New Data Breach and Security Requirements Signed into Law
On July 25th, Governor Cuomo signed into law provisions expanding the definition of "private information" subject to state data breach reporting and creating new data security requirements. The new law, entitled the Stop Hacks and Improve Electronic Data Security Act (the "SHIELD Act"), expands the types of private information that are subject to breach reporting under state law by adding biometric information and usernames or email accounts in combination with their passwords or security questions and answers. "Private information" under state law continues to include Social Security numbers, credit card and bank account numbers, and driver's license and non-driver identification numbers. Health information has not been specifically enumerated in the list of private information, although health records and other records held by health care providers may contain items on the list.
The SHIELD Act does not require breach notification of affected persons if they have already been notified in accordance with another state or federal law, such as HIPAA. However, if a HIPAA-covered entity is required to notify the Secretary of Health and Human Services of a breach of protected health information, the SHIELD Act provides that it must also notify the New York State Attorney General, even if the data disclosed is not defined as private information. Notice of a breach is not required in certain cases of inadvertent disclosure by someone authorized to access the private information if the disclosure would not result in misuse or harm.
In addition to expanding the information subject to breach notification, the SHIELD Act requires any person or business that owns or licenses computerized private information pertaining to New York residents to maintain reasonable safeguards to protect the security, confidentiality, and integrity of the information. The Act sets forth a series of required safeguards but deems entities that are in compliance with HIPAA regulations or certain other regulations to be in compliance with its requirements. The law allows small businesses to implement safeguards tailored to their size and complexity and the sensitivity of the information they control. It also authorizes the Attorney General to bring actions to enjoin violations and seek civil penalties.
The breach notification provisions of the law take effect 90 days after its enactment, and the data security provisions take effect 240 days after its enactment. Members are advised to consult with their attorneys about the implications of these new requirements and their obligations in the event of a data breach.
Contact: Karen Lipson, klipson@leadingageny.org, 518-867-8383 ext. 124