F.B.I.’s cyber division issued a warning that criminals were soliciting technically proficient hackers to access the systems of international law firms and obtain non-public information to trade on. Later that year, federal prosecutors charged three Chinese nationals with insider trading that yielded $4 million in profits based on information gained by hacking two unnamed law firms.[ii]

Insider trading is far from the only data risk that law firms face. The volume of ransomware attacks has exploded in recent years. The most notable incident occurred in 2017, when the NotPetya ransomware seriously affected DLA Piper—one of the world’s largest law firms—for several days and required a massive, expensive remediation. But because these criminals know that the public exposure of confidential client information would pose an existential threat to a law firm, firms of all sizes have been subject to extortion. In early 2020, a hacker group called Maze successfully targeted several small law firms in several different states. Indeed, some security professionals believe that hackers prefer to target smaller law firms because they are less likely to have the infrastructure to prevent an attack.

All law firms are likely in possession of some private information, even if it is limited to that of their own employees. For example, in a 2017 phishing incident, Jenner & Block inadvertently exposed employee W-2s—which contain social security numbers—to probable identity thieves. But many firms should also pay attention to the private data they may be collecting from clients without realizing it, which would trigger a reporting obligation if that information were accessed or acquired by a malicious actor. An enormous amount of information is collected and exchanged in the course of discovery, and much of it is shared with and analyzed by third-party vendors and contract attorneys.

Although the compliance obligations are more modest than those faced by CCPA-regulated entities, the SHIELD Act nonetheless will require firms that own or license New York resident information, regardless of whether the firm does business in the state, to think about what categories of information they possess and the measures they have taken to keep it safe from unauthorized third parties.

Specifically, the SHIELD Act requires that by March 21, 2020, companies that own or license New York resident data “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.” Although the statute expressly precludes a private right of action, failure to comply with this requirement can result in significant civil penalties. The statute provides a long, non-exhaustive list of administrative, technical, and physical safeguards that it considers reasonable and that will satisfy the statute. Small firms—those that have fewer than 50 employees, less than $3 million in gross revenue in each of the last three years, or less than $5 million in assets—are subject to the reasonable safeguards requirement, but the safeguards only need to be “appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.”

Determining what this means for your firm will entail careful attention to how the provisions are enforced after March 21 and an ongoing assessment of the firm’s potential risk and the adequacy of its existing data protection protocols. General counsel will need to identify and work with key internal stakeholders in firm management, information technology, and human resources to fully assess the following:

  • Administrative
    • Is there an employee who is responsible for data security?
    • What are the reasonably foreseeable internal and external risks?
    • Are the safeguards already in place adequate?
    • Are employees adequately trained in data privacy practices and procedures?
    • Are service providers capable of providing appropriate safeguards?
    • Do contracts with service providers require adequate safeguards?
    • Has the firm adjusted the security program in light of business changes or new circumstances?
  • Technical
    • How robust are the technical protections in place and do they adequately reflect risk?
    • What are the risks in information processing, transmission, and storage?
    • How well do firm systems detect and prevent attacks or system failures?
    • How often are key systems tested and monitored?
  • Physical
    • How does the company handle and dispose of information?
    • What protocols are in place to detect and prevent unauthorized physical access to information?
    • How well does the firm protect against unauthorized access to or use of private information during or after collection, transportation, and destruction or disposal of the information?
    • Does the firm dispose of private information within a reasonable amount of time after it is no longer needed for business purposes?[iii]

The importance of conducting an adequate risk assessment and adopting appropriate controls is underscored by other amendments to the law that went into effect last year and had the practical effect of broadening the circumstances under which a breach is reportable. First, the statute broadened the categories of information that trigger a notification obligation in the event of a breach. The new definition adds the following classes of information:

  • Biometric information;
  • Account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password;
  • A user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.[iv]

The SHIELD Act also significantly amends the definition of a qualifying breach. Under the prior law, only breaches resulting in “unauthorized acquisition of data” would trigger the statute. Now, mere “unauthorized access” to private information will qualify as a breach.[v] In determining whether information has been accessed (or is reasonably believed to have been accessed), a “business may consider, among other factors, indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.”

Although these amendments expand the scope of scenarios that qualify as a breach, the statute brings New York’s law into alignment with the vast majority of other states by requiring a risk-of-harm analysis before determining that the breach creates any legal obligation to notify. Under the new law, notification will not be required “if the exposure of private information was an inadvertent disclosure and the individual or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.” Such a determination must be documented in writing and retained for five years, and any incident affecting over 500 residents must be reported to the Attorney General. This is a significant improvement over the previous law, under which even minor breaches that posed no real risk to consumers often required notification to consumers—which would sometimes be accompanied by unnecessary expense and reputational risk to the company.[vi]

Compared to most other companies, law firms face a unique and possibly existential harm in the event of a breach—the duty of confidentiality is, after all, a foundational principle of the profession. Firm management would be well served to take stock of the private information within their possession and evaluate whether current controls meet the new statutory requirements.


[i] The act amended N.Y. Gen. Bus. Law § 899-AA and created N.Y. Gen. Bus. Law § 899-BB.

[ii] U.S. v Hong et al., case number 1:16-cr-00360, in U.S. District Court for the Southern District of New York.

[iii] N.Y. Gen. Bus. Law § 899-BB(2) contains a list of these safeguards.

[iv] N.Y. Gen. Bus. Law § 899-AA(1)(b).

[v] N.Y. Gen. Bus. Law § 899-AA(1)(c).

[vi] N.Y. Gen. Bus. Law § 899-AA(2)(a).