A blog by Chris Kirchov on Cybersecurity and the Law
I recently read an article published in CISO Magazine on June 26, 2019, about a bill passed by the New York Legislature to strengthen the state's data breach law. The article introduced the bill, gave a brief synopsis of its purpose, included comments from New York Attorney General Letitia James and from the bill's sponsor, Senator Kevin Thomas, and compared the bill to similar initiatives in other parts of the world.
Now, before I say anything further on this topic, there is something I must confess. The first thing that really caught my interest in the article was the name of the bill. Being a true fan of the Marvel Comics and Cinematic Universe, there was no way my eyes and mind would let me skim past this. The bill is nicknamed the SHIELD Act, which in this case stands for Stop Hacks and Improve Electronic Data Security. Quite the stretch to get the acronym SHIELD to fit, but if capturing our attention was the goal, then yup… I'd say they nailed it.
So what is the SHIELD Act? The intent of this new bill is to boost cybersecurity practices within EVERY organization that holds the private information of New York residents, whether or not that organization does business in New York, by:
– Expanding the scope of customer information covered under previous cybersecurity laws
– Broadening the definition of a data breach to include the unauthorized access of private info
– Creating updated security requirements tailored to the organization’s size
– Updating the notification procedures each organization must follow after a breach
– Increasing penalties for non-compliance with the requirements and/or notification protocol (up to $5,000 per violation!)
Fantastic! But what about Tennessee? Is there a SHIELD Act for us? Why, certainly! Though not as eye-catching or as ground-breaking as the New York SHIELD Act, Tennessee has its own data breach statute, most recently amended by Senate Bill 547, which was signed into law on April 4, 2017. Like the New York SHIELD Act (I cannot get enough of saying that), SB 547 defines the customer data it covers, the notification obligation, the exception criteria and the compliance requirements. And just as New York has now updated its law, further amendments to Tennessee's statute should certainly be expected.
So what can your organization do to ensure compliance? The first thing every company should do is read the bill in its entirety, determine which size category it falls into and conduct an internal audit of its cybersecurity program against the safeguards the bill expects of that category. The next crucial step is to have a qualified independent assessor conduct an annual audit and document the results. The bill itself does not require third-party certification, but an independent assessment is the most credible way to demonstrate that the safeguards it requires are actually in place and working.
If you find a gap between your current and required security posture, I encourage you to address it as soon as possible, ideally before your independent assessor comes in.
If you have further questions, consult with your cybersecurity partners at Bedroc.