BAR REPORT - Cross-Examination
Cybersecurity update on what the New York Shield Law means for New Jersey attorneys
September 16, 2019 at 08:00 AM
Rebecca Rakoski is a co-founder and managing partner of XPAN Law Group, a woman-owned boutique law firm where her practice is devoted to cybersecurity and data privacy. Rakoski is a member of the New Jersey State Bar Association's Cybersecurity Task Force. She spoke about the big changes coming to the world of cybersecurity thanks to the New York Shield Act, which was signed into law this summer and goes into effect next March.
What is the Shield Act?
Laws have borders, but data moves back and forth across borders all the time. With the continued ascension of internet-based businesses, we are ordering things and conducting business from one state and may never leave it, but that data is traveling around the world. New York is saying we are going to protect the data of our residents regardless of whether it is traveling to another jurisdiction.
Sounds like an important law, but what reach does it have outside of New York?
The Shield Act applies to any organization that owns or licenses computerized data that includes private information of New York residents and must comply with breach notification requirements. The organization could be in New Jersey, Delaware, or anywhere. If an organization is collecting data, they are under the purview of the Shield Act.
What are the important changes as a result of the Shield Act?
It's a revamping of New York's data breach response laws. It was changed to bolster, expand and enhance the security of data for New York residents. First, it broadens the definition of a data breach. There are 50 different states with different laws about data breaches. But in most jurisdictions, you have to have a violation of what is called personally identifiable information (PII) in order to have a breach. The Shield Act broadens the traditional definition of what that triggering information is. Traditionally, that information was some combination of name, Social Security number, credit card information, user name and PIN (personal identification number). Now it has been changed to include things like biometrics and answers to security questions. By doing that, they are saying we are going to catch more in that net.
Another critical change is that before, an organization was only required to notify people that it had a data breach if data was actually acquired by a hacker. Now, a breach is any unauthorized access to information. It's recognizing you don't have to take the information in order for there to be a breach. A hacker can just break into an organization's network for a law to be broken now. Essentially, your system was still compromised, even if they weren't able to get the information. Someone still broke into your house, but just didn't take anything.
Why does it matter that the definition of what a data breach is has changed?
Because if there is a breach, then there is an obligation to notify people that their data might have been compromised. Broadening the definition of what is a breach and what is a PII means that more incidents are going to be classified as breaches and trigger the reporting requirements.
That all makes sense for banks and stores, but why should attorneys be thinking about this?
When we are thinking about lawyers, they hold the crown jewels of information on their clients. Nine out of 10 times the information lawyers have on their clients constitutes PII: Social Security numbers, health information, birthdates. That is all sensitive information that would trigger obligations to notify people. Add to that the ethical obligations attorneys must obey to keep information confidential. On a related note, New Jersey law is moving in this direction and lawyers need to start thinking about it.
What can attorneys do to protect their information and client data?
Technology moves in dog years. Technology changes roughly the equivalent of seven years' worth in a single year. Hackers come up with new ways to do things that we haven't even thought of yet. The laws are struggling to keep up. It is really hard for businesses, including law firms, to figure out what to do.
That said, good data and security practices will help you avoid a whole litany of issues, especially for lawyers. We all need to develop and maintain appropriate safeguards that include administrative, technical and physical control of data. Lawyers should develop written policies and procedures about how to access and protect data. We can find experts to help our firms properly vet the systems we use. And it's important to keep in mind physical considerations, like what can someone see on a computer by just walking past a window. This may seem daunting, but is very similar to the safeguards already in place due to HIPAA, so it's absolutely manageable. We always like to say that luck favors the prepared—and a prepared attorney will be able to meet the changing threats in a digital world.
© 2025 ALM Global, LLC, All Rights Reserved.