Rome Lab selected for quantum economic development consortium

Get our email updates

Stay up-to-date on the companies, people and issues that impact businesses in Syracuse, Central New York and beyond.

ROME — The Air Force Research Laboratory in Rome (Rome Lab) will be the U.S. Department of Defense’s (DOD) leading representative on the quantum economic development consortium (QED-C). Rome Lab serves as the lead Air Force Research Laboratory for quantum information technology, cybersecurity, and information sciences. The National Institute of Standards (NIST) leads the QED-C, […]

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

ROME — The Air Force Research Laboratory in Rome (Rome Lab) will be the U.S. Department of Defense’s (DOD) leading representative on the quantum economic development consortium (QED-C).

Rome Lab serves as the lead Air Force Research Laboratory for quantum information technology, cybersecurity, and information sciences.

The National Institute of Standards (NIST) leads the QED-C, which was created by the 2018 National Quantum Initiative Act, the office of U.S. Senate Minority Leader Charles Schumer (D–N.Y.) announced on Nov. 8.

It also includes the Office of Science and Technology Policy, the U.S. Department of Energy (DOE), and the National Science Foundation (NSF) as other federal-government representatives.

In total, the QED-C has just under 100 member organizations, spanning from large corporate entities to schools and academic institutions to startup companies. The QED-C’s goal is to combine public and private expertise to advance the quantum computing industry in the U.S., and to identify research priorities and the best means of boosting the quantum workforce.

Schumer said that with Rome Lab’s research capabilities and expertise on quantum computing, it will play a “critical role” with the QED-C in “developing future innovation in quantum computing.”

“The race to innovation in quantum computing is proving to be the great scientific race of the 21st century, and Rome Lab is leading the pack. The impacts of falling behind international competitors like China and Russia when it comes to this emerging technology would be wide-ranging and severe — from our economic stability to our national security,” Schumer said in a statement. “Fortunately, through its addition to the quantum economic development consortium, Rome Lab will be on the scene to help prevent that from happening.”

Schumer explained that Rome Lab was selected to serve as the DOD’s lead representative on the QED-C because of how advanced its quantum research capabilities are in comparison to other DOD facilities.

Rome Lab has developed these capabilities, “thanks to yearly budgetary increases Schumer has fought to secure for the facility, specifically for its quantum computing research,” his office contended.

In the defense budgets for fiscal years 2018 and 2019, $243 million and $245 million, respectively, was allocated for Rome Lab’s operations and personnel. That funding included more than $13 million for Rome Lab to establish components of its Quantum Computing Center of Excellence. The Lab is using the funding to create an “Open Innovation Campus” where researchers from the Air Force, DOD, government, industry, small-business community, and academia can collaborate to solve different computing problems using quantum-computing technology.

This past year, Rome Lab announced a partnership with Oneida County to locate the “Open Innovation Campus” at Griffiss International Airport.

NYSTEC formally opens new corporate HQ at Griffiss Park

Regional News, Subscriber Only, Technology

ROME — NYSTEC in mid-October formally opened its new corporate headquarters at 99 Otis St. at Griffiss Business and Technology Park. NYSTEC executives, partners in government, and community members gathered to formally cut the ribbon and open the facility. The 32,110-square-foot building includes 16,779 square feet of space leased to NYSTEC, with the rest of

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

The New York SHIELD Act: What’s new under the state’s breach law?

Business Mentors, Law, Accounting & Taxes, Subscriber Only, Technology

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

On July 25 of this year, Gov. Andrew Cuomo signed into law the “Stop Hacks and Improve Electronic Data Security” Act, commonly known as the SHIELD Act. While the SHIELD Act has garnered some attention given the ever-increasing number of privacy breaches impacting New York residents and others throughout the country, N.Y. General Business Law § 899-aa, New York state’s breach law, has been on the books since 2005. The SHIELD Act’s amendments to Section 899-aa have given New York businesses more to which they should pay attention.

Previously, Section 899-aa explicitly applied to any entity conducting business in New York state that owned, licensed, or maintained computerized data. Under the SHIELD Act, the prerequisite of conducting business in New York state has been eliminated, even though the obligation to notify individuals impacted by a breach, or regulatory agencies that may intercede in the event of a breach, relates only to breaches affecting New Yorkers. In addition, the types of computerized data — called “private information” under Section 899-aa — that a business must safeguard have been expanded by the SHIELD Act. Private information now includes biometric data (e.g., fingerprints, voice prints, or retina scans) as well as combinations of information, such as user names and passwords, if the improper disclosure of such information could compromise an individual’s account.

Perhaps the biggest change under the SHIELD Act is the addition of Section 899-bb, which will require businesses that own or license computerized private information of New Yorkers to implement and maintain “reasonable safeguards” to protect that information. For entities required to comply with the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act, this may sound familiar, as federal regulations have required these industries to maintain reasonable security standards for years. In fact, entities that can demonstrate compliance with these laws or other New York State data security requirements, such as the New York Department of Finance cybersecurity regulations, will be deemed compliant for purposes of Section 899-bb. Entities that are not deemed compliant under other data-security rules must have a data-security program with administrative, technical and physical safeguards for computerized data in place by March 21, 2020. Small businesses have additional flexibility for developing their data-security programs based on their size, complexity and the sensitivity of the information they maintain. Small businesses are defined as those having fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets.

The SHIELD Act also brought about changes to reporting requirements for breaches of private information. Section 899-aa now includes an exception to the breach-notice requirement for inadvertent disclosures where the entity can demonstrate that exposure will not result in misuse of the information or financial or emotional harm to an individual. Such determinations must be documented by the entity and maintained for a period of five years. If an incident affects over 500 New Yorkers, the entity must provide its written determination to the New York State Attorney General within 10 days of making such a determination.

In the event a breach notice is required, it continues to be the case that the entity must provide notice to impacted New York residents as well as the New York State Attorney General, the State Police, and the Department of State’s Division of Consumer Protection. For breaches affecting more than 5,000 New Yorkers, notice is also required to consumer reporting agencies, as was the case prior to the SHIELD Act amendments. In addition, the attorney general must now receive notice of breaches that do not include “private information.” This raises the question whether entities must provide notice to the attorney general of breaches that do not involve computerized data. In addition, notices to individuals impacted by a breach must include contact information for state and federal agencies that provide information regarding security breach response and identity theft protection. Since this is not currently required for HIPAA breach notices to individuals, this is one area where health-care organizations may have to update their HIPAA breach-notification policies and templates.

Failure to comply with Sections 899-aa and 899-bb may be costly. While individuals do not have a right to bring a claim in court under this law, the attorney general may bring an action against an entity in the name of impacted New Yorkers. Knowing or reckless violations of the data-breach notification requirements could lead to civil penalties of $5,000, or up to $20 per instance of failed notification, capped at $250,000. Failure to comply with the data-security program requirements could lead to civil penalties of $5,000 per violation, though it is unclear what would constitute a single violation. While the civil penalties are not new, the amounts have increased, just as we expect to be the case with enforcement efforts under New York’s breach law. The changes to the breach-notification law went into effect on October 23, 2019; however, businesses have until March 21, 2020, to meet the new data-security program requirements.

Mary M. Miner is a partner and Andriy Troyanovych is an associate at the Syracuse–based law firm of Hancock Estabrook, LLP. Contact Miner at mminer@hancocklaw.com and contact Troyanovych at

atroyanovych@hancocklaw.com

Viewpoint: What Windows 7 End of Life Means for You

Business Mentors, Subscriber Only

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

It’s the end of an era: Microsoft has announced that Windows 7 will be put out to pasture after a venerable 10 years in operation. This means when Windows 7 reaches its end-of-life phase on Jan. 14, 2020, Microsoft will stop releasing updates and patches for the operating system. The widely popular operating system still has a huge user base, as it maintains 37 percent of the global market for Windows desktop and laptop systems, according to NetMarketShare. The biggest issue with continuing to use Windows 7 is that it won’t be patched for any new viruses or security problems once it enters end of life, and this leaves you extremely vulnerable to any emerging threats.

On the downside, Windows 7 is running on many mission-critical systems, such as a majority of the voting machines in the United States as well as PCs used by the UK’s National Health Service. Many businesses still rely on Windows 7 for their day-to-day operations, and may fear that the announcement of its end of life will mean more headaches. If you’re still running Windows 7, the good news is that end of life isn’t the end of the world: there are several precautions that can be taken to ensure the security of your data and maintain the functionality of your operating system until you upgrade.

Security concerns

If a large number of people continue to use Windows 7 after the end-of-life date, that could actually be a big incentive for malicious users to target viruses and other nasties at Windows 7 users. Since the end-of-life process means that Microsoft will stop patching bugs and security holes, it is not unlikely for hackers to start targeting computers that don’t have the added support. Continuing to use Windows 7 after the end-of-life date will make users more vulnerable for hackers to exploit the weak points no longer being supervised by Microsoft. Large enterprises can apply for extended support contracts after the January 2020 date, but they will be charged a fee per device per year.

Exchange Server

If you use Microsoft Exchange for your email and calendar needs, note that Exchange Server 2010 will reach end of support. If you haven’t already begun your migration from Exchange 2010 to Office 365 or Exchange 2016, now is the time to start your planning.

When Exchange 2010 reaches its end of support on Oct. 13, 2020, Microsoft will no longer provide:

• Technical support for problems that may occur;

• Bug fixes for issues that are discovered and that may impact the stability and usability of the server;

• Security fixes for vulnerabilities that are discovered and that may make the server vulnerable to security breaches;

• Time-zone updates.

Solutions

If you are part of a business that uses Windows 7 across many computers, updating them all may seem daunting. To prioritize your update schedule, it is important to take stock of which computers are most at-risk for data breaches. Take an inventory of each computer and note which ones are connected to the public internet or sensitive data and which are used by system administrators — these factors all make computers running Windows 7 more vulnerable and should be addressed first.

If you’re still using Windows 7, you should immediately upgrade to Windows 10, which is the current Windows version. Released in 2015, Windows 10 supports apps that can be used across multiple devices, including PCs, tablets, and smartphones. It also supports touchscreen, keyboard, and mouse-input methods. Additionally, Windows 10 is faster than Windows 7 and provides a number of other useful benefits.

Kevin Blake is president and CEO of ICS, an information-technology (IT) support firm with offices in the greater Binghamton, Syracuse, and Ithaca areas.

Breaking Down the New York SHIELD Act

Business Mentors, Subscriber Only

N ew York’s new Stop Hacks and mprove Electronic Data Security SHIELD) Act is broadening the state’s security breach notification requirements (899-AA) and requiring businesses to implement reasonable administrative, technical, and physical safeguards for New York residents’ private information (899-BB). Signed by Gov. Andrew Cuomo on July 26, 2019, SHIELD’s breach-notification requirements took effect in

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

ew York’s new Stop Hacks and

mprove Electronic Data Security

SHIELD) Act is broadening the state’s security breach notification requirements (899-AA) and requiring businesses to implement reasonable administrative, technical, and physical safeguards for New York residents’ private information (899-BB). Signed by Gov. Andrew Cuomo on July 26, 2019, SHIELD’s breach-notification requirements took effect in October of this year, with safeguard requirements due by March 2020.

Why the SHIELD Act is needed

The updated breach-notification law was designed to “keep pace with current technology.” And if we look at technology’s current state, that’s easily understood.

Organizations have seen a digital transformation over the past few years as workloads move from on-premise to multiple cloud services, including software (SaaS), platform (PaaS), and infrastructure (IaaS). Data is being transferred and dispersed — and the attack surface broadened — making information containment and control much more challenging.

The threat landscape has changed dramatically. Hackers are taking advantage of advanced technologies — such as artificial intelligence, machine learning, and data analytics — to build new capabilities, including shapeshifter malware with the ability to analyze network defenses and modify malicious code on the fly to circumvent those defenses.

Cybercrime economics statistics are staggering, with $6 trillion in annual global losses expected by 2021. For New York State, the cost of a lost record is $148, up 4.8 percent from 2018, and the average recovery cost from a breach stands at $3.86 million.

So, the need for the new SHIELD Act is evident in the numbers.

When the SHIELD Act applies

The SHIELD Act applies to any person or business that owns or licenses computerized data that includes a New York resident’s private information. And not just those that conduct business within New York state.

The law applies to both regulated and unregulated companies, but “without imposing duplicate obligations on those already subject to other federal or New York State data security regulations.” That means if a person or company (the Department of Financial Services, for example) is already regulated by existing New York or federal data regulations (including the Gramm-Leach-Bliley Act or HIPAA), they should already have the appropriate level of controls in place to be considered compliant with the SHIELD Act. However, companies should keep in mind that those controls must be applied to any additional data types included in the SHIELD Act.

Protected private information for New York residents includes:

• User names or email addresses in combination with a password or security question and answer that would permit access to an online account

• A name or other information that can be used to identify a specific person, in combination with any of the following:

– Social Security number

– Driver’s license number or non-driver identification card number

– Account, credit, or debit-card number in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account

– Account, credit, or debit-card number, if the number could be used to access an individual’s financial account without additional identifying information, security code, access code or password

– Biometric information, specifically data generated by electronic measurements of an individual’s unique physical characteristics, including fingerprint, voiceprint, or retina or iris image, or other unique physical representation or digital representations used to authenticate an individual’s identity.

Defining a breach

Prior versions of the law defined a breach as the unauthorized acquisition of private information. A breach only needed to be reported if you were confident information was exfiltrated from the network.

Starting Oct. 23, the SHIELD Act expanded the definition of a breach to include any unauthorized access to private or personal information. Now, any unauthorized viewing of private or personal information is considered a breach and requires notification to the attorney general, even if there is no evidence the data was removed.

Security requirements

The SHIELD Act requires organizations to develop, implement, and maintain “reasonable” administrative, technical, and physical safeguards to protect and securely dispose of New York residents’ private information. However, the requirements read more like mission statements than specific control requirements, so here’s an attempt at translating the requirements into high-level action plans for organizations.

Administrative safeguards

• Designate one or more employees to coordinate the security program: assign security responsibility, appoint or outsource CISO

• Identify reasonably foreseeable internal and external risk: develop a risk-management plan

• Assess the sufficiency of safeguards in place to control the identified risks: perform a gap analysis to identify deficiencies and develop a plan of action for remediation

• Train and manage employees in security program practices and procedures: implement a training program aligned with organization policies and procedures, security reminders and user testing

• Select service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract: develop a third-party security audit and contractual process for onboarding service providers and for ongoing safeguard evaluation

• Adjust the security program in light of business changes or new circumstances: implement change management

Technical safeguards

• Assess risks in network and software design: vulnerability management, including authenticated scans of external and internal network assets

• Assess risks in information processing, transmission and storage: monitor data flows and boundary defenses

• Detect, prevent, and respond to attacks or system failures: develop a documented incident-response plan

• Regularly test and monitor the effectiveness of key controls, systems, and procedures: develop an internal-audit process

Physical safeguards

• Assess risks of information storage and disposal: develop storage-media policies and procedures

• Detect, prevent and respond to intrusions: again, develop a documented incident-response plan

• Protect against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information: implement access-control policies and procedures

• Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so the information cannot be read or reconstructed: develop documented data retention and media disposal policy

Fines and penalties

The penalties for violating the SHIELD Act are somewhat murky. The state attorney general may prosecute the offending organization if it fails to implement reasonable administrative, technical and physical safeguards to secure New York residents’ private or personal information.

If an organization fails to comply with the SHIELD Act’s breach notification requirements, the attorney general may impose a civil penalty of the greater of $5,000 or $20 per instance of failed notification, with a new ceiling of $250,000 — twice the previous penalty.

The March 23 deadline is quickly approaching, and for organizations that are starting at square one, getting to compliance with the SHIELD Act is going to require a substantial effort. The clock is ticking. Go.

Michael Montagliano is the chief technology officer at iV4 (www.iv4.com), an IT consulting, support, and professional services firm with offices in Fairport, Syracuse, and Amherst. Contact him at mmontagliano@iv4.com

Ithaca startup wins $50K in FuzeHub commercialization competition

Subscriber Only

An Ithaca startup won $50,000 in prize money in FuzeHub’s commercialization competition held Nov. 18-19 in Albany. FuzeHub is an Albany–based nonprofit organization that works to help small- to medium-sized manufacturing companies in New York. The Jeff Lawrence manufacturing-innovation fund, which FuzeHub administers, provided the award funding. Halomine, Inc. of Ithaca is “developing antimicrobial products to

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

New York milk production rises almost 2 percent

Subscriber Only

New York dairy farms produced 1.26 billion pounds of milk in October, up 1.8 percent from 1.24 billion pounds in the year-ago period, the USDA’s National Agricultural Statistics Service (NASS) recently reported. Production per cow in the state averaged 2,015 pounds in October, up 1 percent from 1,995 pounds a year prior. The number of milk cows

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

Community Bank System appoints MacPherson as new independent director

Banks & Credit Unions, Subscriber Only

DeWITT — Community Bank System, Inc. (NYSE: CBU) recently announced that its board of directors has appointed Kerrie D. MacPherson as a new independent director. MacPherson previously served as a senior partner at Ernst & Young, LLP (EY). She started as an auditor and served in leadership roles in transaction advisory services in EY’s New

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

ConMed to pay Q4 dividend of 20 cents a share in early January

Manufacturing & Engineering, Subscriber Only

UTICA — ConMed Corp. (NASDAQ: CNMD), a Utica–based surgical-device maker, recently announced that its board of directors has declared a quarterly cash dividend of 20 cents a share for the fourth quarter. The dividend will be payable on Jan. 7 to all shareholders of record as of Dec. 13. At the company’s current stock price,

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

MVHS appoints Fatuik as new nurse manager

Employee Benefits & Human Resources, Health Care, Nonprofits, People on the Move, Regional News

UTICA, N.Y. — The Mohawk Valley Health System (MVHS) announced it has named Christine Fatiuk nurse manager of the AC 3 unit at its St.

Get our email updates

Stay up-to-date on the companies, people and issues that impact businesses in Syracuse, Central New York and beyond.

Get our email updates

What's New

Upcoming Events

Greater Binghamton Chamber of Commerce Connect Over Lunch

CNYSME Networking Happy Hour

2025 Engaging Electeds: Summer Soiree

CNYBJ Job Board

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get our email updates