White Papers

New York SHIELD Act: Where Do I Begin?

Issue link: https://insights.cynergistek.com/i/1153724


Consider This….

New York SHIELD Act: Where Do I Begin?

CynergisTek is pleased to provide the second in our occasional series of articles on important topics that will affect organizations' long-range planning and strategic approaches to managing information assurance. For this edition of "Consider This…." we look at the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).

The SHIELD Act updates and expands New York's breach notification requirements and the types of information that are protected from unauthorized disclosure. Beginning in October 2019, New York's breach notification requirements will apply to any organization that controls or processes information of a New York resident, not just those that conduct business in New York State. Separately, all breaches of protected health information reported to the Office for Civil Rights must also be reported to the New York Attorney General.

The SHIELD Act also enacts stronger requirements for businesses to have data protection safeguards in place to protect information collected or maintained about consumers. Beginning in March 2020, the SHIELD Act sets minimum standards for administrative, technical, and physical safeguards that businesses may be required to implement through an information security program.

New Categories of "Private Information"

1. Biometric information, including a fingerprint or retina image;
2. Credit or debit card numbers without a security code, provided the number could be used to access an individual's financial account; and
3. User names or email addresses together with passwords or security questions and answers that could permit access to an online account.

Other Key Changes

1. Expanding the definition of a breach to include unauthorized access to private information, in addition to unauthorized acquisition of it. Access may include viewing, copying, or downloading private information.
2. Requiring businesses that own or license New York residents' private information to implement "reasonable safeguards" to protect the security of the information.
3. Creating an exception to breach notification obligations where exposure of private information occurs as the result of an inadvertent disclosure by a person authorized to access it, and where the business reasonably determines the exposure poses no risk of financial or emotional harm to the affected persons. While this creates a new exception, the requirement to also consider the risk of emotional harm will limit how often the inadvertent-disclosure exception applies.
4. Exempting organizations from additional notification obligations where they have already made notification pursuant to the Health Insurance Portability and Accountability Act (HIPAA). However, notice must still be made to several New York state agencies.
5. Requiring HIPAA covered entities to report to the New York Attorney General any breach of PHI reported to OCR.
