More advice on New York’s SHIELD Act
On June 20, 2022, the New York Attorney General (NYAG) announced a consent agreement (called an Assurance of Discontinuance) with the Northeastern grocery chain Wegmans for, among other things, violations of SHIELD Act requirements. Wegmans neither admits nor denies the NYAG’s findings.
In short, on April 5, 2021, a security researcher contacted Wegmans about a serious exposure that left some personal data of Wegmans customers publicly available. After receiving no response for a week, he tried again. This time Wegmans responded and confirmed he was right: a cloud storage container was misconfigured and open to the public, potentially exposing sensitive information. The container held a database backup file containing over three million records of customer email addresses and account passwords, the latter of which were hashed and salted. Wegmans concluded that the misconfiguration was introduced when the container was set up with the database in January 2018. During its investigation, Wegmans found a second misconfigured container, which was also open to the public. This container held names, email addresses, postal addresses, and checksum values derived from driver’s license numbers. Wegmans believes this misconfiguration was likewise introduced when the container was set up with the database, this time in November 2018. Wegmans updated the container configurations to disallow public access on May 12, 2021 and has notified affected consumers.
The NYAG faulted Wegmans in five areas of security: access controls, password management, asset management, logging and monitoring, and data collection and retention. With respect to password management and data collection and retention, the consent agreement states:
Password management: At the time of the incident, the backup of the database containing customer email addresses and passwords contained more than 1.8 million passwords hashed using the SHA-1 hashing algorithm. Given the shortcomings of SHA-1 hashing, Wegmans began switching users to the PBKDF2 hashing algorithm to secure passwords in 2016, but nonetheless continued to store passwords hashed with SHA-1 until January 2020. Users who logged in from 2016 onward would automatically have their password hash updated to use the PBKDF2 algorithm. However, if a user had not logged in between 2016 and the date the database backup file was created, their credentials would still have been stored in SHA-1 format.
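The mechanism the consent agreement describes is an upgrade-on-login migration: the plaintext password is only available at the moment a user authenticates, so that is the only point at which a legacy hash can be replaced, and accounts that never log in keep the old hash indefinitely. The following is an added illustration written for this article, not Wegmans’ code or any description of its systems; the account names, passwords, salt sizes and the PBKDF2 iteration count are constructed assumptions. It shows the lazy upgrade alongside the audit a practitioner would want: a count of accounts still on the legacy algorithm, which is the number that never reaches zero without a forced reset or expiry of dormant accounts.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict

# Assumption: demo iteration count kept low for speed; production should follow
# current guidance for PBKDF2-HMAC-SHA256 work factors.
PBKDF2_ITERATIONS = 100_000


@dataclass
class Record:
    """One stored credential. algo is 'sha1' (legacy) or 'pbkdf2'."""
    algo: str
    salt: bytes
    digest: bytes
    iterations: int = 0


def _sha1(salt: bytes, password: str) -> bytes:
    # Legacy scheme: a single salted SHA-1 pass (fast to compute, hence weak).
    return hashlib.sha1(salt + password.encode()).digest()


def _pbkdf2(salt: bytes, password: str, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_legacy_record(password: str) -> Record:
    salt = os.urandom(16)
    return Record("sha1", salt, _sha1(salt, password))


def make_pbkdf2_record(password: str) -> Record:
    salt = os.urandom(16)
    return Record("pbkdf2", salt, _pbkdf2(salt, password, PBKDF2_ITERATIONS), PBKDF2_ITERATIONS)


def login(store: Dict[str, Record], user: str, password: str) -> bool:
    """Verify a password and, on success, silently upgrade a legacy hash."""
    rec = store.get(user)
    if rec is None:
        return False
    if rec.algo == "sha1":
        candidate = _sha1(rec.salt, password)
    else:
        candidate = _pbkdf2(rec.salt, password, rec.iterations)
    # Constant-time comparison avoids leaking digest bytes via timing.
    if not hmac.compare_digest(candidate, rec.digest):
        return False
    if rec.algo == "sha1":
        # Only a successful login reveals the plaintext, so this is the one
        # moment the legacy hash can be replaced. A fresh salt is generated.
        store[user] = make_pbkdf2_record(password)
    return True


def legacy_accounts(store: Dict[str, Record]) -> list:
    """Audit helper: accounts whose stored hash is still the legacy scheme."""
    return sorted(u for u, r in store.items() if r.algo == "sha1")


def build_demo_store() -> Dict[str, Record]:
    # Constructed sample data: two accounts still on SHA-1, one already on PBKDF2.
    return {
        "active@example.com": make_legacy_record("correct horse"),
        "dormant@example.com": make_legacy_record("battery staple"),
        "recent@example.com": make_pbkdf2_record("hunter2-but-longer"),
    }


def run_demo() -> Dict[str, str]:
    """Simulate one active login and one failed login; return algo per account."""
    store = build_demo_store()
    assert login(store, "active@example.com", "correct horse")        # upgraded
    assert not login(store, "dormant@example.com", "wrong password")  # no upgrade on failure
    return {u: r.algo for u, r in store.items()}


if __name__ == "__main__":
    result = run_demo()
    for user, algo in result.items():
        print(f"{user}: {algo}")
    print("still on legacy hash:", [u for u, a in result.items() if a == "sha1"])
```

The dormant account stays on SHA-1 no matter how long the migration has been running, which is exactly the gap the NYAG identified; the `legacy_accounts` audit is the metric that tells a security team whether a lazy migration has actually finished.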
Data collection and retention: The information involved included checksums derived from customers’ driver’s license numbers. However, Wegmans did not have a reasonable business purpose to retain any form of driver’s license information indefinitely. Checksums are not immune to attack and therefore cannot justify the retention of unnecessary personal information.
As part of the settlement, Wegmans agreed to pay $400,000 and to take various steps commonly seen in security-related consent agreements, such as: a written information security program, asset management (including cloud assets), log retention (“Logs for Cloud Asset activity should be readily accessible for a period of at least 90 days and stored for at least one year from the date the activity was registered.”), annual penetration testing, an annual third-party assessment for the next three years, password policies, and customer account management and authentication. Some of the more unusual requirements are:
- Asset Management: Wegmans will use manual processes and, where possible, automated tools to regularly inventory and classify, and publish internal reports on, all Cloud assets contained in its network, including, but not limited to, all software, applications, network components, databases, data stores, tools, technology and systems. The asset inventory and applicable configuration and change management systems shall, at a minimum, collectively identify: (a) the name of the asset; (b) the version of the asset; (c) the owner of the asset; (d) the location of the asset within the Network; (e) Asset criticality rating; (f) whether the asset collects, processes or stores personal information; and (g) each security update and security patch applied or installed during the prior period.
- Data collection: Wegmans will not collect a customer’s personal information without a reasonable business purpose for such collection.
- Data deletion: Wegmans will establish and maintain appropriate policies and procedures to ensure that personal information is deleted when there is no reasonable business purpose for retaining such personal information. For personal information collected prior to the Effective Date of this Assurance, Wegmans will permanently delete private information for which no reasonable business purpose exists within ninety (90) days of the Effective Date, and will permanently delete all other personal information for which no reasonable business purpose exists within two hundred and forty (240) days of the Effective Date.
(In New York, the state breach notification law, General Business Law § 899-aa, defines “private information,” and the Consent Agreement uses the same definition. The Consent Agreement separately defines the term “personal information” as “information that can be used to identify a customer, including name, home or other physical address, email address, phone number, account password, social security number, government identification number, including driver’s license number, bank account number, credit or debit card number, or any private information.”)
As we highlighted in our previous article on a SHIELD Act enforcement action, this settlement demonstrates regulators’ continuing and growing emphasis on reasonable record retention and data destruction. Record retention often plays a secondary role in data security and privacy programs, but the theft of old and unused personal information is something regulators can quickly identify. A simple retention policy and schedule that employees do not meaningfully follow is unlikely to protect an organization from regulatory scrutiny.
Even hashing and salting apparently won’t help a company defend a SHIELD Act claim if it had no business justification for having the data in the first place. Your records retention policy is only part of a “minimum necessary” policy that minimizes the amount of personal data collected, which would also help reduce the cost of protecting that personal data and minimize regulatory fines in the event of a data breach.
Additionally, note that New York required the company to make a vulnerability disclosure program “visibly available” on its website. Security researchers, and companies that run their own threat intelligence programs, received clarification in May from the US Department of Justice (DOJ) regarding the federal anti-hacking law known as the Computer Fraud and Abuse Act (CFAA). The DOJ announced revisions to its charging policy for violations of the CFAA. The policy for the first time directs Justice Department attorneys not to bring CFAA charges for “good faith security research.” The policy also clarifies that the DOJ will not prosecute cases of “exceeding authorized access,” although prosecution for “unauthorized access” has not changed.