Cybersecurity Law Report Quotes Michelle Reed in Article Series on New York’s SHIELD Act

Michelle Reed, co-leader of Akin Gump’s cybersecurity, privacy and data protection practice, has been quoted by the Cybersecurity Law Report in a two-part series on the SHIELD Act, New York’s first data security law. Also known as the Stop Hacks and Improve Electronic Data Security Act, the law, which Reed described as “a significant shot across the bow for businesses,” requires any company that owns or licenses computerized data—including private information of even one New York resident—to create and maintain “reasonable” administrative, technical and physical safeguards to protect that information.

In the first article, “New York’s New Cybersecurity Standards: Expanding Definitions and Requirements,” Reed said certain exemptions from the law mean that it “will likely most significantly impact businesses outside of the health and finance sectors,” where the SHIELD Act “now provides concrete requirements for security compliance.”

Where there were broad requirements in the past to have various safeguards to data, Reed stated that the SHIELD Act goes much further. State regulators, she explained, “want to stop what they perceive to be lax security in an age of massive amounts of personal data.” In fact, as the article points out, the law requires notification when private information is just “accessed,” not simply “acquired.” Reed said this is because “there are many instances when data breaches occur but they are stopped before data is stolen.”

In the second article installment, “New York’s First Mandated Cybersecurity Standards: A Compliance Roadmap,” Reed said the new law is “unlikely to cause a significant uptick in enforcement. Rather, it will likely simply make it easier for the state to pursue actions that were previously enforced by the FTC or other regulators.”

Reed said the breach notification revisions of the law are “unlikely to require significant changes to incident-response protocol. It will simply require notice in some additional scenarios.” The reasonable security requirement, however, is more of a challenge, she said, particularly “the requirement for businesses to select service providers capable of maintaining appropriate safeguards and require those safeguards by contract,” which she said will result in “very detailed contract review, auditing of the security systems of service providers and many other challenges for handling service providers.”

Reed then detailed some specific steps to take with regard to compliance, advising companies to “work with a specialist who understands the interplay of the various privacy and security laws and regulations to ensure that any compliance program built will minimize risk of enforcement.”

The expansive reach of the New York law may encourage other states to copy it, Reed noted, adding that the SHIELD Act “will likely set a de facto baseline for security. Although it is not a legal definition of reasonableness and there will be many defenses available to an argument that it establishes the standard,” she continued, “there is no doubt that regulators and innovative plaintiff lawyers will attempt to use this as a new standard going forward.”