What is the Stop Hacks and Improve Electronic Data Security (SHIELD) Act? How does it affect the residents of New York? What does it mean for the future of companies? Read on.
The past few years have seen data breaches affecting millions of people in ways ranging from harmless to disastrous. High-profile breaches at companies over the past three years alone have resulted in millions of users and individuals being placed at risk, and billions of dollars’ worth of data being seized. While the US government has taken some steps towards constructing stronger security frameworks on a national level, individual users must rely on state governments to protect their interests. In this regard, the response has been mixed, but there are positive signs on the horizon.
Most recently, the State of New York passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which sets requirements for companies to protect the data of New York residents. The law is one of several passed across the US at the state level with the aim of protecting individuals from companies that are increasingly exposed to threats and have repeatedly been found lacking in both protections and concern. With the damage wrought by breaches also on the rise, these new laws represent a significant change in the status quo for companies that have until now neglected their security and their users’ privacy.
Shielding Users From Negligent Tech Security
The increasing digitization of most day-to-day services—from e-commerce to paying utilities and even buying groceries—means that users’ data is held or partially owned by a variety of companies. Despite this expanded digital footprint, and the easy access malicious actors have to users’ information, corporations have been woefully slow to implement security measures that defend against current threats.
Most people still hold the common view that hacks and breaches are perpetrated by lone-wolf hackers and malicious actors sitting alone at their computers typing in lines of code. However, hacking today is far removed from these dated perceptions. Today’s attackers have grown more sophisticated, especially when it comes to state and enterprise-level targets. Rather than simply attempting to brute-force their way in, today’s hacking groups prefer the advanced persistent threat (APT) model. Rather than a constant stream of individual attacks, APT refers to long-term campaigns against corporations, enterprise companies, and even state actors, undertaken by large collectives.
APT attacks start when groups infiltrate targets’ networks and slowly expand their presence. After securing themselves, undetected, within servers and networks, these groups gain full access and can safely extract any amount of data they want or need, as well as do serious harm to existing infrastructure. These attacks have already been wildly successful, and companies have suffered in more than one way as a result. Equifax, for instance, ended up paying nearly $650 million to resolve claims that resulted from its massive 2017 breach in which 147 million consumers’ data was stolen.
Elsewhere, Quest Diagnostics was slapped with a class-action lawsuit following a breach that saw 12 million patients’ personal data leaked, while Capital One received a similar notice for a hack that saw 100 million users’ data compromised. Uber reached a settlement with all 50 states to pay a then-record $148 million after it failed to disclose a 2016 data breach.
What the SHIELD Act Means
New York’s SHIELD Act seeks to crystallize protections for individuals and set standards for companies that have access to users’ private information. The law clarifies what counts as a data breach (even including “access to data”, which lowers the threshold to simply viewing data without authorization rather than obtaining copies of it) and expands the enforcement capabilities and consequences for companies that fail to comply. Some of that language clearly stems from recent high-profile cases such as the Cambridge Analytica fiasco, where Facebook let the analytics firm access user data without users’ consent.
More importantly, the SHIELD Act raises the bar for security requirements, including the ways to test for and assess risks and vulnerabilities, the designation of people in charge of network security, and the development of better technical frameworks for security. For companies that already have security systems in place, this means creating better testing standards and tools to evaluate their protection. For those without strong security, it means having to invest in better infrastructure.
This will undoubtedly be a positive catalyst for the cybersecurity sector, which is already forecast to experience significant growth over the coming years. More specifically, the market for automated breach and attack simulation testing is set to reach over $720 million by 2024. This sector includes testing for APT alongside more immediate threats such as DDoS and malware attacks.
Stronger Standards, Safer Experiences
New York’s legislation raises the bar on data protection laws with sweeping language that clarifies a previously murky topic. Although most states already have data privacy laws on the books, many of them remain concerningly vague, or simply toothless when it comes to enforcement and actual consequences.
The SHIELD Act brings much-needed and welcome clarity to the matter, expanding the definition of a breach and creating a stronger framework for enforcement. With the number of breaches seemingly on the rise and companies still none the wiser, the SHIELD Act could be a serious motivator for upgrading to stronger security standards and constructing better user protections.