How Do We Keep Our Democracy Healthy?
Representative democracy is based on a simple premise. It’s that ordinary citizens can make satisfactory judgments on complex public policy and political issues — or at least grasp them well enough to decide who should be dealing with them.
But the significance of that premise isn’t simple at all. It means that our country’s future depends on the quality of democratic participation by its citizens. Collectively, we have to make discriminating judgments about politicians, policies, and issues. Not just once, but repeatedly and consistently. Moreover, when it comes to improving our own corner of the world, it means there is no one to depend upon but ourselves.
So, in an era when our democracy appears to be under great stress, what must we do to keep it healthy? Because there are certainly alternatives out there, from out-and-out authoritarianism to the Chinese and Russian models to just plain anarchy. Here are some steps I think we need to take.
First, we have to protect our elections. It’s clear that malign actors want to hack them or at least use every means they can to influence them. In the past we tended to assume that our elections were free, fair, and accurate, but we can’t take that for granted any more. This also means ensuring the independence of the judicial branch, which is critical to protecting the integrity of elections against the encroachment of authoritarian-minded leaders and manipulative politicians. We also must protect the media and sources of fair, unbiased information that citizens require when making their judgements about politicians and their policies.
Second, we need to work on expanding our democracy in appropriate ways and on fighting off efforts to restrict the vote. There are all sorts of tools that states and localities can use to make voting easier and more convenient. Many of these tools — voting hours, for instance, or the location of polling places — can also be used to make voting more difficult. Plenty of politicians want to handicap or exclude voters they don’t like, and this sort of manipulation of our system is as big a threat to its integrity as outsiders’ attempts to hack it.
Third, keeping money’s role in elections within bounds is crucial. The issue is less top-of-mind than it used to be, perhaps because we’ve become inured to record amounts being spent each election cycle. Money will always have a place in elections, but we need to find ways to keep it from disproportionately affecting voting outcomes and impeding those who don’t have the same access to funds as well-heeled candidates and causes.
This is where organizations that urge their members to turn out to vote come in. They have an important role to play, both in boosting turnout and in building networks focused on democratic participation. They’re all “special interests,” of course, with their own agendas, but that’s what it means to live in a pluralistic society. The more different groups are active, the more diversity you get in office and the better the representation you get for the entire population.
Individual participation also matters, which is why civic education is vital. I don’t think we talk about the achievements of representative democracy enough, or celebrate its heritage, or remind ourselves not to become complacent about what it takes to sustain it. In essence, I think we always need to be mindful about how we teach and encourage people to participate — through efforts to educate and register voters, through citizen-led advocacy, through neighbors getting together to change the speed limit on their road or fight groundwater contamination — it all matters. And, of course, we need a robust and independent media, using every available platform, that pushes the idea of democracy and promotes free speech, public dialogue, voting, and all the rest of it.
When Lincoln wondered at Gettysburg whether a “nation so conceived and so dedicated can long endure,” it wasn’t just a rhetorical question. It’s an undecided one, and each generation has to answer it. We are being tested to an unusual degree today, and just because we’ve come through the challenges of days past doesn’t mean we’re destined to now. We need to pay attention and do our part to keep our democracy healthy.
Lee Hamilton, 88, is a senior advisor for the Indiana University (IU) Center on Representative Government, distinguished scholar at IU Hamilton Lugar School of Global and International Studies, and professor of practice at the IU O’Neill School of Public and Environmental Affairs. Hamilton, a Democrat, was a member of the U.S. House of Representatives for 34 years (1965-1999), representing a district in south central Indiana.

Le Moyne College wants to help fill open jobs in cybersecurity
SYRACUSE — A professor at Le Moyne College says the U.S. has a lot of available jobs in cybersecurity and not enough people to fill them.
James Enwright, professor of practice in cybersecurity, pointed to data on website Cyberseek.org, which indicated that the U.S. has more than half a million job openings in cybersecurity nationwide, including 500 openings in the Syracuse area alone.
The number of employees currently working in cybersecurity in the U.S. totaled 997,000 based on the latest results, with 504,000 open jobs in the sector.
“So one-third of all cybersecurity positions are currently open. That is a huge problem … finding people who can do the job, that have the basic skills,” he adds.
Le Moyne College started its bachelor’s degree program in cybersecurity in 2017. It currently has 28 students enrolled as cybersecurity majors. About 10 students also have a minor in the same topic.
Careers in the field can be lucrative, starting right out of school.
“I think as parents hear the average starting salary for a security analyst is $85,000 they’re going to be more motivated to potentially push their kids … toward this degree because it’s job security,” says Enwright who spoke with CNYBJ on Nov. 20 in his Le Moyne office.
With a cybersecurity degree, graduates can pursue jobs that include forensic investigator, computer crime investigator, auditor, chief security officer, ethical hacker, security engineer, risk manager, system and network administrator, cybersecurity analyst (compliance and governance), and cybersecurity attorney, per the degree program’s page on the Le Moyne College website.
Enwright noted that entry-level positions available in the sector include security analyst, information-security analyst, and security engineer.
“These are basic jobs where students will get in in an entry level at an organization and a lot of what they’re doing is … what the business needs. If it’s a small business, they could be wearing multiple hats. If it’s a much larger organization, [the job duties] can be very specific,” says Enwright.
Interdisciplinary
Enwright says a lot of people believe that you need to be “incredibly technical” to get into cybersecurity, but “you really don’t.”
For example, you can become an attorney and focus on cybersecurity law. “And there’s a number of new laws and regulations that are currently being passed with regard to cybersecurity,” he notes.
Le Moyne says its cybersecurity degree program is “interdisciplinary,” drawing from computer science, political science, anthropology, criminology, and sociology. The program emphasizes skills such as critical thinking and communications.
The program offers three different tracks that a student can pursue, according to Enwright. They include the information and systems security track, which focuses more on the technical side of cybersecurity. It also has a crime, society, and culture track, which focuses on criminology and societal impacts. The program also has a policy and law track, which examines topics such as cyberwarfare and the legal aspects of cybersecurity.
“Any students that come through, will get a flavor of all three of those areas,” says Enwright.
Defining cybersecurity
Enwright defines cybersecurity, or information security, as “the act of protecting of our data and systems with regard to confidentiality, integrity, and availability [or CIA].”
“So, we call that in the cybersecurity world the CIA triad,” he added.
He went on to explain that confidentiality is the act of protecting data to ensure that the data or the systems are not accessed by anybody that’s not authorized.
“So, when you think confidentiality, think a data breach … getting hacked, losing credit card numbers,” he notes.
Integrity is making sure that the data is not manipulated or corrupt and the data is reliable. He suggests, when you think integrity, it’s almost like a bank-account number because the data “can be relied on.” Imagine, he says, if your bank-account number was switched with your social-security number (or something that represented you) and you couldn’t rely on that data anymore. “That’s an issue with integrity,” he says.
The last part, he says, is availability, or making sure that the data is available when you need it. When you think of attacks against availability, Enwright says think of a denial of service attack, or when somebody targets a network to try to take down a web server.
Availability also means having the data when you need it. A ransomware attack, he says, is a type of attack that targets availability. Those happen when somebody gets on your network and encrypts your data or your system, so that you no longer have access to it. When they encrypt it, there’s usually a key associated with it. You pay the attackers a ransom and they’ll give you the key that allows you to unlock or decrypt your data.

CMMI appraisal could boost AIS’s pursuit of bigger contracts
ROME — Assured Information Security (AIS) says its cross domain virtualization solutions (CDVS) group has been appraised at level 3 in the “maturity” of its software-development process.
AIS is a cyber- and information-security firm founded and headquartered in Rome. It also operates offices in Syracuse and Rochester, and a few locations outside New York state as well, per its website.
The appraisal was made by the Capability Maturity Model Integration (CMMI) Institute, AIS announced on Nov. 8. CMMI is a program based at Carnegie Mellon University in Pittsburgh, Pennsylvania.
“CMMI is often a requirement for government contractors, and the [bigger] you get … it’s one of the ways that you can prove that you have a mature software-development process,” says Adam Hovak, operations manager for the CDVS group at AIS. “So, we’ll be eligible to go after larger contracts … that we weren’t eligible for in the past.” He spoke with CNYBJ on Nov. 25.
CMMI is a “process-improvement approach that provides organizations with the essential elements of effective processes that ultimately improve their performance,” AIS explains.
The CMMI Institute “enables organizations to elevate and benchmark performance across a range of critical business capabilities,” including cybersecurity, product development, service excellence, workforce management, data management, and supplier management, per its website.
“[The level 3 appraisal] means that we are investing in the future of our software-development maturity,” says Hovak. “It just shows the company’s commitment to quality.”
AIS was rated at level 2 in 2018 so advancing to a level 3 rating was a “natural next step for us,” per Hovak.
AIS provides government and commercial customers with cybersecurity capabilities and services such as research, development, consulting, testing, forensics, remediation and training.
The AIS CDVS group has about 55 employees total — working in Rome and offices in Maryland, Boston, and Denver, according to Hovak.
“We develop cross-domain solutions as well as develop commercial products as well as perform research and development for the government,” says Hovak. “Cross domain is protecting the information transfer, or information sharing, between domains.”
The CDVS group worked with Waterford, Michigan–based Broadsword Solutions in pursuing the new appraisal level. Broadsword Solutions specializes in “performance innovation and process improvement,” AIS says.
Broadsword provided agileCMMI workshops, coaching, and consulting services to help AIS reach its capability goals. As AIS describes it, agileCMMI uses methods such as incremental delivery and continuous build and collaboration, applying the same techniques used when writing software to “deploy process and help engineers embrace process.”

Cybersecurity state panel adds members, working to secure New York elections
Five new members, described as “leading experts” in cybersecurity, have joined Gov. Andrew Cuomo’s cybersecurity advisory board, the governor announced in mid-November.
In addition, Cuomo directed the board to assess the threats to the “security and integrity” of New York elections and recommend steps to bolster election security.
“We must face our new reality: election tampering is now one of the biggest threats to our democracy,” Cuomo said in a statement. “I welcome these new board members who will strengthen existing cybersecurity protections and help maintain integrity in New York’s electoral process.”
Cuomo first created the cybersecurity advisory board in 2013. The board includes cybersecurity experts who advise the administration and make recommendations for protecting the state’s infrastructure and information systems. New appointments to the board include experts in cybersecurity and electoral security.
Given the “continued threat of foreign interference,” Cuomo is again directing the advisory board to review New York’s current cybersecurity programs and offices and make recommendations that will improve New York’s security and resiliency.
Board leaders, new members
The board is led by co-chairs Linda Lacewell, superintendent of the New York Department of Financial Services; Jeremy Shockett, New York deputy secretary for public safety; and William Pelgrin, CEO and co-founder, CyberWA, Inc.
The new board members are the following people (with biographical descriptions provided by the governor’s office):
• Luke Dembosky is a partner at the New York City–based law firm Debevoise Plimpton, where he is co-chair of the firm’s cybersecurity & data privacy practice and a member of the white collar & regulatory defense group. Dembosky previously served as a federal prosecutor, most recently as the deputy assistant attorney general for national security at the U.S. Department of Justice, where he oversaw all national security cyber cases.
• Eric Friedberg has 30 years of public and private-sector experience in law, cyber-incident response, cyber-governance, information-technology security, forensics, investigations, and e-discovery. He is co-president of New York City–based Stroz Friedberg, a cyber consultancy and technical services firm acquired by Aon in 2016, and of Aon’s Cyber Solutions, its cyber risk management division.
• Justin Herring is the executive deputy superintendent for the cybersecurity division at the New York Department of Financial Services, where he oversees the department’s cybersecurity regulation for the financial industry. He previously served as a senior cybercrimes prosecutor with the U.S. Department of Justice.
• Erez Liebermann served for a decade as prosecutor at the U.S. Department of Justice, where he led the prosecutions of cyber and white-collar criminals. He is now chief counsel, cybersecurity and privacy; and vice president, regulatory law, at Prudential Financial, where he built one of the first cybersecurity and privacy legal teams in a Fortune 500 company and oversees cyber investigations. He was an aerospace engineer prior to law school.
• Debora Plunkett served for decades at the National Security Agency (NSA), where she was senior advisor to the director of the NSA and director of information assurance. She is principal of Plunkett Associates, a cybersecurity consulting business. Since 2016, Plunkett has been a senior fellow in the digital democracy project, launched by the Belfer Center for Science and International Affairs at Harvard’s Kennedy School of Government, providing security advice to campaigns.

Rome Lab selected for quantum economic development consortium
ROME — The Air Force Research Laboratory in Rome (Rome Lab) will be the U.S. Department of Defense’s (DOD) leading representative on the quantum economic development consortium (QED-C).
Rome Lab serves as the lead Air Force Research Laboratory for quantum information technology, cybersecurity, and information sciences.
The National Institute of Standards and Technology (NIST) leads the QED-C, which was created by the 2018 National Quantum Initiative Act, the office of U.S. Senate Minority Leader Charles Schumer (D–N.Y.) announced on Nov. 8.
It also includes the Office of Science and Technology Policy, the U.S. Department of Energy (DOE), and the National Science Foundation (NSF) as other federal-government representatives.
In total, the QED-C has just under 100 member organizations, spanning from large corporate entities to schools and academic institutions to startup companies. The QED-C’s goal is to combine public and private expertise to advance the quantum computing industry in the U.S., and to identify research priorities and the best means of boosting the quantum workforce.
Schumer said that with Rome Lab’s research capabilities and expertise on quantum computing, it will play a “critical role” with the QED-C in “developing future innovation in quantum computing.”
“The race to innovation in quantum computing is proving to be the great scientific race of the 21st century, and Rome Lab is leading the pack. The impacts of falling behind international competitors like China and Russia when it comes to this emerging technology would be wide-ranging and severe — from our economic stability to our national security,” Schumer said in a statement. “Fortunately, through its addition to the quantum economic development consortium, Rome Lab will be on the scene to help prevent that from happening.”
Schumer explained that Rome Lab was selected to serve as the DOD’s lead representative on the QED-C because of how advanced its quantum research capabilities are in comparison to other DOD facilities.
Rome Lab has developed these capabilities, “thanks to yearly budgetary increases Schumer has fought to secure for the facility, specifically for its quantum computing research,” his office contended.
In the defense budgets for fiscal years 2018 and 2019, $243 million and $245 million, respectively, were allocated for Rome Lab’s operations and personnel. That funding included more than $13 million for Rome Lab to establish components of its Quantum Computing Center of Excellence. The Lab is using the funding to create an “Open Innovation Campus” where researchers from the Air Force, DOD, government, industry, small-business community, and academia can collaborate to solve different computing problems using quantum-computing technology.
This past year, Rome Lab announced a partnership with Oneida County to locate the “Open Innovation Campus” at Griffiss International Airport.

NYSTEC formally opens new corporate HQ at Griffiss Park
ROME — NYSTEC in mid-October formally opened its new corporate headquarters at 99 Otis St. at Griffiss Business and Technology Park. NYSTEC executives, partners in government, and community members gathered to formally cut the ribbon and open the facility.
The 32,110-square-foot building includes 16,779 square feet of space leased to NYSTEC, with the rest of the building leased to Booz Allen Hamilton, according to a Mohawk Valley EDGE news release.
NYSTEC announced this past year that it would collaborate with Griffiss Local Development Corporation (GLDC) to allow for further expansion and increased employment at Griffiss Park. The company, which expects to double its Rome–based employment over the next three years, had outgrown its previous corporate headquarters.
NYSTEC employs more than 185 data scientists, network engineers, cybersecurity experts, business-transformation consultants, and internal-service specialists across New York state, per the release. In addition, NYSTEC regularly supplements its core employees with diverse and small-business suppliers, working with nearly 70 New York state technology companies.
The construction of the two-story building cost more than $8.5 million. NYSTEC’s new corporate headquarters is located at the southwest corner of Hangar Road at the Otis Street intersection, next to the Air Force Research Laboratory (AFRL). The building is owned by 99 Otis Street, LLC (a subsidiary of GLDC and NYSTEC), which had purchased a five-acre land parcel from GLDC, the developer of the facility.
Empire State Development provided a $1.1 million grant to GLDC to support this job-creating project. New York State also supported the project with military base redevelopment funds.

The New York SHIELD Act: What’s new under the state’s breach law?
On July 25 of this year, Gov. Andrew Cuomo signed into law the “Stop Hacks and Improve Electronic Data Security” Act, commonly known as the SHIELD Act. While the SHIELD Act has garnered some attention given the ever-increasing number of privacy breaches impacting New York residents and others throughout the country, N.Y. General Business Law § 899-aa, New York state’s breach law, has been on the books since 2005. The SHIELD Act’s amendments to Section 899-aa have given New York businesses more to which they should pay attention.
Previously, Section 899-aa explicitly applied to any entity conducting business in New York state that owned, licensed, or maintained computerized data. Under the SHIELD Act, the prerequisite of conducting business in New York state has been eliminated, even though the obligation to notify individuals impacted by a breach, or regulatory agencies that may intercede in the event of a breach, relates only to breaches affecting New Yorkers. In addition, the types of computerized data — called “private information” under Section 899-aa — that a business must safeguard have been expanded by the SHIELD Act. Private information now includes biometric data (e.g., fingerprints, voice prints, or retina scans) as well as combinations of information, such as user names and passwords, if the improper disclosure of such information could compromise an individual’s account.
Perhaps the biggest change under the SHIELD Act is the addition of Section 899-bb, which will require businesses that own or license computerized private information of New Yorkers to implement and maintain “reasonable safeguards” to protect that information. For entities required to comply with the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act, this may sound familiar, as federal regulations have required these industries to maintain reasonable security standards for years. In fact, entities that can demonstrate compliance with these laws or other New York State data security requirements, such as the New York Department of Finance cybersecurity regulations, will be deemed compliant for purposes of Section 899-bb. Entities that are not deemed compliant under other data-security rules must have a data-security program with administrative, technical and physical safeguards for computerized data in place by March 21, 2020. Small businesses have additional flexibility for developing their data-security programs based on their size, complexity and the sensitivity of the information they maintain. Small businesses are defined as those having fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets.
The SHIELD Act also brought about changes to reporting requirements for breaches of private information. Section 899-aa now includes an exception to the breach-notice requirement for inadvertent disclosures where the entity can demonstrate that exposure will not result in misuse of the information or financial or emotional harm to an individual. Such determinations must be documented by the entity and maintained for a period of five years. If an incident affects over 500 New Yorkers, the entity must provide its written determination to the New York State Attorney General within 10 days of making such a determination.
In the event a breach notice is required, it continues to be the case that the entity must provide notice to impacted New York residents as well as the New York State Attorney General, the State Police, and the Department of State’s Division of Consumer Protection. For breaches affecting more than 5,000 New Yorkers, notice is also required to consumer reporting agencies, as was the case prior to the SHIELD Act amendments. In addition, the attorney general must now receive notice of breaches that do not include “private information.” This raises the question whether entities must provide notice to the attorney general of breaches that do not involve computerized data. In addition, notices to individuals impacted by a breach must include contact information for state and federal agencies that provide information regarding security breach response and identity theft protection. Since this is not currently required for HIPAA breach notices to individuals, this is one area where health-care organizations may have to update their HIPAA breach-notification policies and templates.
Failure to comply with Sections 899-aa and 899-bb may be costly. While individuals do not have a right to bring a claim in court under this law, the attorney general may bring an action against an entity in the name of impacted New Yorkers. Knowing or reckless violations of the data-breach notification requirements could lead to civil penalties of $5,000, or up to $20 per instance of failed notification, capped at $250,000. Failure to comply with the data-security program requirements could lead to civil penalties of $5,000 per violation, though it is unclear what would constitute a single violation. While the civil penalties are not new, the amounts have increased, just as we expect to be the case with enforcement efforts under New York’s breach law. The changes to the breach-notification law went into effect on October 23, 2019; however, businesses have until March 21, 2020, to meet the new data-security program requirements.
Mary M. Miner is a partner and Andriy Troyanovych is an associate at the Syracuse–based law firm of Hancock Estabrook, LLP. Contact Miner at mminer@hancocklaw.com and contact Troyanovych at atroyanovych@hancocklaw.com.

Viewpoint: What Windows 7 End of Life Means for You
It’s the end of an era: Microsoft has announced that Windows 7 will be put out to pasture after a venerable 10 years in operation. This means when Windows 7 reaches its end-of-life phase on Jan. 14, 2020, Microsoft will stop releasing updates and patches for the operating system. The widely popular operating system still has a huge user base, as it maintains 37 percent of the global market for Windows desktop and laptop systems, according to NetMarketShare. The biggest issue with continuing to use Windows 7 is that it won’t be patched for any new viruses or security problems once it enters end of life, and this leaves you extremely vulnerable to any emerging threats.
On the downside, Windows 7 is running on many mission-critical systems, such as a majority of the voting machines in the United States as well as PCs used by the UK’s National Health Service. Many businesses still rely on Windows 7 for their day-to-day operations, and may fear that the announcement of its end of life will mean more headaches. If you’re still running Windows 7, the good news is that end of life isn’t the end of the world: there are several precautions that can be taken to ensure the security of your data and maintain the functionality of your operating system until you upgrade.
Security concerns
If a large number of people continue to use Windows 7 after the end-of-life date, that could actually be a big incentive for malicious users to target viruses and other nasties at Windows 7 users. Since the end-of-life process means that Microsoft will stop patching bugs and security holes, it is not unlikely that hackers will start targeting computers that lack that support. Continuing to use Windows 7 after the end-of-life date leaves users more exposed, because hackers can exploit weak points that Microsoft no longer fixes. Large enterprises can apply for extended support contracts after the January 2020 date, but they will be charged a fee per device per year.
Exchange Server
If you use Microsoft Exchange for your email and calendar needs, note that Exchange Server 2010 will reach end of support. If you haven’t already begun your migration from Exchange 2010 to Office 365 or Exchange 2016, now is the time to start your planning.
When Exchange 2010 reaches its end of support on Oct. 13, 2020, Microsoft will no longer provide:
• Technical support for problems that may occur;
• Bug fixes for issues that are discovered and that may impact the stability and usability of the server;
• Security fixes for vulnerabilities that are discovered and that may make the server vulnerable to security breaches;
• Time-zone updates.
Solutions
If you are part of a business that uses Windows 7 across many computers, updating them all may seem daunting. To prioritize your update schedule, it is important to take stock of which computers are most at-risk for data breaches. Take an inventory of each computer and note which ones are connected to the public internet or sensitive data and which are used by system administrators — these factors all make computers running Windows 7 more vulnerable and should be addressed first.
If you’re still using Windows 7, you should immediately upgrade to Windows 10, which is the current Windows version. Released in 2015, Windows 10 supports apps that can be used across multiple devices, including PCs, tablets, and smartphones. It also supports touchscreen, keyboard, and mouse-input methods. Additionally, Windows 10 is faster than Windows 7 and provides a number of other useful benefits.
Kevin Blake is president and CEO of ICS, an information-technology (IT) support firm with offices in the greater Binghamton, Syracuse, and Ithaca areas.
Breaking Down the New York SHIELD Act
New York’s new Stop Hacks and Improve Electronic Data Security (SHIELD) Act is broadening the state’s security breach notification requirements (899-AA) and requiring businesses to implement reasonable administrative, technical, and physical safeguards for New York residents’ private information (899-BB). Signed by Gov. Andrew Cuomo on July 26, 2019, SHIELD’s breach-notification requirements took effect in October of this year, with safeguard requirements due by March 2020.
Why the SHIELD Act is needed
The updated breach-notification law was designed to “keep pace with current technology.” And if we look at technology’s current state, that’s easily understood.
Organizations have seen a digital transformation over the past few years as workloads move from on-premise to multiple cloud services, including software (SaaS), platform (PaaS), and infrastructure (IaaS). Data is being transferred and dispersed — and the attack surface broadened — making information containment and control much more challenging.
The threat landscape has changed dramatically. Hackers are taking advantage of advanced technologies — such as artificial intelligence, machine learning, and data analytics — to build new capabilities, including shapeshifter malware with the ability to analyze network defenses and modify malicious code on the fly to circumvent those defenses.
Cybercrime economics statistics are staggering, with $6 trillion in annual global losses expected by 2021. For New York State, the cost of a lost record is $148, up 4.8 percent from 2018, and the average recovery cost from a breach stands at $3.86 million.
So, the need for the new SHIELD Act is evident in the numbers.
When the SHIELD Act applies
The SHIELD Act applies to any person or business that owns or licenses computerized data that includes a New York resident’s private information, not just those that conduct business within New York state.
The law applies to both regulated and unregulated companies, but “without imposing duplicate obligations on those already subject to other federal or New York State data security regulations.” That means if a person or company (the Department of Financial Services, for example) is already regulated by existing New York or federal data regulations (including the Gramm-Leach-Bliley Act or HIPAA), they should already have the appropriate level of controls in place to be considered compliant with the SHIELD Act. However, companies should keep in mind that those controls must be applied to any additional data types included in the SHIELD Act.
Protected private information for New York residents includes:
• User names or email addresses in combination with a password or security question and answer that would permit access to an online account
• A name or other information that can be used to identify a specific person, in combination with any of the following:
– Social Security number
– Driver’s license number or non-driver identification card number
– Account, credit, or debit-card number in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account
– Account, credit, or debit-card number, if the number could be used to access an individual’s financial account without additional identifying information, security code, access code or password
– Biometric information, specifically data generated by electronic measurements of an individual’s unique physical characteristics, including fingerprint, voiceprint, or retina or iris image, or other unique physical representation or digital representations used to authenticate an individual’s identity.
Defining a breach
Prior versions of the law defined a breach as the unauthorized acquisition of private information. A breach only needed to be reported if you were confident information was exfiltrated from the network.
Starting Oct. 23, the SHIELD Act expanded the definition of a breach to include any unauthorized access to private or personal information. Now, any unauthorized viewing of private or personal information is considered a breach and requires notification to the attorney general, even if there is no evidence the data was removed.
Security requirements
The SHIELD Act requires organizations to develop, implement, and maintain “reasonable” administrative, technical, and physical safeguards to protect and securely dispose of New York residents’ private information. However, the requirements read more like mission statements than specific control requirements, so here’s an attempt at translating the requirements into high-level action plans for organizations.
Administrative safeguards
• Designate one or more employees to coordinate the security program: assign security responsibility, appoint or outsource CISO
• Identify reasonably foreseeable internal and external risk: develop a risk-management plan
• Assess the sufficiency of safeguards in place to control the identified risks: perform a gap analysis to identify deficiencies and develop a plan of action for remediation
• Train and manage employees in security program practices and procedures: implement a training program aligned with organization policies and procedures, security reminders and user testing
• Select service providers capable of maintaining appropriate safeguards, and require those safeguards by contract: develop a third-party security audit and contractual process for onboarding service providers and for ongoing safeguard evaluation
• Adjust the security program in light of business changes or new circumstances: implement change management
Technical safeguards
• Assess risks in network and software design: vulnerability management, including authenticated scans of external and internal network assets
• Assess risks in information processing, transmission and storage: monitor data flows and boundary defenses
• Detect, prevent, and respond to attacks or system failures: develop a documented incident-response plan
• Regularly test and monitor the effectiveness of key controls, systems, and procedures: develop an internal-audit process
Physical safeguards
• Assess risks of information storage and disposal: develop storage-media policies and procedures
• Detect, prevent and respond to intrusions: again, develop a documented incident-response plan
• Protect against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information: implement access-control policies and procedures
• Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so the information cannot be read or reconstructed: develop documented data retention and media disposal policy
Fines and penalties
The penalties for violating the SHIELD Act are somewhat murky. The state attorney general may prosecute the offending organization if it fails to implement reasonable administrative, technical and physical safeguards to secure New York residents’ private or personal information.
If an organization fails to comply with the SHIELD Act’s breach notification requirements, the attorney general may impose a civil penalty of the greater of $5,000 or $20 per instance of failed notification, with a new ceiling of $250,000 — twice the previous penalty.
The March 23 deadline is quickly approaching, and for organizations that are starting at square one, getting to compliance with the SHIELD Act is going to require a substantial effort. The clock is ticking. Go.
Michael Montagliano is the chief technology officer at iV4 (www.iv4.com), an IT consulting, support, and professional services firm with offices in Fairport, Syracuse, and Amherst. Contact him at mmontagliano@iv4.com

Ithaca startup wins $50K in FuzeHub commercialization competition
An Ithaca startup won $50,000 in prize money in FuzeHub’s commercialization competition held Nov. 18-19 in Albany.
FuzeHub is an Albany–based nonprofit organization that works to help small- to medium-sized manufacturing companies in New York.
The Jeff Lawrence manufacturing-innovation fund, which FuzeHub administers, provided the award funding.
Halomine, Inc. of Ithaca is “developing antimicrobial products to tackle pathogens that are disrupting our food supply and health-care settings,” as described in a FuzeHub news release.
A firm from New York City won the $150,000 grand prize, while companies from Woodbury in Nassau County and three from Rochester also won $50,000 in prize money. During the competition, 18 finalists from across New York state pitched their products in front of a live audience. A panel of six industry experts selected the award recipients based on the commercialization potential of their technology.
About the competition
The commercialization competition was launched in 2017 to support pre-revenue businesses at a “specific stage in their product development.”
The firms must use their award money to produce or improve upon a working prototype, to enable the company to pursue additional investments and customers, leading to commercialization of their product.
The competition is part of the Jeff Lawrence Innovation Fund which supports activities designed to promote technology development and commercialization across New York State. The fund provides $1 million annually and is administered by FuzeHub, the statewide Manufacturing Extension Partnership (MEP) Center.
Lawrence, who died in 2015, was a top executive at the Albany–based Center for Economic Growth, the MEP Center for the Capital Region, and a supporter of New York manufacturing and entrepreneurial communities.