The New York SHIELD Act: Data Breaches, Cyber Security and Comparison with the European Approach

The EU General Data Protection Regulation (GDPR) has become an inspiration and reference point for data protection regimes around the world, propelling the right to privacy to the forefront of legislative and business agendas alike.

One such case is the Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act), signed by NY Governor Andrew Cuomo almost one year ago on 25th July 2019. 

The SHIELD Act overhauled New York’s existing data breach notification laws and added new data security requirements. Alongside California’s Consumer Privacy Act (CCPA), the SHIELD Act adds to a growing number of US states that are taking privacy laws more seriously.

With the SHIELD Act’s one-year anniversary now approaching, at Gerrish Legal, we thought it would be useful to break down this Act and the implications it has for businesses falling under its scope, as well as providing a comparison with the GDPR. 

Data security in the United States: 

Before delving into the SHIELD Act, it is useful to have an overview of data security laws in the US. In contrast to the large-scale application of the GDPR and the ePrivacy Regulation in the European Union, data security laws in the US are designed at state rather than federal level, and have historically been siloed into three distinct categories: (i) security breach notification laws; (ii) reasonable security requirement laws; and (iii) sector-specific cybersecurity laws. The SHIELD Act falls under the first two categories, with its data breach notification requirements taking effect from 23rd October 2019, and its data security requirements taking effect from 21st March 2020.

As each state has its own data breach notification laws, the strength of such obligations varies greatly from state to state, with New York and California having some of the strongest laws in place, and states such as Kentucky and Mississippi having some of the weakest. However, there have been some recent regulatory trends seen in the US, with several states now expanding the definition of personal data to mirror or bring it closer to the definition accorded by the GDPR, as well as reducing breach notification timeframes. This is in line with an international shift towards stricter breach notification requirements seen in the last two years, with several countries introducing such notification obligations for the first time. 

Who does the SHIELD Act apply to and what data does it cover? 

Due to the nature of international data transfers, companies can often be concerned about whether their data processing activities are subject to a certain legal regime or not. For example, international transfers of personal data from the European Economic Area (the EEA) to the US are almost a given for many businesses when you take into consideration the strength and dominance of US-based service providers and data centres. As such, the provisions of the SHIELD Act apply to: 

“any person or business that owns or licences computerized data which includes private information on a resident of New York”.

Therefore, this Act could apply to your business, regardless of whether you are based in New York or not, if you are processing the computerized data and private information of a resident of New York. To this extent, the SHIELD Act has expanded the definition of “private information” to now also include:

“biometric information, meaning data generated by electronic measurements of an individual's unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual's identity”;

as well as:

“an account, credit or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account even without additional identifying information; or a security code, access code or password”;

and 

“a username or email address in combination with a password or security questions and answer that would permit access to an online account”. 

What constitutes a data breach and what are the notification requirements?

Similar to the definition of “private information”, a “breach of the security system” has also been widened from mere unauthorised access to a computer, to: 

“unauthorized access to or acquisition of, or access to or acquisition without valid authorization, of computerized data that compromises the security, confidentiality, or integrity of private information maintained by a business”. 

However, fortunately for businesses, the SHIELD Act expressly carves out good faith access by employees, meaning that any accidental access of private information by an employee within the parameters of the business will not constitute a data breach under the Act. 

If a data breach has occurred, notification should be made without unreasonable delay to New York residents affected by the breach, as well as the New York Attorney General (NY AG), the department of state and state police. Notably, the Act has increased the time that the NY AG has to bring an enforcement action for any failures to notify from two years to three years, from the date of discovery of the violation. 

The SHIELD Act has also added new exceptions to this obligation to notify. One such exception is that notification to residents under the SHIELD Act is not required where notification has been granted under another data breach notification law, such as a sector-specific law (more information on this below). The second exception is the “risk of harm” balancing act; namely, notification will not be required where disclosure occurs by a person authorized to access that private information, and where such a disclosure will not result in any harm to the resident. 

If a business wants to rely on this second exception, they must fully document this “risk of harm” analysis and reasoning, with such documentation to be retained for a period of five years. However, this is not a complete get out of jail free card – if the disclosure affects more than 500 New York residents, a copy of this risk of harm analysis document must be sent to the NY AG within ten days of its creation. 

What are the data security requirements under the SHIELD Act and how can you demonstrate compliance? 

Unlike the data breach notification requirements above, which came into effect in October 2019, the data security elements of the SHIELD Act have only recently come into effect in March 2020, right at the beginning of the Covid-19 pandemic wreaking its effects on the US, and at a time where a large majority of employees were sent to work from home. As such, many businesses are still in the process of understanding the data security requirements of the SHIELD Act, and some are yet to even start their compliance projects. 

There are three categories of safeguards and controls to ensure and demonstrate that you have complied with data security requirements: administrative safeguards, technical safeguards, and physical safeguards. 

Administrative safeguards can include appointing a data protection officer, internal and external policy documents such as privacy notices, and employee training programs. Physical measures include the security measures you have in place at your office or working environment; for example, secure key card access, locks on doors, or storing away equipment. This element has become more difficult to implement given the recent pandemic. 

Technical measures include cyber security, encryption, software design, firewalls and other such measures. This is usually the element that businesses can find the most difficult, as the level of security required will depend on the size and scope of the business, as well as the nature of the data being processed. This level of security will also depend on the sector in which the business operates, for which sector-specific cyber security laws are also in play in the US. 

Examples of such sector-specific cyber security laws include the Health Insurance Portability and Accountability Act (HIPAA) for the health sector, the Federal Information Security Modernization Act for federal agencies, the Gramm–Leach–Bliley Act (GLBA) for the financial services sector, the Homeland Security Act, and regulations from the Internal Revenue Service for the tax sector and from the Securities and Exchange Commission for public securities markets and the public companies sector. 

Such sector-specific laws and regulations will also have to be adhered to when looking at your business’ cyber security measures. Entities that are regulated by these sector-specific laws and have been deemed compliant with their requirements are, as a result, also deemed to be in compliance with the SHIELD Act.

In addition to these sector-specific laws, businesses can also rely on frameworks to benchmark their compliance against, for internal and external purposes. Examples include the NIST Cybersecurity Framework, which is a very US-specific framework, the ISO 27001/27002 framework, which is more internationally recognised, and the CIS Critical Security Controls.

Differences in the New York and European Union approach 

Whilst the SHIELD Act has brought New York’s regime closer to the gold standard offered by the EU through the GDPR, the underlying bases of the two pieces of legislation are quite different. The SHIELD Act is based on a harm-based approach, looking at the harm that is caused by a breach. This includes looking at whether a particular breach has caused financial harm or physical harm to the individual whose data is the subject of the breach.

Conversely, the GDPR is more focused on a risk-based approach, looking at the risks that are or could be caused by a breach to a data subject’s fundamental human rights. This approach allows for a much broader application, and therefore a wider range of acts and omissions can constitute a data breach for the purposes of the legislation.

Similarly, when looking at cyber security legislation and general data security requirements, the US adopts a patchwork approach, implementing laws according to sectors and on a case-by-case basis, allowing each state to determine the levels and modalities of security it sees fit. The GDPR, however, has taken a more blanket approach, not only due to the all-encompassing nature of European Union regulations (in that they apply to all 27 member states in the same way and without the need for national implementation), but also because its security requirements apply to all sectors in the same way. The level of security required under the GDPR depends rather on the data that is being processed and the risks that are posed to data subjects should that data be lost, stolen or damaged. For example, the GDPR breaks down personal data into ordinary personal data and special category personal data, which includes data relating to racial or ethnic origin, sexual orientation and biometric data. This special category personal data is accorded extra protection under the GDPR, as processors require a legal basis under both Article 6 and Article 9 of the GDPR.

Nonetheless, there is pressure in the States to pass a federal level law in order to have a common US standard. For the moment, businesses that process the private information of residents from several US states often choose to adhere to the law of New York, California, or Massachusetts, as these data security laws are some of the most developed and robust, ensuring that companies can demonstrate compliance at the highest level regardless of the state in which an issue arises. Similarly, many companies choose to align their security standards with the GDPR, seen as the gold standard in the world.

Going a level deeper, when looking at the measures to be implemented to prevent data breaches, the SHIELD Act talks about administrative, technical and physical measures, whereas the GDPR talks about technical and organisational measures. Non-EU based companies have found this concept of “technical and organisational measures” difficult to grasp. However, in including such wording, the GDPR has actually accorded flexibility to data processors to carry out their own risk analysis and implement measures according to their size and scope of processing. 

Of course, the GDPR has also accounted for the regulation of any abuse of this flexibility through the significant fines that can be handed out for non-compliance, capped at a maximum of €20 million, or 4% of annual global turnover, whichever is greater. This demonstrates the principle of accountability that underlies the GDPR. In comparison, under the SHIELD Act, the NY AG’s fine for failure to notify a data breach sits at $20 per instance of failed notification, capped at a maximum of $250,000. Similarly, reporting times vary greatly under the two regimes: 72 hours under the GDPR compared to 10 days under the SHIELD Act.

Therefore, taking into account the level of protection accorded by the GDPR, on a practical level an EEA-based data processor’s conformity to the GDPR is more often than not taken into consideration by the NY AG for any data breaches under the SHIELD Act, subject to the size and nature of the breach in question.

Conclusion 

It will be interesting to see how businesses implement the data security requirements under the SHIELD Act, especially in line with the astronomical uptake of tech and new tech platforms as a result of the pandemic and global work-from-home orders. Similarly, it will be interesting to see whether the US will adopt a blanket approach and implement a federal level data security law, or whether any future developments with the SHIELD Act and the CCPA will bring these regimes closer in line with the standard offered under the GDPR and its EU-US Privacy Shield certification rules. 

Of course, if you have any questions or thoughts in relation to the SHIELD Act or the GDPR, or questions around your international data transfers, please do reach out to us at Gerrish Legal.

Article by Komal Shemar @ Gerrish Legal, July 2020 / Cover Photo by Florian Wehde on Unsplash
