Are you Compliant with the New York SHIELD Act?

The New York Shield Act has broadly increased the scope of how “private information” is defined, and how it must be dealt with by any business that maintains the customer data of any citizen of the state of New York. The “Stop Hacks & Improve ELectronic Data Security” Act is an attempt to modernize the way that financial data is secured. It also expands the definition of a breach, and changes the threshold at which a company is obligated to disclose the theft of data to the state and to citizens of New York.

While there are many federal and state laws across the country with varying standards, SHIELD intermingles with some, but is written in such a way that it supersedes older laws, and applies more broadly than existing law in New York. Any business, of any size, in any state that collects Social Security numbers, W2 forms or other relevant financial data of a New York citizen breach notification components came into effect on October 23, 2019. The security safeguard requirements of the SHIELD Act will be in effect on March 21, 2020.

The new law broadly expands on requirements and specifies many new steps that companies must go through in the reporting of a data breach, and offers plenty of suggestions to create reasonable safeguards against malicious attack.

Data Breach Notification

The SHIELD Act amends New York’s existing laws to broaden the obligations of all businesses to notify customers of a breach. The big change in the definition of “private information” now includes e-mail addresses, biometrics, as well as security questions and answers for password and identity authentication in addition to the more typical definition that includes financial account numbers and personal contact data. SHIELD also expands the definition of a “data breach” from unauthorized acquisition to merely unauthorized access to private information. If any unauthorized person in the business environment could view the protected information of client, the data should be considered compromised.

Another significant change is that rather than simply notifying customers of a breach, the offending business party must also provide relevant links, phone numbers or other contact information for the agencies most appropriate to compensate for the specific types of compromised data. In some circumstances, this could include mandatory credit monitoring, but it could go as far as reporting specific cases to state and federal agencies for recovery and compensation of the individual affected parties.

Another shift is that for health care organizations which are bound to Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and are currently required to notify the Secretary of Health and Human Services of breaches under those regulations, the SHIELD Act adds the requirement to provide notification to the state Attorney General within ten business days of notifying the Secretary.

In-state businesses that experience a breach must also notify the New York State Office of Information Technology Services, who will provide a report on the scope of the breach and recommendations to improve the security of the system to the offending New York based business.

With such a large step in reporting requirements, it is crucial to make sure your compliance with SHIELD is up to par. If you are unsure, GoVanguard offers compliance assessment consultation and reporting as a first step to limiting your company’s exposure.

Safeguards

The SHIELD Act requires businesses to first be compliant with all other existing regulations like HIPPA… Businesses must also implement administrative, technical and physical safeguards to minimize risk.

This includes the following:

  • SHIELD requires staff to be trained to be in compliance with the new law.
  • Businesses must also have sufficient software and hardware controls, and they must maintain malware detection and protection tools. We recommend regular pentesting intervals to confirm the effectiveness of these systems.
  • The law may also mean records must be stored in a locked and monitored room and disposed of in accordance with very tight procedures.

While the law gives no leniency on penalties for small business, it does give some slack on standards that are “reasonable” and “appropriate” for the size of the business and the value of the data to comply with security standards.

Penalties

The SHIELD Act does not eliminate private rights to pursue restoration in court, but it does double the civil penalty from $10 to $20 per incident or $5,000, whichever is greater, for businesses who fail to sufficiently report a data breach. SHIELD also increases the statutory cap on the penalty from $150,000 to $250,000.

But even with the new and increased regulations and penalties, not everyone feels the Act goes far enough! Crane’s New York editorialist, Fouad Khalil, states:

“…the Shield Act, though a promising first step, is still very much a stopgap in the fight for complete consumer privacy. Organizations will still have more “control” over our private data because of a lack of enforcement.”

He goes on:

“At a time where consumer data protection is more important than ever, organizations trying to maintain sanity with all the laws and regulations must keep their privacy and security programs up to date. And government must be clear and forceful with the laws it is instituting. If both can play their part, this would be a victory for both consumers and businesses in New York.”

At GoVanguard, we recommend a systematic approach to information security. Carefully and simply implemented security protocols can minimize the risk of exposure to data breaches and the penalties the proceed them. In order to comply with The Shield Act, compliance protocols must be in place. That is why we have a rigorous cybersecurity risk assessment and program implementation regimen in place!

Reach out to us today and see how easy it is take control of your security and keep your brand’s reputation secure.

The Wawa credit card data breach is one of the worst retail failures of data security in recent history. 

Last week we reported on the consumer side of the Wawa credit card data breach that, as far as we can tell, affected every single swiped payment card between March and December 2019. In a nutshell, Wawa discovered a security breach back on December 10th, 2019 involving all of their POS systems, fast-forward to January 28th2020 and Wawa released a statement acknowledging that the recently stolen card holder data was featured on “Joker’s Stash”, a sprawling virtual hub of stolen card data that has served as the distribution point for accounts compromised in many of the retail card breaches. 

 This week, we will take a quick dive into some of the likely causes of the credit card data breach, baseline security controls that should have been in place, and some of the ways that GoVanguard recommends to help prevent security incidents like this from happening to your organization. 

Jokers Stash

Wawa Credit Card Data For Sale on “Joker's Stash”

 

So What Happened?

The root cause behind most data breaches perpetrated by external malicious actors (including this one) is typically poor implementation of administrative, technical and physical security controls. In the case of Wawa, malware was installed on multiple POS (point of sale) terminals – which is a common asset for malicious actors to target. 

The concerning part of the security incident, as told from Wawa’s own narrative, is that the malware was able to laterally move across multiple Wawa stores and all the way to central POS payment processing servers This means that it is likely that Wawa had no or poor network segregation in place which violates a core requirement of PCI-DSS: the standards which apply to all organizations that process card holder data (credit card and debit card transactions). It seems that Wawa did not have basic security and network segregation mechanisms in place like robust access control lists (ACLs) because physical stores should not be able to directly communicate between one another. Basic security controls like ACLs help prevent the lateral movement of malicious actors between information systems and contain the malicious actor to a specific location or system domain. 

Furthermore, the fact that the security breach went undetected for over nine months suggests that Wawa did not have any NIDS (network intrusion detection software) systemin place or it was not being monitored by staff – another PCI-DSS requirement for an organization like Wawa 

Lastly, Wawa unable to specify which stores were affected and which stores were not affected by the security breach. Wawa’s inconclusive response suggests that they had very little logs to analyze and pinpoint the exact lateral movement path of the malicious actor behind the security breachThis means there was probably no centralized logging facilities or SIEM (security information event management) in place – another PCI-DSS requirement for an organization like Wawa. 

Malicious Actor Attack Process

What Happens Next?  

The reputational and financial damage that this security breach will cause Wawa in the mid-long term is inestimable but Classaction.org says that the retailer is “swamped” with litigation; noting at least 11 major, federal lawsuits at this current moment.  

On January 29, 2019, Inspire Federal Credit Union added themselves to the list of plaintiffs. An unnamed, but official spokesman for Inspire Federal Credit Union stated 

“Furthermore, time will tell whether plaintiff is subject to an imminent threat of future harm because Wawa’s response to the data breach is so inadequate that it is doubtful that it has cured the deficiencies in its data security measures sufficiently to prevent a subsequent data breach.” 

Concisely put, it iapparent that Wawa had an immature information security program with deficiencies across many security controls including network segregation, malware detection, intrusion detection and centralized systems logging. All of these deficient security controls could have been enumerated and analyzed easily with a cybersecurity risk assessment, information security program gap assessment or network penetration test.  

 

What Can My Company Do To Avoid a Similar Breach?

The Wawa security breach demonstrates worst-case scenario for a retailer that depends on the trustworthiness of their brand, especially given the failure of so many basic security principles. 

GoVanguard is a cybersecurity provider on the forefront of an ever-changing, complex security landscape. We provide both snapshot-based and continuous security testing services including risk assessments and web/network penetration tests. 

Reach out to us today and see how easy it is take control of your security and keep your brand’s reputation secure.