New York’s Sweeping Data Protection & Breach Notification Law Will Have National Impact

July 8, 2019 David Holtzman

Recently, the New York State Legislature passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act to amend the state’s breach notification law and to add mandates for organizations to adopt information security programs to safeguard electronic data of state residents. Once the bill is signed into law by Governor Cuomo, New York will join the growing number of states revamping their breach notification and data security laws by broadening the scope of protected information and requiring organizations handling sensitive consumer information to implement reasonable security controls.

The Biggest Change

Among the new categories of “private information” that may trigger notification are:

  • Biometric information, including a fingerprint or retina image;
  • Credit or debit card numbers without a security code, provided the number could be used to access an individual’s financial account; and,
  • User names or email addresses together with passwords or security questions and answers that could permit access to an online account.

Other Key Changes Include:

  • Expanding the definition of a breach to include the unauthorized access to private information in addition to unauthorized acquisition of private information. Access may include viewing, copying, or downloading private information.
  • Requiring businesses that own or license New York residents’ private information to implement “reasonable safeguards” to protect the security of the information.
  • Creating an exception to breach notification obligations where exposure of private information occurs as the result of an inadvertent disclosure by a person authorized to access the private information and where a business reasonably determines the exposure poses no risk of financial or emotional harm to the affected persons. While this creates a new exception, addition of considering the risk of emotional harm will limit the application of this exception for inadvertent disclosure.
  • Exempting additional notification obligations where the notifying organization has also made notification pursuant to the Health Insurance Portability and Accountability Act (HIPAA). However, notice must still be made to several NY state agencies.
  • Requiring HIPAA covered entities to report to the NY attorney general any breach of PHI reported to OCR

Compliance with the new “reasonable safeguards” standard may have significant impact to organizations maintaining private information of New York residents. The SHIELD Act sets forth a list of administrative, technical, and physical safeguards that businesses may be required to implement through an information security program. These safeguards include (i) designating one or more employees to implement the security program, (ii) training and managing employees in security program practices, (iii) regular testing and monitoring of the effectiveness of key company controls and systems, and (iv) disposing of private information within a reasonable time after the information is no longer needed.

The SHIELD Act permits a “small business” to tailor its information security program as appropriate for the business’s size, the nature of the business’s activities, and the sensitivity of the private information maintained. Businesses not meeting the definition of a small business may still be deemed compliant if they comply with the requirements of the HIPAA Security Rule. Requirements.

When Governor Cuomo signs the bill into law, the expanded protections for information and breach notification will take effect 90 days thereafter. The requirements to adopt minimum data security standards will take effect 240 days after the bill is signed into law.

A summary of the NY SHIELD Act can be accessed here.

Bottom Line

Health care organizations and any business that maintains private information of New York residents should carefully review their cybersecurity policies and procedures and make any necessary adjustments to their incident response plans in the event of a data breach. HIPAA covered entities should prepare to begin reporting breaches to the NY Attorney General. Additionally, companies should ensure that their information security programs comply with the HIPAA Security Rule if applicable, or the SHIELD Act’s required data security safeguards.

About the Author

David Holtzman

David Holtzman is an executive advisor for CynergisTek. He is considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules. Prior to CynergisTek, Holtzman served on the health information privacy team at the Department of Health & Human Services, Office for Civil Rights (OCR/HHS), where he led many OCR initiatives including the effort to integrate the administration and enforcement of the HIPAA Security Rule, and health information technology policies. David has nearly two-decades of experience in developing, implementing and evaluating health information privacy and security compliance programs from both government and private sector organizations. He is a member of the HHS “CISA 405-d Workgroup”, the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council and Co-Chair of the Privacy and Security Workgroup for North Carolina Healthcare Information & Communications Alliance (NCHICA).

Follow on Twitter More Content by David Holtzman
Previous Article
Can Patient Data Be Truly 'De-Identified' for Research?
Can Patient Data Be Truly 'De-Identified' for Research?

Next Article
AMCA Bankruptcy Filing in Wake of Breach Reveals Impact
AMCA Bankruptcy Filing in Wake of Breach Reveals Impact