Three Ways Businesses Can Use the SHIELD Act to Protect Against Rising COVID-19 Cyber Fraud

April 8, 2020 | Alerts

While the COVID-19 pandemic has slowed the world economy to a crawl, the pace of cyberattacks has only increased as cybercriminals exploit the outbreak to steal money and valuable private information from businesses. Law enforcement organizations, including the Department of Justice and FBI, are warning of new cyber fraud schemes that include emails offering links to information on the coronavirus that instead deliver malware that extracts private information or locks the user’s computer until a ransom is paid. 

To combat COVID-19 cyber fraud, businesses can adopt the three safeguards included in the Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act) and gain the added benefit of achieving compliance with this new law. Effective March 21, 2020, the new data security law requires businesses to maintain a data security program that includes reasonable administrative, technical and physical safeguards to protect private information. 

Here is how the SHIELD Act’s three safeguards can help companies protect themselves during the pandemic and avoid the uncapped civil monetary penalties the law authorizes for failure to comply with data security standards.  

Determine if the Business is Subject to the SHIELD Act

The SHIELD Act applies to a company — wherever it conducts business — if it owns or licenses the private information of just one New York resident. Generally, the Act defines private information as personal information about a New York resident that can identify them (for example, a name) in combination with any one or more of the following:

  • Social Security number;
  • driver’s license number or non-driver identification card number;
  • account number, credit or debit card number that could be used either alone or with additional information (for example a password) to access a person’s financial account; or
  • biometric information (for example a fingerprint or voice print).

Private information also includes a username or e-mail address in combination with a password or security question and answer that would permit access to a person’s online account. 

Businesses that already comply with certain other data security laws (for example HIPAA) are deemed to comply with the data security program requirement of the SHIELD Act. Businesses to which the act applies should have a data security program that includes the three safeguards described below. 

Implement the SHIELD Act’s Three Safeguards

A robust data security program is essential for protecting any business. The Department of Justice warns that cyber criminals will likely adapt their schemes to find new ways to exploit COVID-19. There is no one-size-fits-all model of what should go into a program, but it should be appropriate to a business’s size. By incorporating the SHIELD Act’s reasonable administrative, technical and physical safeguards, businesses can mitigate the increase in COVID-19-related cyber fraud and achieve compliance to avoid uncapped civil monetary penalties.

1.  Adopt Reasonable Administrative Safeguards

The Act provides the following reasonable administrative safeguards:

  1. Designate one or more employees to coordinate the security program.
  2. Identify reasonably foreseeable internal and external risks.
  3. Assess the sufficiency of safeguards in place to control the identified risks.
  4. Train and manage employees in the security program practices and procedures.
  5. Select service providers capable of maintaining appropriate safeguards and require those safeguards by contract.
  6. Adjust the security program in light of business changes or new circumstances.

A business should not wait until it falls victim to a COVID-19 cyber fraud scheme to advise its employees of this new risk. Now is the time to provide training and ways to report suspicious emails relating to COVID-19. In addition, companies should ask service providers what they are doing in light of the increase in cyberattacks to protect their information. 

2.  Adopt Reasonable Technical Safeguards

The Act provides the following reasonable technical safeguards:

  1. Assess risks in network and software design.
  2. Assess risks in information processing, transmission and storage.
  3. Detect, prevent and respond to attacks or system failures.
  4. Regularly test and monitor the effectiveness of key controls, systems and procedures.

Consider penetration testing that simulates a cyberattack on your computer system to evaluate its security. By finding the weaknesses in their systems before cybercriminals do, companies can mitigate COVID-19 cyber fraud. 

3.  Adopt Reasonable Physical Safeguards

The Act provides the following reasonable physical safeguards:

  1. Assess risks of information storage and disposal.
  2. Detect, prevent and respond to intrusions.
  3. Protect against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information.
  4. Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

In light of the increase in COVID-19 cyberattacks, businesses should revisit their retention policies. Keeping data longer than necessary increases the opportunity for cybercriminals to obtain private information. If information serves no business or legal purpose, take appropriate steps to dispose of it. 

Takeaway

Cyberattacks are on the rise during the COVID-19 pandemic. Businesses can prevent cyber criminals from obtaining their valuable private information by incorporating the SHIELD Act’s administrative, technical and physical safeguards into their data security programs. This will have the added benefit of achieving compliance with the new law that went into effect March 21, 2020, avoiding its uncapped civil monetary penalties for failure to meet data security standards.
