
In September 2020, the Sedona Conference released the public comment version of its Commentary on a Reasonable Security Test. The Commentary proposes a test modeled on the Hand formula, which courts use in negligence cases to decide whether a defendant's failure to take a precaution breached the duty of care.


B₂ - B₁ < (P x H)₁ - (P x H)₂


B represents the burden, P the probability of harm, and H the magnitude of harm. Subscript 1 denotes the security controls actually in place, and subscript 2 denotes the supplemental control that could have been added. Read as an inequality, the test says a supplemental control should have been adopted when its incremental burden (B₂ - B₁) is less than the reduction in expected harm it would have produced ((P x H)₁ - (P x H)₂).


Drawing an analogy to the foreseeability test in negligence, the guide asserts that someone responsible for information security should not be expected to address unknown risks.


The guide includes outlines for assessing risk in three scenarios:

1. a small company is responsible for consumer data for millions of customers.

2. a medium-sized company in the healthcare industry stores medical test results that are several years old.

3. a hospital with more than a billion dollars in annual revenue is responsible for protected health information (PHI).




In 2019, New York State passed new legislation, the Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act), N.Y. Gen. Bus. Law § 899-bb. The SHIELD Act requires businesses to implement reasonable safeguards to protect the security and confidentiality of the private information of New York State residents.


A business must adopt a data security program, and take the following measures:

  1. Designate one or more employees to coordinate and enforce the program.

  2. Identify reasonably foreseeable external and internal risks.

  3. Assess the adequacy of the safeguards, in particular evaluating:

    1. network risks

    2. software risks

    3. data processing risks

    4. data transmission risks

    5. data storage risks

  4. Provide training in the security program to its employees.

  5. Engage service providers who are contractually bound to implement the safeguards.

  6. Update the program as circumstances change.

  7. Respond to attacks or failures of its system.

  8. Test the effectiveness of its program.

  9. Dispose of information when it is no longer needed for any business purpose.

The SHIELD Act specifically directs that, when private information is disposed of, electronic media be erased so that the information cannot be read or reconstructed.


A small business, defined as one with fewer than 50 employees, less than $3M in gross annual revenue in each of the last three fiscal years, or less than $5M in year-end total assets, need only adopt safeguards proportional to the size and complexity of the business, the scope of its activities, and the sensitivity of the personal information it collects.


A business is deemed to be in compliance with the SHIELD Act if it is already subject to, and compliant with, any of the following:


1. Title V of the Gramm-Leach-Bliley Act, which governs consumer financial data held by financial institutions.

2. HIPAA.

3. The Health Information Technology for Economic and Clinical Health (HITECH) Act.

4. New York State's cybersecurity requirements for financial services companies, 23 NYCRR Part 500.

5. Any other data security rules or regulations of a federal or New York State department or agency.


The SHIELD Act expanded the definition of private information to include biometric information, and a username or email address in combination with a password or security question and answer, alongside the Social Security number, driver's license number, bank account number, and credit or debit card number already covered by earlier legislation.



  • Mar 8, 2021

Your computer can become infected with a rootkit, malicious software that gives an attacker privileged access to the machine while hiding its presence from the operating system and the legitimate software installed on it. If you want to supplement the rootkit scanning your antivirus software performs, you can download the free Sophos Rootkit Removal tool. It will also attempt to remove any rootkits it detects, without requiring the purchase of a paid license.


The Sophos tool is an on-demand scanner rather than a real-time one, so it will not interfere with your regular antivirus software.




Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea.
