Shifting the Risk of Cybercrime

I recently had a conversation with a prospective client about cybersecurity readiness. The client is a law practice, owned and run by a member of the NYSSCPA. It took many tries to reach the designated contact person, and when we did connect, the conversation went like this:

Client: What is it you’re doing?

SonMax: Your owner indicated that they wanted you to speak to me about how I can help you understand cyber risk and take appropriate steps to minimize risk.

Client: I’ve spoken to 18 cybersecurity businesses since September and I’m tired of speaking to techies.

SonMax: I understand, but we do not focus on the technology; we focus on the business risk.

Client: I get that, but I have a great backup solution and don’t want to waste your time or mine. Have a nice day.

This call is all too familiar. While the consequences of this attitude have so far been minimal, that is about to change. New York State has enacted the Stop Hacks and Improve Electronic Data Security (Shield) Act, which goes into effect on March 21, 2020. It applies to “any person or business which owns or licenses computerized data” that either is based in New York or does business with customers who live in New York.

A backup solution alone does not make a business compliant with the Shield Act, as highlighted in Exhibit 1. Noncompliance carries increased penalties for businesses, up to $250,000. In addition, the Shield Act expands the definition of a data breach and now requires that businesses notify all affected individuals, even if no exfiltration of data occurs. In other words, mere unauthorized access to data by a third party will constitute a data breach and mandate notification and remediation.

Exhibit 1

Shield Act Section 4(2)(b)(ii)

A person or business shall be deemed to be in compliance with paragraph (a) of this subdivision if it … implements a data security program that includes the following:

  • reasonable administrative safeguards such as the following, in which the person or business:
    • designates one or more employees to coordinate the security program;
    • identifies reasonably foreseeable internal and external risks;
    • assesses the sufficiency of safeguards in place to control the identified risks;
    • trains and manages employees in the security program practices and procedures;
    • selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
    • adjusts the security program in light of business changes or new circumstances; and
  • reasonable technical safeguards such as the following, in which the person or business:
    • assesses risks in network and software design;
    • assesses risks in information processing, transmission, and storage;
    • detects, prevents, and responds to attacks or system failures; and
    • regularly tests and monitors the effectiveness of key controls, systems, and procedures; and
  • reasonable physical safeguards such as the following, in which the person or business:
    • assesses risks of information storage and disposal;
    • detects, prevents, and responds to intrusions;
    • protects against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information; and
    • disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

Requirements for Large and Medium-sized Businesses

The requirements for large and medium-sized businesses will now be more stringent. In New York alone in 2018, there were over 15,000 businesses with revenue greater than $10 million, which will now be obligated to follow all of the requirements of the Shield Act. All businesses, regardless of size, will have to designate one or more individuals who are responsible for cybersecurity within the organization and who are obligated to report any breach to the New York Attorney General’s office within 10 days of the discovery of the breach, as well as inform all affected individuals via written, electronic, or telephone notification. While this may sound easy, it presents a new challenge to businesses.

First, businesses cannot report a breach if they are unaware that the breach occurred, and they will not be aware of a breach unless they have an active scanning schedule to determine whether a breach occurred. Second, the New York State Attorney General can—and likely will—use a “reasonable time” test to determine whether the breached organization was taking proper precautions. Anything over one year will be viewed as failing the reasonable time criterion; based upon the nature of the business and how the Shield Act is adjudicated in the courts, a shorter period may emerge. Time will therefore be a critical element going forward. Areas that will now be time sensitive include the following:

  • Formal designation of responsible parties (this must be written and published)
  • Formal, written data security program
  • Cybersecurity risk assessments
  • Cybersecurity monitoring
  • Annual training and certification of training
  • Incident response planning and testing
  • Third-party vendor cybersecurity certification tracking
  • Penetration testing
  • Data destruction program (businesses will now be obligated to destroy and document the destruction of data that is not required for ongoing business or legal holds, including data stored on backups).

Any business not following all of the above will be deemed out of compliance with the Shield Act.

Exceptions for Small Businesses

Businesses with fewer than 50 employees, annual revenues of less than $3 million in each of the last three consecutive years, or less than $5 million in year-end total assets under GAAP will have fewer responsibilities. Small businesses must be in complete compliance with the following (Exhibit 2):

  • Formal designation of responsible parties
  • Formal, written data security program
  • Cybersecurity risk assessments
  • Cybersecurity monitoring
  • Third-party vendor cybersecurity certification tracking.

Exhibit 2

Shield Act Definition of a Small Business

“Small business” shall mean any person or business with (i) fewer than fifty employees; (ii) less than three million dollars in gross annual revenue in each of the last three fiscal years; or (iii) less than five million dollars in year-end total assets, calculated in accordance with generally accepted accounting principles [Section 4(1)(c)].

A small business as defined in paragraph (c) of subdivision one of this section complies with sub-paragraph (ii) of paragraph (b) of subdivision two of this section if the small business’s security program contains reasonable administrative, technical, and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers [Section 4(2)(c)].

Time Is Running Out

While there are many technical elements to the requirements in the Shield Act, the primary concerns for all organizations will be business related. Business processes, policies, and procedures must all be updated. The New York State Attorney General has already fined businesses in excess of $600 million for cybersecurity issues based on previous law, and these fines can be expected to increase significantly. This is a fully auditable issue and should be part of what CPAs discuss with their clients, as well as their own firms, moving forward.