New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which requires organizations that control the private information of New York residents to put in place information security programs to safeguard electronic data, took effect on March 22, 2020. New York joins a growing number of states revamping their breach notification and data security laws by broadening the scope of protected information and requiring organizations that handle sensitive consumer information to have put in place “reasonable safeguards” for personal information, both by implementing security controls and by maintaining a risk-based program to manage their data.
Compliance with the new “reasonable safeguards” standard may have a significant impact on organizations that maintain private information of New York residents. The New York SHIELD Act sets forth a list of administrative, technical, and physical safeguards that businesses may be required to implement through an information security program. These safeguards include (i) designating one or more employees to implement the security program, (ii) training and managing employees in security program practices, (iii) regularly testing and monitoring the effectiveness of key company controls and systems, and (iv) disposing of private information within a reasonable time after the information is no longer needed.
The New York SHIELD Act permits a “small business” to tailor its information security program as appropriate for the business’s size, the nature of the business’s activities, and the sensitivity of the private information maintained. Businesses, large or small, that are in compliance with other regulatory schemes requiring information security, such as the HIPAA Security Rule or the Gramm-Leach-Bliley Act, are deemed compliant with the New York SHIELD Act.
The provisions setting minimum data security standards for entities that handle personal information join the new provisions of the New York breach notification law, which went into effect in October 2019. The New York SHIELD Act’s breach notification requirements significantly expand the types of personal information that are protected, lower the bar for which security incidents must be reported as a breach, and set new mandates for organizations covered by the HIPAA rules to report breaches to state authorities.
Among the new categories of “private information” that may trigger notification are:
- Biometric information, including a fingerprint or retina image;
- Credit or debit card numbers without a security code, provided the number could be used to access an individual’s financial account; and
- Usernames or email addresses together with passwords or security questions and answers that could permit access to an online account.
Other Key Changes Include:
- Expanding the definition of a breach to include the unauthorized access to private information in addition to unauthorized acquisition of private information. Access may include viewing, copying, or downloading private information.
- Requiring businesses that own or license New York residents’ private information to implement “reasonable safeguards” to protect the security of the information.
- Creating an exception to breach notification obligations where exposure of private information occurs as the result of an inadvertent disclosure by a person authorized to access the private information, and where the business reasonably determines that the exposure poses no risk of financial or emotional harm to the affected persons. While this creates a new exception, the requirement to consider the risk of emotional harm will limit how often the inadvertent-disclosure exception applies.
- Exempting organizations from additional notification obligations where the notifying organization has also made notification pursuant to HIPAA. However, notice must still be made to several New York state agencies.
- Requiring HIPAA covered entities to report to the New York attorney general any breach of PHI reported to OCR.
Health care organizations, and any entity that maintains private information of New York residents, including employee and applicant data, should carefully review their cybersecurity policies and procedures and make any necessary adjustments to their incident response plans for handling a data breach. HIPAA covered entities should be reporting breaches to the NY Attorney General. Additionally, companies should ensure that their information security programs comply with the HIPAA Security Rule, if applicable, or with the New York SHIELD Act’s required data security safeguards.
How CynergisTek Can Help Organizations Comply with New York SHIELD Act
- Download our “Consider This…” white paper, “NY SHIELD ACT: Where Do I Begin?”, for a full summary of New York SHIELD Act requirements.
- Develop and/or test incident response plans to verify that your organization can correctly respond to a breach that includes New York residents’ personal information.
- Assess your overall privacy program against the HIPAA Privacy Rule and ensure that your policies and procedures comply with the New York SHIELD Act.
- Utilize our privacy team’s expertise for short-term or long-term privacy projects, such as updating existing policies and procedures to comply with the New York SHIELD Act.
- Reevaluate your last risk assessment by conducting a new one to identify what is in place to protect New York residents’ personal information.
- Close security gaps and prepare for the changes that go into effect March 2020 through a variety of cybersecurity services.
About the Author: David Holtzman