
New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which requires organizations controlling the private information of New York residents to put in place information security programs to safeguard electronic data, took effect on March 22, 2020. New York joins a growing number of states revamping their breach notification and data security laws by broadening the scope of protected information and requiring organizations that handle sensitive consumer information to put in place “reasonable safeguards” to protect personal information by implementing security controls and maintaining a risk-based program to manage their data.

Compliance with the new “reasonable safeguards” standard may have a significant impact on organizations maintaining private information of New York residents. The New York SHIELD Act sets forth a list of administrative, technical, and physical safeguards that businesses may be required to implement through an information security program. These safeguards include (i) designating one or more employees to implement the security program, (ii) training and managing employees in security program practices, (iii) regular testing and monitoring of the effectiveness of key company controls and systems, and (iv) disposing of private information within a reasonable time after the information is no longer needed.

The New York SHIELD Act permits a “small business” to tailor its information security program as appropriate for the business’s size, the nature of the business’s activities, and the sensitivity of the private information maintained. Businesses, large or small, that are in compliance with other regulatory schemes requiring information security, such as the HIPAA Security Rule or the Gramm-Leach-Bliley Act, are deemed compliant with the New York SHIELD Act.

The provisions setting minimum data security standards for entities that handle personal information joined the new provisions of the New York breach notification law, which went into effect in October 2019. The New York SHIELD Act’s breach notification requirements significantly expanded the types of personal information that are protected, lowered the bar for which security incidents must be reported as a breach, and set new mandates for organizations covered by the HIPAA rules to report breaches to state authorities.

Among the new categories of “private information” that may trigger notification are:

Other Key Changes Include:

Bottom Line

Health care organizations and any entity that maintains private information of New York residents, including employee and applicant data, should carefully review their cybersecurity policies and procedures and make any necessary adjustments to their incident response plans in the event of a data breach. HIPAA covered entities should be reporting breaches to the NY Attorney General. Additionally, companies should ensure that their information security programs comply with the HIPAA Security Rule if applicable, or the New York SHIELD Act’s required data security safeguards.

How CynergisTek Can Help Organizations Comply with New York SHIELD Act