As reported last week, a state-sponsored hacker may have breached multiple U.S. government networks through a widely used software product offered by SolarWinds. The compromised product, known as Orion, helps organizations manage their networks, servers, and networked devices. The hacker concealed malware inside a software update that, when installed, allowed the hacker to perform reconnaissance, elevate user privileges, move laterally into other environments, and compromise the organization’s data.
The developing coronavirus pandemic affects businesses and personnel within the state and elsewhere. With more New Yorkers working from home and public concern growing each day, there are more opportunities for cyberattacks through unsecured remote connections.
The New York SHIELD (“Stop Hacks and Improve Electronic Data Security”) Act was signed into law on July 25, 2019. It is an amendment to New York’s data breach notification law. The SHIELD Act makes a number of changes that we reported last year, including expanding the definitions of “private information” and “breach.” The definition of “private information” now covers emails and passwords or security questions and answers, credit card details, and biometric data, among others. A “breach of the security system” now covers unauthorized access, where such access may have occurred if “the information was viewed, communicated with, used, or altered” without authorization.