New York’s Sweeping Data Protection & Breach Notification Law Now in Full Force

April 1, 2020 David Holtzman

New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which requires organizations controlling the private information of New York residents to put in place information security programs to safeguard electronic data, took effect on March 22, 2020. New York joins a growing number of states revamping their breach notification and data security laws by broadening the scope of protected information and requiring organizations handling sensitive consumer information to have put in place “reasonable safeguards” to protect personal information, both by implementing security controls and by maintaining a risk-based program to manage their data.

Compliance with the new “reasonable safeguards” standard may have a significant impact on organizations maintaining private information of New York residents. The New York SHIELD Act sets forth a list of administrative, technical, and physical safeguards that businesses may be required to implement through an information security program. These safeguards include (i) designating one or more employees to implement the security program, (ii) training and managing employees in security program practices, (iii) regularly testing and monitoring the effectiveness of key company controls and systems, and (iv) disposing of private information within a reasonable time after the information is no longer needed.

The New York SHIELD Act permits a “small business” to tailor its information security program as appropriate for the business’s size, the nature of the business’s activities, and the sensitivity of the private information maintained. Businesses, large or small, that are in compliance with other regulatory schemes requiring information security, such as the HIPAA Security Rule or the Gramm-Leach-Bliley Act, are deemed compliant with the New York SHIELD Act.

The provisions setting minimum data security standards for entities that handle personal information join the new provisions of the New York breach notification law, which went into effect in October 2019. The New York SHIELD Act’s breach notification requirements significantly expanded the types of personal information that are protected, lowered the bar for which security incidents must be reported as a breach, and set new mandates for organizations covered by the HIPAA rules to report breaches to state authorities.

Among the new categories of “private information” that may trigger notification are:

  • Biometric information, including a fingerprint or retina image;
  • Credit or debit card numbers without a security code, provided the number could be used to access an individual’s financial account; and,
  • Usernames or email addresses together with passwords or security questions and answers that could permit access to an online account.

Other Key Changes Include:

  • Expanding the definition of a breach to include the unauthorized access to private information in addition to unauthorized acquisition of private information. Access may include viewing, copying, or downloading private information.
  • Requiring businesses that own or license New York residents’ private information to implement “reasonable safeguards” to protect the security of the information.
  • Creating an exception to breach notification obligations where exposure of private information occurs as the result of an inadvertent disclosure by a person authorized to access the private information, and where the business reasonably determines the exposure poses no risk of financial or emotional harm to the affected persons. While this creates a new exception, the requirement to also consider the risk of emotional harm will limit how often this exception for inadvertent disclosure applies.
  • Exempting organizations from additional notification obligations where the notifying organization has also made notification pursuant to HIPAA. However, notice must still be made to several New York state agencies.
  • Requiring HIPAA covered entities to report to the New York Attorney General any breach of PHI reported to OCR.

Bottom Line

Health care organizations and any entity that maintains private information of New York residents, including employee and applicant data, should carefully review their cybersecurity policies and procedures and make any necessary adjustments to their incident response plans for handling a data breach. HIPAA covered entities should be reporting breaches to the New York Attorney General. Additionally, companies should ensure that their information security programs comply with the HIPAA Security Rule, if applicable, or with the New York SHIELD Act’s required data security safeguards.

About the Author

David Holtzman

David Holtzman is an executive advisor for CynergisTek. He is considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules. Prior to CynergisTek, Holtzman served on the health information privacy team at the Department of Health & Human Services, Office for Civil Rights (OCR/HHS), where he led many OCR initiatives, including the effort to integrate the administration and enforcement of the HIPAA Security Rule and health information technology policies. David has nearly two decades of experience in developing, implementing and evaluating health information privacy and security compliance programs for both government and private sector organizations. He is a member of the HHS “CISA 405-d Workgroup”, the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council, and Co-Chair of the Privacy and Security Workgroup for the North Carolina Healthcare Information & Communications Alliance (NCHICA).
