New York’s Sweeping Data Protection & Breach Notification Law Takes Effect This Week

New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act that amends the state’s breach notification law goes into effect on October 23rd. The SHIELD Act significantly expands what types of personal information are protected, lowers the bar for which security incidents must be reported as a breach, and sets new mandates for organizations covered by the HIPAA rules to report breaches to state authorities.

A separate mandate will take effect in March 2020 requiring organizations controlling the private information of New York residents put into place information security programs to safeguard electronic data. New York joins a growing number of states revamping their breach notification and data security laws by broadening the scope of protected information and requiring organizations handling sensitive consumer information to implement security controls and have a risk-based program to manage their data.

Among the new categories of “private information” that may trigger notification are:

  • Biometric information, including a fingerprint or retina image;
  • Credit or debit card numbers without a security code, provided the number could be used to access an individual’s financial account; and,
  • Usernames or email addresses together with passwords or security questions and answers that could permit access to an online account.

Other Key Changes Include:

  • Expanding the definition of a breach to include the unauthorized access to private information in addition to unauthorized acquisition of private information. Access may include viewing, copying, or downloading private information.
  • Requiring businesses that own or license New York residents’ private information to implement “reasonable safeguards” to protect the security of the information.
  • Creating an exception to breach notification obligations where exposure of private information occurs as the result of an inadvertent disclosure by a person authorized to access the private information and where a business reasonably determines the exposure poses no risk of financial or emotional harm to the affected persons. While this creates a new exception, addition of considering the risk of emotional harm will limit the application of this exception for inadvertent disclosure.
  • Exempting additional notification obligations where the notifying organization has also made notification pursuant to the Health Insurance Portability and Accountability Act (HIPAA). However, notice must still be made to several NY state agencies.
  • Requiring HIPAA covered entities to report to the NY attorney general any breach of PHI reported to OCR

Compliance with the new “reasonable safeguards” standard may have significant impact to organizations maintaining private information of New York residents. The SHIELD Act sets forth a list of administrative, technical, and physical safeguards that businesses may be required to implement through an information security program. These safeguards include (i) designating one or more employees to implement the security program, (ii) training and managing employees in security program practices, (iii) regular testing and monitoring of the effectiveness of key company controls and systems, and (iv) disposing of private information within a reasonable time after the information is no longer needed.

The SHIELD Act permits a “small business” to tailor its information security program as appropriate for the business’s size, the nature of the business’s activities, and the sensitivity of the private information maintained. Businesses not meeting the definition of a small business may still be deemed compliant if they comply with the requirements of the HIPAA Security Rule Requirements.

The expanded protections for information and breach notification take effect on October 23, 2019. The requirements to adopt minimum data security standards will take effect on March 21, 2020.

Bottom Line

Healthcare organizations and any entity that maintains private information of New York residents, including employee and applicant data, should carefully review their cybersecurity policies and procedures and make any necessary adjustments to their incident response plans in the event of a data breach. HIPAA covered entities should be prepared to report breaches to the NY Attorney General. Additionally, companies should ensure that their information security programs comply with the HIPAA Security Rule if applicable, or the SHIELD Act’s required data security safeguards.

How CynergisTek Can Help Organizations Comply

  • Download our “Consider This…”white paper, “NY SHIELD ACT: Where Do I Begin” for a full summary of NY SHIELD requirements.
  • Develop and/or test incident response plans to verify that your organization can correctly respond to a breach that includes a NY resident’s personal information.
  • Assess your overall privacy program against the HIPAA Privacy Rule and ensure that your policies and procedures comply with the NY SHIELD Act.
  • Utilize our privacy team’s expertise for short-term or long-term privacy projects such as updating existing policies and procedures to comply with the NY SHIELD Act.
  • Reevaluate your last risk assessment by conducting a new one to identify what is in place to protect NY residents’ personal information.
  • Close security gaps and prepare for the changes that go into effect March 2020 through a variety of cybersecurity services.
July 8th, 2019|

About the Author:

David Holtzman
Considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules, David Holtzman was a senior advisor at OCR before joining the team at CynergisTek. He also previously served as the privacy & security officer for Kaiser Permanente’s Mid-Atlantic Region.